In a statement that speaks volume about the safety of the Internet of Things (IoT), it was revealed today (link via SlashDot) that Really Bad Software on a connected tea kettle was exploited to reveal Gmail passwords and other fun items. There’s even a YouTube Video demonstrating how fun it can be.
This bodes badly for systems security, whether it’s in a data center or in the cloud. What’s dramatic is that whether home worker or worker in the lunchroom of an organization, IoT devices, until vetted, represent astounding potential holes in systems security.
Unless your traffic is totally encrypted—with separate keys from each AP junction, correctly VLAN’d away from organizational assets—a simple tea kettle can be a back door to the network, and whatever resources it can find, rip by reading traffic flows, to anyone with a tasty antenna.
What is the meaning? IoT devices are going to be suspect, but even those that are built well—unlike the iKettle shown—will need updates because there will be new and more interesting crack methods that can apply. Those updates will need to come from vetted sources, with tamperproof delivery methods to send the update payloads to the devices.
In the interim, keys used in get/post commands to access cloud resources may need to be certificate-based/validated, with randomly rotated certificates to ensure that DNS and/or certificate authorities haven’t been compromised.
It all begs for a re-examination of how Internet Protocols work, and how we train IT staff to use them.
Hackfests like CCC, DEFCON, BlackHat, RSA, and other conferences need to continue their work. Certain retailers, however, need to consider the viability of the products on their shelf…perhaps a new datum for Underwriters Laboratories, the CSA, and other liability underwriting agency labs need to, so as to start something perhaps as important: IoT Pen Testing. No sticker? No importation.
