IoT ‘Security Hopscotch’ Is No Game: Chris Roberts

Chris Roberts has been in the news a lot this week, for all the wrong reasons. Roberts was banned from United Airlines after tweeting on a flight about his theoretical ability to hack into a plane’s WiFi system. FBI agents detained him for an interview after his flight, and there is now a federal advisory alerting airline staff to look for passengers trying to hack into airplane WiFi.

Roberts began his session at the RSA conference today with a strong disclaimer, pointing out that everything he tweeted about was theoretical and that he’s one of the good guys, trying to help companies better secure their systems.

IoT Danger

Though he did not address his airline travel woes, Roberts did talk about what he referred to as “security hopscotch” across the increasingly connected Internet of Things (IoT) landscape, detailing how open interfaces and network misconfiguration could potentially enable an attacker to hack into a connected device in a person’s home and gain broader access to systems with sensitive data.

In the presentation, he offered the example of a WiFi user in a Starbucks who unwittingly gives an attacker access to an Internet-connected oven in his home.

“I call this the pot roast attack at Starbucks; he (the victim) wanted it medium rare, we decided to cremate it,” Roberts said.

Roberts opted to use an oven as his theoretical attack point because it provides an entry point into the victim’s house and is running the older Android 4.0.3 operating system, which has multiple known vulnerabilities. Using the oven, an attacker could theoretically gain access to other devices and systems on the network.

“Everyone is going to go home now and turn your Internet off? Yes?” Robert said.

In particular, Roberts urged users to take steps to protect network attached storage (NAS) devices that have public FTP (file transfer protocol) Internet access.

“I’m enjoying the fact that our intel engine can get information from you,” Roberts said. “But I’d much rather educate the user and tell them to shut it off from speaking directly to the Internet.”

Your Data, Your Responsibility

Noting that hackers are able to access sensitive data via the public Internet because technology is broken and/or the configuration is wrong, Roberts said, “It’s your data that is out there, you should protect it.”

Roberts advised organization and individual users to strive to better understand the privacy and configuration issues of connected devices.”Listening to this presentation and then doing nothing is not an option,” he said.

He wants organizations and individual users to take responsibility for their own privacy and security

“When you lose data you’re screwing with people’s lives. I don’t want to be just a number or a statistic on a cyber liability claim,” he said.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.