Hacking the Internet of Things
Is your smart coffee pot leaking your credit card number?
The Internet Security (IS) Lab on the second floor of the Dibner Building usually holds weekly hack nights. These hack nights, run by students, are for Computer Science majors interested in an introduction to offensive computer security. This hack night, however, was unique: Students pored over a coffee pot.
“We don’t have a lot of people at a code level who understand this like you guys do,” explained Glenn Derene, Electronics Content Development Team Leader at Consumer Reports. “Who’s protecting consumers from devices that are spying on them?”
Consumer Reports is a nonprofit organization whose mission is to empower consumers by assuring a fair, just, and safe marketplace. This is done by independently and impartially testing products and publishing the findings publicly so that the public is able to make more informed purchasing decisions.
How, exactly, did Consumer Reports end up in the School of Engineering’s Internet Security Lab, and what does a coffee pot have to do with anything?
Derene was previously employed at the magazine Popular Mechanics and built connections and sources while there. One of those connections is Dino Dai Zovi, a Hacker in Residence in the Computer Science and Engineering Department. After moving to Consumer Reports, Derene described how Vint Cerf (a vice president and Chief Internet Evangelist at Google, among other roles) came to visit the organization and remarked that no entity was looking into the privacy concerns of smart devices, especially given the growing prevalence of the Internet of Things.
Consumer Reports decided to take up this challenge, but it did not have enough dedicated staff who understood code at the necessary level. It turned to universities for assistance, with Dai Zovi as Derene's contact. "We like dealing with academia," said Derene. Consumer Reports also reached out to law schools, since, according to Derene, "a good lawyer" is as important as someone who knows code where Internet privacy is concerned.
Three consumer-level products were brought into the IS Lab to be tested by students for privacy violations. Besides the coffee pot, which lets users schedule when it brews from a smartphone or tablet, a tablet designed for children and the Amazon Echo were also brought in for testing. (The Amazon Echo is a voice-recognition device that is constantly connected to the Internet as it answers questions and performs tasks.)
A station was set up for each item, running a program called Fishbowl that captures any information the device sends to a router or WiFi network. The idea was to monitor the network traffic and see which servers the objects were talking to, as well as exactly what data was being transmitted. A nearby computer acted as the wireless access point the device joined, so every packet passed through it and was recorded; students could scroll back through the accumulated capture at any time.
Dai Zovi was in charge of initializing the child's tablet and got the ball rolling by setting it up for a make-believe child, just as a consumer would out of the box. In the process, Dai Zovi noted that, "All of this information is going through http, not SSL at all," meaning that names, birth dates, and other potentially sensitive information were being sent unencrypted, readable by anyone positioned on the network path between the tablet and the vendor's servers.
While figuring out how to hook the coffee pot up to Fishbowl properly, the students discovered that the pot broadcast its own wireless access point rather than simply joining the home network like the other devices. "That's scary," a student commented.
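To make concrete what the students were looking for in the Fishbowl captures, here is an added example (not Consumer Reports', the IS Lab's, or Fishbowl's own code) that takes captured device-to-server payloads and sorts them into cleartext HTTP, TLS, or unknown, flagging personal-data fields a setup wizard might send in the clear. The captured flows, host names, and the list of field names treated as personal data are all constructed for the example.

```python
"""Classify captured device traffic as cleartext HTTP or TLS and flag
personal data sent in the clear.  Added example; the flows below are
constructed, not real captures."""
import struct
from urllib.parse import parse_qs

# Field names treated as personal data when they appear in a cleartext
# request (assumption: typical names a device setup wizard would use).
PII_FIELDS = {"name", "first_name", "last_name", "birthdate", "dob", "email", "card"}


def parse_tls_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello ("" if it carries no
    SNI), or None if the payload is not a ClientHello."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        pos = 43  # record header (5) + handshake header (4) + version (2) + random (32)
        pos += 1 + payload[pos]                                      # session id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]      # cipher suites
        pos += 1 + payload[pos]                                      # compression methods
        end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:  # server_name: list len (2), name type (1), name len (2), name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        return None
    return ""


def parse_http_request(payload: bytes):
    """Return (method, host, path, fields) for a cleartext HTTP request, or
    None if the payload does not start with an HTTP request line."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method, target = parts[0].decode(), parts[1].decode()
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    path, _, query = target.partition("?")
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update({k: v[0] for k, v in parse_qs(body.decode()).items()})
    return method, headers.get("host", ""), path, fields


def audit(flows):
    """flows: iterable of (dst_ip, dst_port, first_payload).  Returns a list
    of (destination, kind, hostname, leaked_pii_fields) findings."""
    findings = []
    for dst_ip, dst_port, payload in flows:
        dst = f"{dst_ip}:{dst_port}"
        sni = parse_tls_sni(payload)
        if sni is not None:
            findings.append((dst, "tls", sni, []))
            continue
        req = parse_http_request(payload)
        if req is not None:
            _, host, _, fields = req
            leaked = sorted(k for k in fields if k.lower() in PII_FIELDS)
            findings.append((dst, "http", host, leaked))
            continue
        findings.append((dst, "unknown", "", []))
    return findings


def _build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension
    (constructed sample standing in for a captured handshake)."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32          # version + random
            + b"\x00"                           # empty session id
            + b"\x00\x02\xc0\x2f"               # one cipher suite
            + b"\x01\x00"                       # one compression method
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample flows: a registration POST in the clear, a TLS
# handshake, and an MQTT CONNECT the classifier does not understand.
SAMPLE_FLOWS = [
    ("203.0.113.10", 80, b"POST /api/register HTTP/1.1\r\nHost: setup.example-tablet.test\r\n"
                         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                         b"name=Sam+Example&birthdate=2010-04-01&zip=10001"),
    ("203.0.113.20", 443, _build_client_hello("api.example-coffee.test")),
    ("203.0.113.30", 8883, b"\x10\x0c\x00\x04MQTT\x04\x02\x00<\x00\x00"),
]

if __name__ == "__main__":
    for dst, kind, host, leaked in audit(SAMPLE_FLOWS):
        flag = " <-- personal data in the clear" if leaked else ""
        print(f"{dst:22} {kind:8} {host:28} {leaked}{flag}")
```

The TLS branch only reads the ClientHello's SNI, which is enough to answer "who is the device talking to"; the HTTP branch is where the tablet's finding lives, since a registration form sent over port 80 exposes every field to the access point and to anyone else on the path. In practice the payloads would come from a pcap written by the monitoring access point rather than from an inline list.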
These weaknesses, however, are exactly why the devices were brought into the lab in the first place. As objects become smarter, the public needs stronger assurances that they are protected. "A person shouldn't have to be a software engineer to know the safety standards of these products," added Derene.