Abusing the Internet of Things

Author: Nitesh Dhanjani 
Publisher: O'Reilly
Pages: 296
ISBN: 978-1491902332
Print: 1491902337
Kindle: B013VQ7N36
Audience: Developers engaged in creating apps for Internet-connected devices
Rating: 4.5
Reviewer: Harry Fairhead

The subtitle, Blackouts, Freakouts and Stakeouts, makes this book sound like a whole lot of fun. Is it?

Abusing the Internet of Things sounds like it might be a guide to hacking off-the-shelf hardware: a sort of how-to on changing the way proprietary IoT devices work so you can repurpose them. It is important to realize that this is not the intent of this book. It isn't really targeted at "hobby" hackers.

What it is about is the terrible security you find in most IoT devices. It is a set of essays on how the security of a number of devices was cracked by the author, with some help from the web.


The book opens with a look at wireless light bulbs, the Philips Hue to be exact. The discussion starts with some off-topic material on blackouts and the power grid before it settles down to hacking the WiFi connection.

The problem is that we are given a description of the HTTP exchange between the web site and the lamps, but with no clue as to how the information was obtained. This is interesting, but it hardly equips the beginner to explore the security of other devices on their own.

The chapter explains various weaknesses in the system. The worst offence is the use of an MD5 hash of the user's MAC address to register with the site. A script is given that scans the MAC addresses on the local network and tries them as tokens. When one is found, the script switches the lights off in a loop, causing a blackout. There are lots of large, space-wasting illustrations and pointless listings. If you can't program and have no idea what HTTP is all about, you aren't going to get very far with this chapter or the rest of the book.
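As an added illustration that is not from the book or this review, the following Python contrasts the token scheme the chapter criticises (a hash of a public identifier that anyone on the LAN can recompute) with a registry that issues random tokens unrelated to any device identifier. The MAC address is a constructed sample and TokenRegistry is a hypothetical replacement design, not code from the book.

```python
import hashlib
import hmac
import secrets

# Constructed sample MAC address for the example; on a real LAN a MAC is
# visible to every other host, so it carries no secrecy at all.
SAMPLE_MAC = "00:17:88:0a:1b:2c"


def weak_token(mac: str) -> str:
    """The scheme the book criticises: the access token is just the MD5 of a
    public identifier, so knowing the MAC is the same as knowing the token."""
    return hashlib.md5(mac.lower().encode()).hexdigest()


def derivable_from_mac(token: str, mac: str) -> bool:
    """Defender's check: does a presented token equal a value derived from a
    public identifier? If so, the token scheme provides no real secret."""
    return hmac.compare_digest(token, weak_token(mac))


class TokenRegistry:
    """Hypothetical replacement: tokens come from the OS CSPRNG, are stored
    server-side, and are checked with a constant-time comparison."""

    def __init__(self) -> None:
        self._tokens: set[str] = set()

    def issue(self) -> str:
        # 128 random bits; cannot be recomputed from any device property.
        tok = secrets.token_hex(16)
        self._tokens.add(tok)
        return tok

    def verify(self, presented: str) -> bool:
        # Compare against every stored token in constant time per entry.
        return any(hmac.compare_digest(presented, t) for t in self._tokens)


if __name__ == "__main__":
    reg = TokenRegistry()
    good = reg.issue()
    print("weak token recomputable from MAC:",
          derivable_from_mac(weak_token(SAMPLE_MAC), SAMPLE_MAC))
    print("random token recomputable from MAC:",
          derivable_from_mac(good, SAMPLE_MAC))
    print("registry accepts random token:", reg.verify(good))
    print("registry accepts MAC-derived token:",
          reg.verify(weak_token(SAMPLE_MAC)))
```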

If you do a search on the web you will find lots of articles on how to control the Hue from, say, an Arduino and these make use of much the same sort of information as presented in this book but without the "oh my god! Malware" type approach. 

Chapter 2 goes over the same sort of ground but with an electronic lock, the Onity door lock. In this case most of the defects were discovered by Cody Brocious and posted online as a white paper. The second part of the chapter focuses on Z-Wave door locks and again it reports research done by others. The final topic is Bluetooth locks, and the Kevo lock in particular.

Chapter 3 deals with hacking baby monitors and cameras. The Foscam incident is explained in detail and then the Belkin WeMo monitor is examined. Basically, if you can get access to the local WiFi you can gain authorization and listen in from anywhere in the world. The analysis then moves on to the WeMo switch, and the conclusion is that there really isn't any security.

Chapter 4 is an analysis of the SmartThings home control system; Chapter 5 goes after "smart" TVs; and Chapter 6 deals with smart cars. The smart car chapter takes apart a tyre pressure monitoring system, looks at the weakness of the CAN bus and weaknesses of the Tesla Model S.


The remaining three chapters are on more general topics. Chapter 7 is about how you can prototype IoT devices using littleBits and cloudBit; the suggestion is that this avoids having to create your own security. Chapter 8 is a philosophical discussion of the future of the IoT and hacking, and the final chapter is another management-oriented discussion of security.

As long as you are the right reader you will find a lot of interest in this book. You need to be warned that there are a lot of big pictures and fairly pointless listings that reduce the information density. You also need to be warned that this isn't a book that will teach you about the technology needed to hack these devices, and you will have to have a sufficient understanding of web technologies to be happy reading HTTP exchanges.


If there is a single message to take from the entire book it is that currently our smart devices are being designed without much thought for security. This makes it fairly easy to hack them in ways that manufacturers never intended. In many cases restricting access to the local WiFi is considered enough to provide security, in the opinion of the manufacturers at least. Or it seems that the manufacturers never really considered that anyone might want to hack a device, baby monitors for example, so didn't put security high up on the agenda.

If you are going to design an IoT device then this is a good source book for how other people did it wrong, and it is probably worth reading just to find out what is not adequate security.


Last Updated ( Friday, 28 July 2017 )