Smart Outlets. Why We Need Responsible Disclosure!

Presented at VB2016, Oct. 7, 2016, 9:30 a.m. (30 minutes)

The world of IoTs has grown enough in the last year to be considered a possible a field where security will represent a concern in the near feature. While many IoT producers decided to focus on a very specific aspect (such as creating a smart watch, a smart LED, a smart car, etc.), some of them chose to be involved in producing IoT devices that could, in theory, be used with many other already existing (non-smart) devices.

The most well known from the latter category are power outlets. Even if their functionality is quite simple (basically allowing one to start or stop the power remotely), the security concerns around them are significant. For one, the basic idea in these cases is to be able to control the power for your devices remotely. Remotely in this context often means being able to control the device from an Internet server and not from within your own intranet. Secondly, most of these devices market themselves as being able to conserve energy by shutting themselves down when the device that they are powering no longer needs to run. Because of this, it's likely that in the near future such devices will have a broader use (not only in the consumer market but in industry as well).

This paper presents research done on 10 different smart outlets emphasizing their vulnerabilities, different attack vectors that can be used to control them and also different aspects related to their Internet connection that a hacker might exploit. Last but not least, we will discuss possible situations where using an insecure outlet can have serious consequences in different industries (medical, administration, etc.) and the need for responsible disclosure to mitigate these cases.

Presenters:

• Ciprian Oprisa - Bitdefender
  Ciprian Oprișa Ciprian Oprișa is a team lead in the Antimalware Lab at Bitdefender, where he performs reverse engineering on malicious applications and develops new technologies for heuristic malware detection and for fighting network-based threats. He recently obtained his Ph.D. at the Technical University of Cluj-Napoca, where he proposed new solutions to fight security threats, based on machine learning techniques. He has been working in the security industry for more than six years.
• Dragos Gavrilut - Bitdefender
  Dragoș Gavriluț Dragoș Gavriluț is an anti-malware research manager at Bitdefender, managing a team of 80+ people that develops heuristic detections, cloud-based services, system testing services, disinfection routines, Android and iOS analysis, event correlation algorithms, data mining, IoT and cybersecurity analysis. He is also a lecturer at the Alexandru Ioan Cuza University of Iași, where he received his Ph.D. in 2012, with the thesis entitled 'Meta-heurisics for Anti-Malware Systems'. He received his B.Sc. and M.Sc. in computer science from the same university, in 2004 and 2006, respectively.
• Radu Basaraba - Bitdefender
  Radu Basaraba Radu Basaraba is a researcher at Bitdefender where he analyses smart devices trying to find vulnerabilities in them.
• George Cabau - Bitdefender
  George Cabău George Cabău is Technical Project Manager at Bitdefender where he coordinates a research and development team for malicious threats, sandboxing solution, network intrusion detection and IoT security. He is a computer science graduate from the Technical University of Cluj-Napoca, where he also preparing for his Ph.D.

Links:

• https://www.virusbulletin.com/conference/vb2016/abstracts/smart-outlets-why-we-need-responsible-disclosure

Similar Presentations:

• May Contain Hackers (MCH2022) / A Smart Light Hacking Journey
• 33C3 (2016) / On Smart Cities, Smart Energy, And Dumb Security
• 33C3 (2016) / Lockpicking in the IoT: ...or why adding BTLE to a device sometimes isn't smart at all