'Internet of Things,' not privacy, to dominate at Black Hat
Security experts gather again in Vegas to show off and debate the latest in hacks and flaws, focusing this year on the latest risks facing Net-connected devices.
As many as 13 previously unknown vulnerabilities in home Wi-Fi routers and networked storage systems are set to be disclosed at the Black Hat computer security conference that kicks off in Las Vegas on Wednesday.
Known as zero-day vulnerabilities, they allow hackers to exploit previously unknown security flaws in a wide range of devices and software. Such security problems -- and the techniques that can be used to defend against them -- are a staple at the annual conference of elite hackers, researchers, experts, and analysts.
These vulnerabilities are notable not only because they're new, but because they represent the latest threat to the connected home, the holy grail of the so-called "Internet of Things" in which everything from your smoke detector to your light bulbs are connected to a central management hub. But beyond that hub lies the device that they must all run through to get access to the Internet: your Wi-Fi router.
Security researcher Jake Holcomb of Independent Security Evaluators followed more than a year and a half of research into the often unmitigated risks facing popular consumer Wi-Fi routers.
"While we put the spotlight on the problem [last year], nothing has changed," said Holcomb's colleague Ted Harrington, who complained that router manufacturers aren't emphasizing security as a selling point for the devices. There are several reasons for taking such a low-profile stance, including that adding security features like automatic firmware updates would likely raise the relatively low retail cost of routers, that the routers themselves don't need to be replaced very often, and that hacking these devices remains relatively unknown.
Although there haven't been many high-profile Wi-Fi router hacks, they have happened. One router hack earlier this year targeted more than 300,000 home Wi-Fi routers, while another infected far fewer devices but with self-replicating malware that was described as "scary."
The situation is problematic because the home router is the hub that Internet-connected devices will all have to filter through, Harrington said, and the router manufacturers aren't focusing on security as a feature.
"Consumers are not empowered. You can't buy the Volvo of routers," Harrington said, referring to the high safety rating of the Swedish cars. "It's as if you could only choose a car that didn't offer seat belts," he said.
While Black Hat this year will feature at least a dozen presentations on various Internet of Things security risks, a topic that won't get a lot of official attention at the conference is the aftermath of the US government's spying that was leaked by former NSA contractor Edward Snowden.
Last year's Black Hat keynote showcased a controversial speech by then-National Security Agency chief Keith Alexander at a time when many security researchers were feeling betrayed by the spying revelations. This year, the conference opted to go for the less contentious Dan Geer, chief information security officer of the Central Intelligence Agency's quasi-independent venture capital arm In-Q-Tel.
Geer, an expert in computer security risk analysis, is unlikely to make his speech overtly political as Black Hat organizers seek to re-draw the line between security and privacy.
At the same time, relying on Geer's expertise to anchor the conference indicates that the industry takes seriously the kinds of Internet-connected device risks that worry people like Harrington. At the inaugural Security of Things conference in Boston earlier this year, Geer said that securing the Internet of Things challenges how researchers have been thinking about security.
"I can't think of a field with a greater intellectual challenge than this one," he said. "This is more like being a fighter pilot, and less like being a industrial planner."
Security experts may agree that Internet-connected devices are a catastrophe waiting to happen unless practices change, but part of the problem is that they're still debating what the new standards should be. Harrington and others like him say they are hopeful that the security industry will figure out how to tighten controls and establish protocol for the myriad of items expected to jump on the Internet.
"If we keep attention on this, we're going to get to a better place," he said.
That's the good news. The bad news? We're "5 to 10 years" away from that better place. "In three years," Harrington said, "There could be a whole new class of things to worry about."
The connected home is coming, but so are its hackers.