Abusing the Internet of Things

(Rick Simeone) #1

The number of devices used by a single user increases the attack surface. Attackers who gain access to a single device will be able to steal private information and influence data synced across devices, as well as steal information that can be used to command IoT devices. Users, system administrators, and IoT device and application designers should think through the ecosystem of devices that users are likely to have, along with the possible threat agents, in order to architect solutions that mitigate these potential attack scenarios.


Hearing Voices


In 2007, Microsoft came under fire for a security hole in the speech-recognition component of its newly released Windows Vista operating system. A malicious website could simply play an audio file commanding the computer to delete files and empty the recycle bin, and the operating system would readily comply. Alternatively, an attacker could email the audio file to victims and lure them into playing it. Microsoft played down the risk, stating that it was unlikely that all the conditions required for such an attack to succeed would be met. Furthermore, Microsoft stated that users would likely recognize the attack because they would hear the audio instructions play; however, this assumes the users would be in the vicinity of their computers at the time of the attack, which might not be the case if a delay was introduced before the audio file played.

Perhaps one reason this issue wasn't taken very seriously by users was that not many people used the speech function on desktop and laptop computers (except for individuals affected by impairments and related difficulties). When Vista was released in 2007, users primarily relied on the keyboard, mouse, and trackpad as their modes of input. With the growing popularity of intelligent, voice-operated personal assistant services like Siri and Cortana, however, this is changing. Users are starting to enjoy and find value in commanding their smartphones and other devices with their voices.

Jumping on the digital personal assistant bandwagon, Amazon recently released a product called Echo (Figure 8-1) that is primarily voice operated, along with a companion smartphone app to configure it.


CHAPTER 8: SECURELY ENABLING OUR FUTURE—A CONVERSATION ON UPCOMING ATTACK VECTORS (p. 234)
