My most recent book, Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts, has been reviewed by the awesome Cory Doctorow at BoingBoing:
“The book is written in a spritely, writerly fashion, with many grace notes and interesting case studies -- including an account of how you could use someone's hacked email account to steal their Tesla automobile.
This book is a marvelous thing: an important intervention in the policy debate about information security and a practical text for people trying to improve the situation”.
I’m honored by Cory’s review!
Here are brief descriptions of the chapters:
Chapter 1: Lights Out—Hacking Wireless Lightbulbs to Cause Sustained Blackouts
The book begins with a deep dive into the design and architecture of one of the more popular IoT products available in the market: the Philips hue personal lighting system. This chapter presents various security issues in the system, including fundamental concerns such as password security and the possibility of malware abusing weak authorization mechanisms to cause sustained blackouts. We also discuss the complexity of internetworking our online spaces (such as Facebook) with IoT devices, which can lead to security issues spanning multiple platforms.
Chapter 2: Electronic Lock Picking—Abusing Door Locks to Compromise Physical Security
This chapter takes a look at the security vulnerabilities surrounding existing electronic door locks, their wireless mechanisms, and their integration with mobile devices. We also present actual case studies of attackers who have exploited these issues to conduct robberies.
Chapter 3: Assaulting the Radio Nurse—Breaching Baby Monitors and One Other Thing
Security defects in remotely controllable baby monitors are covered in this chapter. We take a look at details of actual vulnerabilities that have been abused by attackers and show how simple design flaws can put the safety of families at risk.
Chapter 4: Blurred Lines—When the Physical Space Meets the Virtual Space
Companies like SmartThings sell suites of IoT devices and sensors that can be leveraged to protect the home, such as by receiving a notification of a potential intruder if the main door of a home is opened after midnight. The fact that these devices use the Internet to operate has increased our dependency on network connectivity, thereby blurring the lines between our physical world and the cyber world. We take a look at the security of the SmartThings suite of products and explore how they are designed to securely operate with devices from other manufacturers.
Chapter 5: The Idiot Box—Attacking “Smart” Televisions
Televisions today are essentially computers running powerful operating systems such as Linux. They connect to the home WiFi network and support services such as watching streaming video, videoconferencing, social networking, and instant messaging. This chapter studies actual vulnerabilities in Samsung branded TVs to understand the root causes of the flaws and the potential impacts on our privacy and safety.
Chapter 6: Connected Car Security Analysis—From Gas to Fully Electric
Cars are also “things” that are now accessible and controllable remotely. Unlike with many other devices, the interconnectedness of the car can serve important safety functions — yet security vulnerabilities in cars can lead to the loss of lives. This chapter studies a low-range wireless system, followed by a review of extensive research performed by leading experts in academia. We analyze and discuss features that can be found in the Tesla Model S sedan, including possible ways the security of the car could be improved.
Chapter 7: Secure Prototyping—littleBits and cloudBit
The first order of business when designing an IoT product is to create a prototype, to make certain the idea is feasible, to explore alternative design concepts, and to develop specifications to build a solid business case. It is extremely important to design security in the initial prototype and subsequent iterations toward the final product. Security as an afterthought is bound to lead to finished products that put the safety and privacy of the consumers at risk. In this chapter, we prototype an SMS doorbell that uses the littleBits prototyping platform. The cloudBit module helps us provide remote wireless connectivity, so we can prototype our IoT idea to send an SMS message to the user when the doorbell is pressed. Discussion of the prototype steps through security issues and requirements considered when designing the prototype, and we also discuss important security considerations that should be addressed by product designers.
Chapter 8: Securely Enabling Our Future—A Conversation on Upcoming Attack Vectors
Over the next few years, our dependence on IoT devices in our lives is bound to skyrocket. In this chapter, we predict plausible scenarios of attacks based upon our understanding of how IoT devices will serve our needs in the future.
Chapter 9: Two Scenarios—Intentions and Outcomes
In this chapter, we take a look at two different hypothetical scenarios to gain a good appreciation of how people can influence security incidents. In the first scenario, we explore how an executive at a large corporation attempts to leverage the “buzz” surrounding the topic of IoT security with the intention of impressing the board of directors. In the second scenario, we look at how an up-and-coming IoT service provider chooses to engage with and respond to researchers and journalists, with the intention of preserving the integrity of its business. The goal of this chapter is to illustrate that, ultimately, the consequences of security-related scenarios are heavily influenced by the intentions and actions of the people involved.