NEW YORK CITY – BlackBerry experts on Tuesday tapped into a tea kettle connected to the Internet of Things (IoT) during a live hack demonstration at the company’s 2016 Security Summit, and it was freaky.
While the idea of hacking someone’s tea kettle on the surface sounds like it would open the victim up to a myriad of grammar school pranks, BlackBerry’s demonstration proved the impact could have much more personal – and potentially devastating – consequences.
BlackBerry Technical Director Campbell Murray and BlackBerry Head of CyberSecurity Research and Development Fraser Winterborn showed just how minor vulnerabilities in our connected gadgets at home and in the office can be turned into huge exploits.
During the hack, Murray and Winterborn tapped into the kettle by creating a replica of the secure wireless network it was connected to. Since the fraudulent network’s signal was stronger than that of the secure network, the kettle connected to the replica network instead. Once the kettle latched on to their fake network, Murray and Winterborn were able to gain access to the passcode for the secure network, and in turn gain access to the previously secure network.
From there, Murray demonstrated how in an enterprise setting hackers could then easily gain access to sensitive communications that were left on what was thought to be a secure network without secondhand encryption from the device. This could especially be a problem in the case of enterprises that have a Bring Your Own Device (BYOD) policy.
The whole breach took less than 10 minutes.
Since the kettle has no memory itself, Murray said all traces of the attack would be gone once the device was turned off, leaving forensic investigators probing a breach at a loss as to how it was committed.
“What we have here is a tea maker but it could be anything, a coffee maker, a refrigerator, a blender,” Murray said. “Flawed security engineering can completely topple in a very short period of time.”
In addition to presenting network vulnerabilities for enterprise, IoT gadgets also open the door for much more personal and unsettling exploits.
Using the example of a kettle that can be programmed to boil based on your location when you arrive home, Murray explained:
“It knows where you are, you compromise that app, we know where you are,” Murray said. “The loss of personal privacy issue around something so simple is quite significant.”
Yeesh.
Thankfully, BlackBerry said its team is already hard at work to help boost cybersecurity for the connected world.
Back in May, BlackBerry released DTSec, a new cybersecurity standard. Though the standard is aimed at medical devices, BlackBerry Chief Security Officer David Kleidermacher said Tuesday he believes the standard could be “the blueprint for high quality security assurance across the connected world.”
BlackBerry said it also offers a number of Enterprise Mobility Management and Mobile Device Management solutions, like Good Secure, that offer on-device security measures to head off that second-hand access.