What could possibly go wrong?
What is the Internet of Things?
The IoT is a huge network of “things” or devices that are connected over the internet. These connections allow devices to talk to us, to applications or to each other. Communication between the devices themselves is called machine-to-machine (M2M) communication.
The devices can act on their own on the information they receive from each other. People can also interact with them by giving them instructions or accessing the data available. Most of these devices can work without human help.
Apart from making our lives easier or improving the way we live, the devices can also generate a huge amount of internet traffic and data due to the vast number of sensors being used.
It is estimated that by 2020 these devices alone will generate 1.6 zettabytes of data. This in itself can produce a large amount of personal and sensitive data, creating a bigger risk.
Gartner, an analyst firm, has said that by 2020 there could be over 26 billion connected devices. Some estimate that even this huge figure could be much higher, approaching 100 billion.
With IoT devices and the data they generate expanding rapidly, security needs to be at the forefront of manufacturers' and businesses' minds before a potentially large amount of personal data becomes vulnerable and is exploited.
What could go wrong?
These IoT devices were originally created to help improve our lives. They are there to make our day that little bit easier, to give us a heads up when we may not know what to look for, to save us time and to make us more efficient in our day-to-day lives. But are these devices really helping at all?
What happens when they get hacked?
Context, an independent consulting firm focused on cyber security, discovered a vulnerability in the CloudPets web app. The Context team was testing Bluetooth LE to see how far they could get with it. They wrote RaMBLE, an Android application that scans for Bluetooth LE devices.
The researcher came across the CloudPets toy when running RaMBLE on his way to work. A device named ‘CloudPets B 1.0.19’ showed up and, after Googling it, he found a range of teddy bears that use Bluetooth LE to communicate with an application on a smartphone.
The app uses Bluetooth LE to upload a recorded audio message to the toy. The child can then press the teddy's right paw to hear the message. The child can also record their own message by pressing the teddy's left paw. The app can then retrieve the recorded message over Bluetooth and send it back to the parent or loved one.
In a blog post, Paul Stone from Context describes how he reverse engineered the Bluetooth LE device and then used Chrome's Web Bluetooth API to hack it. He used the API to write a web page that could connect to the device and take control of it.
Web Bluetooth is a draft specification that allows a web browser to communicate with Bluetooth LE devices using the GATT protocol. In Chrome 56 and onwards, this is enabled by default. At the moment, no other browsers support it.
Understandably, there are some issues with allowing a web page to interact with a Bluetooth device, but the way this API is designed prevents web pages from connecting to devices automatically. The user has to choose the single device that the page may connect to.
With the web page loaded and connected to a chosen CloudPets teddy, you can access and control the following:
- Turn the LED heart light on and off.
- Play recorded audio stored in any of the slots.
- Upload recorded audio from the phone to the toy using Media API.
- Access the recording function remotely.
- Play back any downloaded audio previously recorded.
The web page was designed for simplicity. No application is required. The code for this webpage is also available on GitHub for all to use.
The teddy has no Bluetooth security features built into it. No authentication is enabled that would pair and bond the phone and the teddy.
Many Bluetooth LE devices don’t use authenticated pairing at all. This is usually done to simplify the user experience.
With many IoT devices, the manufacturers roll their own security instead of using the proper, built-in mechanisms.
It was found that once the teddy is switched on and not paired, anyone can connect to it. Bluetooth LE has a connection range of about 10–30 meters.
This is a cause for concern, as anyone could simply stand outside your house, connect to the teddy and upload malicious or inappropriate recordings to the toy.
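The missing pairing requirement described above shows up in a device's GATT attribute table as characteristics that can be read or written at security level 1. The following is an added example, not code from the original post or from Context: a small audit over a constructed table. The table format, characteristic names, UUIDs and policy levels are assumptions.

```javascript
// Added illustration, not code from the original post. The table format,
// names and UUIDs below are constructed placeholders.

// Characteristic property bits (Bluetooth Core Specification, GATT).
const PROPS = { READ: 0x02, WRITE_NO_RESP: 0x04, WRITE: 0x08, NOTIFY: 0x10, INDICATE: 0x20 };

// LE Security Mode 1 levels: 1 = no security, 2 = encrypted after
// unauthenticated pairing, 3 = authenticated pairing, 4 = LE Secure Connections.
const POLICY = { read: 2, write: 3 }; // assumed minimum levels for this audit

function decodeProps(bits) {
  return Object.keys(PROPS).filter((name) => (bits & PROPS[name]) !== 0);
}

// Returns one finding per access direction that needs less than the policy level.
function auditGatt(table, policy = POLICY) {
  const findings = [];
  for (const ch of table) {
    const props = decodeProps(ch.properties);
    const writable = props.some((p) => p === 'WRITE' || p === 'WRITE_NO_RESP');
    const readable = props.some((p) => p === 'READ' || p === 'NOTIFY' || p === 'INDICATE');
    if (writable && ch.writeLevel < policy.write) {
      findings.push({ name: ch.name, access: 'write', level: ch.writeLevel, required: policy.write });
    }
    if (readable && ch.readLevel < policy.read) {
      findings.push({ name: ch.name, access: 'read', level: ch.readLevel, required: policy.read });
    }
  }
  return findings;
}

// Constructed sample: three characteristics open to any device in range, one hardened.
const SAMPLE_TABLE = [
  { name: 'led-control', uuid: '00000000-0000-4000-8000-000000000001', properties: 0x08, readLevel: 1, writeLevel: 1 },
  { name: 'audio-upload', uuid: '00000000-0000-4000-8000-000000000002', properties: 0x04, readLevel: 1, writeLevel: 1 },
  { name: 'audio-download', uuid: '00000000-0000-4000-8000-000000000003', properties: 0x12, readLevel: 1, writeLevel: 1 },
  { name: 'device-config', uuid: '00000000-0000-4000-8000-000000000004', properties: 0x0a, readLevel: 2, writeLevel: 3 },
];

for (const f of auditGatt(SAMPLE_TABLE)) {
  console.log(`${f.name}: ${f.access} allowed at level ${f.level}, policy requires ${f.required}`);
}
```

Every finding is a function that any device within radio range can use without pairing; raising the required level on those characteristics is the fix on the manufacturer's side.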
Is there a way to secure against this?
- Turn it off when not in use.
- Throw the toy in the bin.
- Never buy the toy in the first place.
The Cayla Doll
Another vulnerable device that did the rounds in the media is the interactive My Friend Cayla doll. The Cayla doll hit the news in 2015 when the company Pen Test Partners disclosed how easy it was to hack Cayla and change her responses to inappropriate words.
This was as simple as decompiling the APK file and modifying the database. The database stored all the good and bad phrases Cayla could say, and it could easily be opened and changed.
After the modified app was uploaded back to the phone and Cayla connected to it, the hack was evident.
Cayla had changed from a children’s toy to a hacker plaything in a matter of minutes.
After the media brought this to users' attention, an updated app was released with SQLCipher encryption added to make it harder to reach and access the database.
My daughter had this doll a few years ago so I tested this hack out as part of a college assignment. Back then, they hadn’t implemented any new security features so it was easy to do.
Apart from the slower responses, Cayla answered the questions changed in the database. Here are a few that I changed.
- Question: Can you answer something for me?
- New Response: No, not in the humor
- Question: Please answer something.
- New Response: no, not in the humor.
- Question: Let’s test how smart you are.
- New Response: I’m fucking smarter than you are!!
- Question: I have a question/ I have a question to ask.
- New Response: ENOUGH IS ENOUGH! I HAVE HAD IT WITH THESE MOTHERFUCKING SNAKES ON THIS MOTHERFUCKING PLANE!
- Question: Tell me something.
- New Response: I don’t know who you are. I don’t know what you want. If you are looking for ransom, I can tell you I don’t have money. But what I do have are a very particular set of skills, skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my daughter go now, that’ll be the end of it. I will not look for you, I will not pursue you. But if you don’t, I will look for you, I will find you, and I will kill you.
- Question: How’s your day going?
- New Response: Fucking wonderful!!
You can see some of the changes in the database below.
These connected devices are becoming more and more integrated into the average household. They range from dolls like Cayla to the Amazon Echo to thermostats and smart kettles. With IoT covering such a broad range of devices, what will happen when your household is completely integrated with IoT and all of it is vulnerable to attack?
What price will you pay?
The internet of things (IoT) is a huge topic at the moment, especially in the tech industry.
Many devices are available, doing everything from checking your health statistics to making your coffee.
But does it come at a cost?
Many people do not know or understand the threat these devices hold until it’s much too late.
Cayla is now banned in Germany, as it is seen to pose a significant threat to the safety and security of children.
CloudPets have been taken off the market. But what of the next vulnerable toy or device?
When it comes to IoT, security has not been the main focus. Many manufacturers instead prioritize getting the device produced quickly, without thinking or worrying about the security issues it may have.
In a world where billions of IoT devices will be integrated into everyday households, security should be the main focus.