An IoT hackathon recently exposed security flaws in the automated systems and devices that are part of a connected home. During the event, held in November at Alcatel-Lucent’s Innovation City outside of Paris, nearly 40 students and professionals competed to find security holes in various devices common in the Internet of Things, including hubs, locks, bulbs, and detectors.
Corporate participants and observers coming from 20 companies were given the opportunity to witness the hackers' exploits first-hand.
“HACK THE HOME” TIMELINE
During this hackathon, 10 scenarios were tested by 8 participating teams. Each mission corresponded to a connected device to be hacked by exploiting its security vulnerabilities.
|17:00||Arrival and welcome.|
|18:30||“Hack the Home” IoT hackathon begins.|
|19:01||First mission is completed. The goal of this scenario was to gain access to a room secured by 2 household hubs without being detected. Participants had to cut the power in order to switch off the hubs, as an intruder might do. After that, they could enter the room, but were still detected. Why? Because one of the hubs had a battery and a 3G dongle that let it work even though the power was out.|
|19:18||A technical problem at the bar— consisting of 15 hubs and 15 lightbulbs. The goal was to crack the security of a hub in order to access its interface and switch on a lightbulb. Within a few seconds, the lightbulbs begin to light up one by one. Why? A participant had a hacking tool that let him easily take control of devices. A huge number of household devices can be hacked in seconds if the attacker has the right tools.|
|20:00||Observers discuss the proceedings, swap business cards, visit the installations, and enjoy the buzz.|
|21:20||The hackathon holds a 3-minute silence in memory of the 129 victims of the November 13. To commemorate them, the Device IOT Excellence Center's bays are lit up in red, white, and blue.|
|23:24||Second mission is completed. This time, the goal was to take control of a Wi-Fi network in order to become an admin for a surveillance camera.|
|1:30||Very few missions have been completed. Are these devices more secure than we thought? Some hackers have decided to sleep for a few hours, while others prefer to stay at their keyboards all night.|
|2:04, 2:39, 2:40, 2:46||In less than an hour, 4 missions are completed! 1: A team successfully takes control of some smart lightbulbs to reproduce a specific lighting sequence. 2: A team takes control of a multimedia hub to get hold of the plans and codes for a safe that’s stored on the network. 3: A team takes advantage of security holes in a phone to download home hub details – and move a certain object without being detected. 4: A team attacks the hubs at the bar. All the teams now turn to this particular challenge, and just 1 hub survives our hackers' attacks.|
|3:45||After multiple attempts, a team manages to penetrate the panic room — equipped with a hub, a door sensor, a motion sensor, and an alarm. To get in, the attackers had to create interference that disrupted communications between the different sensors and the hub. Once the communications were neutralized, it was easy to get into the room and steal its contents.|
|6:30||John Haqzyhom, the event mascot, gave away too much information on his Facebook profile. Hackers use his information to construct a dictionary attack to work out the household hub's password. Without protection, the software could easily give access to the hackers.|
|7:18||A team carries out some identity theft by making a mock login screen to capture the user ID and password when the user types them in. This leaves the hackers with unrestricted access to the home's system.|
|8:07||Sunrise at "Hack the Home", and just under 9 hours remaining.|
|10:20||A team succeeds in creating a z-wave sniffer that can take control of various objects. The ultimate weapon in subverting all household systems.|
|13:00||We stop for lunch before getting back to neutralizing home systems.|
|15:37||A few participants start up a game of table soccer before taking on their final mission.|
SECURITY: THE STAKES ARE HIGH
A smart home is equipped with various fixed or mobile sensors, connected to the Internet and accessible locally or remotely.
But what happens if a component is not secure? What are the risks to users? What are the impacts on other connected devices in the house? What opportunities does this offer to hackers?
Taking control of the home's virtual brain
In order to work, a connected home system needs a brain, which is usually a hub. This centralizes all of the data from the different sensors. If the hub malfunctions or is down, the system is disabled. It’s the ideal way for an intruder to enter your home without being detected.
Breaking into the network
To interact remotely with your various household devices, they need to be connected to the Internet (directly or indirectly). This makes them vulnerable to potential attacks. If a device has a security hole, it could become a back door to your entire network. And once inside the network, it's easy for hackers to get all of the information they want (documents, confidential information, etc.).
Spying on someone
Household devices record a lot of data about our homes: movement, temperature, light, noise, etc. By accessing this data, hackers can discover the smallest details and habits about someone without even having access to a camera. So you can say goodbye to your privacy. And monitoring the movements of members of the household becomes simple for someone who wants to plan a break-in, for example.
In a related hackathon last summer, students were able to test and break security cameras.
The aim of this latest ethical IoT hackathon was to highlight the hidden dangers in certain commercial products. After the hackathon, participants were saying "But we haven't finished; there are still some devices we haven't hacked — we want to carry on!"
So we’re already thinking about a new hackathon, still in partnership with schools and businesses, to expand the work of “Hack the Home” in its labs.
Through its "Device IOT Excellence Center",Alcatel-Lucent's mission is to develop an ecosystem of businesses, schools, and institutions that will work together to develop tomorrow's connected world — a smart world where humans are in control of their private lives.
Our authors look forward to your questions and comments.