It's just an electric teakettle with WiFi capability — could it instead be an IoT device in your trucks or back office? (click to enlarge - Aaron Marsh/Fleet Owner)
The teakettle was connected wirelessly to an Apple iPhone to allow a user to, benignly enough, set up a schedule for it to boil. The iPhone was a BYOD (bring your own device) item an employee would use on the business' WiFi network, which had WK2 encryption. "It's not the best and not the worst enterprise-grade WiFi security you may have for your protection," Murray pointed out, "but for your average home office or small enterprise, this is what you'll most likely find."
Here's how they did it:
1. Get close enough to access the device's wireless connection. "We've got a bit of distance between the attack and the kettle. You can see there are no cables on the kettle, simply a power cord," said Murray. "It's communicating completely wirelessly, so Fraser could sit out in a car park or in the bushes in back of your office to perform all these functions."
2. Create a copy of the IoT device's secure WiFi network. Detecting the wireless network to which the kettle was connected, Winterborn created a copycat network. "It's not an exact copy; it's not a secure network. It's simply got the same name," Murray noted. "We refer to that as an SSID. You probably go home and your wireless network is called 'SmithsHome' or whatever you decided to call it."
3. Disconnect the IoT device from its proper network. "This is a feature, not a hack," Murray stressed. "It's actually how these things work. Quite often, enterprise networks might have multiple devices [connected], and if the phone stops working, you need to tell it to disconnect; if [a device] is not communicating, tell it to disconnect." Winterborn was able to de-authorize the wireless kettle from its network.
4. Connect the IoT device to your phony network. Murray explained the first security engineering flaw in the device: the kettle's wireless simply found a network with seemingly the correct name and a strong signal and reconnected, but had no verification it was the proper network.
"That kettle is now talking to us, not to its original network. That flaw in design, the lack of development-lifecycle assurance as they're putting this device together on the shop floor, means they've not really thought this through," Murray said. "They've not looked at the risks."
5. Get ready to send commands to the IoT device. In what he described as "a real problem" and the second security flaw, Murray noted the kettle had a very low-strength password to its own mechanism to communicate and receive commands.
"Whoever designed this really didn't put any thought into security, because the password is super-simple: It's six zeros," Murray said. "But obviously, it is a computing device, because the smartphone has to be able to communicate with it in some way."
6. Extract the password for the original WiFi network. "Now we have communication — we're now talking to the kettle and we're running one simple command," Murray told the audience. "We've extracted the stored WiFi password for the secure network.
"That's your third flaw: That password should not be stored in a reversible or unencrypted form," he continued. "There is no 'lay approach' to security."
7. Connect to the original secure WiFi network. "At this point, we've created no footprint as an attacker," said Murray. "We have the network key now, and we can pop that in quickly." Projected onto a large screen, the audience could then see data flowing within the secure network.
Read More