The Internet of Things (IoT) is placing an unprecedented number of unsecured devices on the internet every day. We all heard about IoT devices used to launch Denial of Service Attacks (DDoS) and toys violating your children’s data privacy. Can an IoT device be exploited to physically attack an unsuspecting user? “Yes, it can,” says security researcher Billy Rios, who shows the Black Hat 2017 attendees how.

IoT Device Physical Attack Exploit

Beware: The First Reported Physical IoT Exploit

One of the world’s most respected experts, Billy Rios specializes in detecting emerging threats related to software security, Industrial Control Systems (ICS), medical services, and critical infrastructure. Today he revealed to Black Hat USA 2017 attendees how vulnerable our society is to hacking attacks.

Rios used the following criteria when selecting the research objects:

  • connected to the internet;
  • accessible to the general public;
  • the exploitations of the devices tested can be leveraged to cause a safety issue.

Luckily for us, there are not too many devices that would match all the criteria. One of them, however, is the common location of my nightmares: welcome to a car wash that might try to trap you inside or hit you with a door.

Car wash

Rios’s exploit was possible due to zero-day vulnerabilities that he discovered at the Laserwash car wash. The vendor has not yet patched the flaws, which involve authentication bypass and the ability to disable or bypass safety mechanisms.

How Does It Work?

The remote exploit code causes the car wash to physically attack occupants, and all you need is an IP address of the car wash. Yes, your car wash location is connected to the internet and even sends out emails with the business reports. PDQ LaserWash runs an HTTP web server interface for remote administration and control, and the car wash equipment runs on Windows CE with an ARM processor. All of the HTTP calls to the web server go to DLLs. If an attacker obtains the default password for the owner or engineer and telnets in, he can potentially gain control of the car wash operations remotely. With an HTTP GET request, you can log in and get a free car wash or take one step further: disable the car wash’s sensors, and open and close the bay doors, as well as the bridge and trolley parts.

At the end of his presentation, Rios encouraged the IT professionals to give some thought to the inadequacy of the current risk scoring systems, which do not capture safety risks. There is no doubt that exploitation of a system that is solely relying on software to implement mechanical safety can eventually result in a loss of life. It should be considered a higher risk than a possibility of stealing supplies from a cabinet.

A vulnerability that compromises a TV and a vulnerability that compromises a car are currently scored the same way. But where this falls down is when you have a device that can actually hurt you. You want to differentiate between an issue that can physically hurt you and one that doesn’t.” — Billy Rios

IoT Security with NetFlow/IPFIX

In the age of the Internet of Things, billions of connected devices affect virtually every aspect of daily life and industry. Starting from sensors that can track human movement to a refrigerator reminding us that it is time to go grocery shopping, IoT devices will become an essential part of the modern landscape.

Even though we painted a very dark picture, not all is lost. There is no doubt security monitoring needs to take a preemptive stance and apply better monitoring practices. Do not wait for an IoT device to hit you on the head or trap you. Instead, start putting to good use the NetFlow data you can already collect from the existing network infrastructure. With a proper network traffic analytics system, we can take even the smallest conversations and then run algorithms against the traffic to alert you within minutes of a breach.

Since your IoT devices will be communicating on your network, you can monitor traffic for IoT vulnerabilities by using features like the Forensic Audit report to identify traffic to and from IoT devices and which ports and protocols they are using to communicate:

Scrutinizer: Vendor by MAC

If you want to learn more about IoT security, reach out to the NetFlow Knights today!

Anna McElhany

Anna is a Quality Assurance Analyst at Plixer. She is dedicated to creating customer-facing documentation and identifying any potential problems that users might encounter. Anna holds a degree in Computer Technology, the AWS Certified SysOps Administrator - Associate, CCNA R&S, CCNA Security, and CompTIA Network + and Security + certifications, as well as NSTISSI Security INFOSEC Professional recognition. In her free time, Anna enjoys spending time with friends and family, flying drones, and hiking.


Leave a Reply

Your email address will not be published.