Think Like a Hacker to Help Uncover Vulnerabilities on Connected Smart Devices

April 24, 2014

Earlier this year, smart refrigerators and televisions were hacked and subjected to greater cyber attacks, according to NPR. Also, according to Extreme Tech, it was recently discovered that a Tesla Model S can now be located, unlocked and burglarized with a hack through its connected iOS app. In my own household, we have accumulated a sizable pool of smart devices (smartphones, tablets, smart TVs, streaming media devices, smart thermostat, etc.), 18 of them to be exact, that can be exploited; and this is not to mention the hundreds of apps running on some of them. You’re welcome, Mr. Black Hat.

I conducted a “smart” calculation of my own. What’s in your household?

Smart Devices: Risky Convenience

These connected smart devices provide us with an unprecedented level of convenience at our fingertips, yet they contain a treasure chest of personal and sensitive information that poses a security threat for simple everyday tasks that we take for granted.

A major theme that emerged from this year’s RSA conference in San Francisco was the growing abundance of personal electronics and smart devices that have embedded software and processors. Internet-connected cameras, industrial meters and sensors, home automation controllers and smart appliances all pose privacy and security risks for consumers and manufacturers. In the case of connected cars and health monitoring devices, these risks can be catastrophic and life-threatening.

3 Ways to Think Like a Hacker

This proliferation of smart devices has caused a renaissance in thinking about security. Attackers often look for vulnerabilities to gain root access on the device. Using this access, attackers can target communications, imaging and location data, install more malware or steal sensitive and confidential information.

Because many mobile platforms are not natively designed to provide comprehensive security, hackers have a strong incentive to develop new techniques or create mobile-centric malware specifically for these devices.

We understand the dangers of mobile device security. But how can manufacturers and enterprises protect themselves? While there may not be a silver bullet solution for mobile device security, organizations and individuals should start to think like hackers and use this approach to protect their smart devices by considering the following:

  1. The Path of the Attack: While mobile devices can certainly pose new threats to personal and enterprise data, it’s important to understand the likely avenues of attack and protect against them instead of viewing the whole mobility issue as a general threat. For example, it may be more efficient for attackers to directly attack the portal to which the mobile application connects and gain access to the entire data repository rather than “pick the pockets” of a multitude of mobile devices. Leveraging threat modeling to understand the specificity of potential attacks can put you back in the driver’s seat in combating these new waves of attacks.
  2. Check Your Inventory: You need to know the kinds of vulnerabilities that may exist on a specific device. Analyze the device’s physical and logical architecture, device driver, communication channels and storage containers, and take a hacker’s approach in order to uncover security issues through penetration testing and source code analysis of a device’s operating system, kernel module and applications. Just as importantly, the testing should be standardized so that it is repeatable as changes are made to the device and its software.
  3. Use Emerging Technologies: Hackers are discovering the benefits of compromising both business and personal data contained within mobile devices. Sandboxing, containerization and trusted transactions are all emerging technologies that promise to provide enhanced protection and to open up the willingness of security and IT executives to further enable mobile applications in the workforce.

The security of mobile devices has become a top concern for many IT executives. While manufacturers continue to embrace this unstoppable trend of embedding intelligence into every possible device and connecting devices to each other and the Internet, this level of sophistication also renders the devices targets for exploitation and security attacks.

Having the convenience provided by these connected smart and embedded devices should not come at the risk of the devices being attacked for malicious purposes or, worse, at the risk of physical damages or life-threatening incidents to their users. Such risks must be identified and mitigated before it is too late.

To learn more, watch the on-demand webinar: Securing the Internet of Things

Erkang Zheng
Cybersecurity Strategist, IBM Security Services

Erkang is the Cybersecurity Strategist and Global Program Director for Consulting Product Management at IBM Security Services. He is responsible for developi...