Ok Google, I’m going home

I’m reading “Click Here to Kill Everybody” by Bruce Schneier, and it really got me thinking about just how vulnerable we’ve become through our reliance on internet connectivity, combined with the proliferation of smart devices which make our lives easier.

With each passing day there are more “smart” devices coming online, which give consumers an unbridled feeling of control over their lives.

Ok, Google, I’m going home – what’s the traffic like? (This will help me get home quicker)

Ok, Google, I’m going home – turn the heating on. (It’s dark and cold, now I can come home to a warm house and not waste heating)

Ring, ring – there’s someone at the door. Now you can see who and speak to them from the comfort of your office. (Chase away unwanted callers)

Let’s not forget the wireless door lock….

All of this can be achieved via the smartphone in your pocket.

Now, let’s reverse this convenience a little. Some crude searches via Shodan uncovered any number of wireless door lock systems which are accessible on the Internet (remember, I still like the internet at this point).

Within 10 minutes, I’ve been able to find some ICS door entry systems and also some open Mosquitto systems.

What really scares me is that it was very easy to find out that this particular system was in a two-storey house that appears to be a home to two children, has a master bedroom and a back bedroom. The house has a wireless magnet door PIR/Contact. Don’t forget the dart board…. In addition to that, the house consumed internet from a well-known Internet Service Provider/Cable TV supplier.

Smart homes are fantastic as a concept, but imagine what could happen if someone really wanted to exploit these systems. Let’s recap on what I found:

  • 4 bedroom house
  • children’s names
  • a nest presence device
  • a door entry sensor
  • ability to reverse the location based on IP address via their ISP
  • don’t forget the dartboard

Based on the above, I have almost enough information to find out where this house is, understand how to get into the house, play a game of darts and maybe even steal their identity and be entirely convincing as I could verify address, ISP,

I’ve spent more time writing this up than actually uncovering the information. That’s another scary thought. (I’m not liking the internet as much now. Are you?)

Note that I do not actually have malicious intentions; I’m posting this as an aspiring white hat.

A colleague of mine often says “Convenience eats security for breakfast”.

I think he’s right…..

 

 
