Abusing the Internet of Things

(Rick Simeone) #1
4. Transmit the serialNumber and DeviceID to the malware author. As shown in the SIP requests discussed previously, this is the secret information needed to initiate a connection to the baby monitor and listen in.

We can expect malware authors to incorporate scanning of the local network for baby
monitors. Once a device is located, such a scenario is easy to implement, given that all local
devices can authorize themselves for remote access to the WeMo Baby monitor. Malware
authors who are able to successfully compromise workstations and laptops in people’s homes
will also be able to gain access to every WeMo Baby monitor that is installed in those homes.


Some Things Never Change: The WeMo Switch


In many corporations, secure design is either well established or a mere afterthought across
the company’s product lines. Usually, the culture of an organization is influenced by the
extent to which the executive leadership, which is ultimately answerable to the board and to
the shareholders, acknowledges the importance of security. One clear example of this is the
famous memo sent by Bill Gates to all Microsoft employees in 2002, in which he wrote:


In the past, we’ve made our software and services more compelling for users by adding new features
and functionality, and by making our platform richly extensible. We’ve done a terrific job at that,
but all those great features won’t matter unless customers trust our software. So now, when we face
a choice between adding features and resolving security issues, we need to choose security. Our
products should emphasize security right out of the box, and we must constantly refine and
improve that security as threats evolve.

Gates’s memo came at a time when known vulnerabilities in Microsoft’s software were
being exploited by attackers all over the world. One prime example of this is the Nimda worm,
which was released in 2001 and became the most widespread Internet worm. This worm was
able to exploit multiple operating systems designed by Microsoft: Windows 95, 98, ME, NT,
and 2000.

Ten years later, Microsoft executive Craig Mundie released a statement to all Microsoft
employees reflecting on the Gates memo and the progress Microsoft had made:


Our internal and external work over the past ten years has unquestionably raised the bar in software quality, and demonstrated our commitment to building trustworthy products. In security, we are now widely recognized as a leader in secure development due to our rigorous implementation of the Security Development Lifecycle and our willingness to make it available to others. In privacy, we were the first company to publish privacy standards for developers and to provide consumers with layered privacy notices. In reliability, better instrumentation such as Windows error reporting enabled us to address system crashes, increasing productivity and alleviating user frustration.
