On Distrusting Your Toaster and Other Tiny Dystopias

Close to 16 years ago, Matt Devost, Brian Houghton, and Neal Pollard warned you not to trust your toaster. The title referred literally to computer-connected toasters and more broadly at the problem of security vulnerabilities in a networked world. Since then, the cybersecurity world has focused more narrowly on corporate and government network security and critical infrastructure protection. But Devost’s paper was about the wider world of danger represented by the networking of more and more systems–including the humble toaster.

Ars Technica has an interesting story on a new bug discovered in high-def Samsung TVs:

[The] bug, found in a wide range of high-definition TVs from Samsung, was disclosed on Thursday by Luigi Auriemma, an Italy-based researcher who regularly finds security flaws in Microsoft Windows, video games, and even the industrial-strength systems used to control dams, gas refineries, and other critical infrastructure. While poking around a Samsung D6000 model belonging to his brother, he inadvertently discovered a way to remotely send the TV into an endless restart mode that persists even after unplugging the device and turning it back on. The TV was connected by ethernet cable to a home network, so Auriemma thought it would be funny to use a computer connected to the same network to send it a message that contained a series of custom headers. Without warning, the TV spiraled into an endless loop of restarts. For about five seconds, the device would appear to work correctly, but then would stop responding to commands entered by remote control or through the panel. A few seconds later, the TV would restart and repeat the process. Unplugging the power cord or ethernet cable did nothing. Auriemma had just stumbled upon a crippling denial-of-service attack. Auriemma said he sees no reason the attack couldn’t be carried out over the Internet if the TV had a public IP address and used no filters.

A similar bug was discovered in Sony Bravia TVs with the hping networking tool. A researcher was able to use hping to disrupt basic operations fairly easily. Of course, the exploit described is not really that significant in and of itself. But it is a harbinger of a larger trend we have written about at CTOVision: the security problems of a post-computer and possibly post-device ecosystem. More and more devices are becoming networked and thus vulnerable to exploits. And why would they not be? They are being designed with convenience in mind. But the Internet itself is really only the beginning, not the end, of where everyday vulnerabilities exist and may exist in the future.

Samuel Liles has also pointed out the degree to which present thinking ignores the Internet of Things. The protocol J1939 as part of the CANBUS standard connects cars to features of the Internet but not the Internet itself, for example. A recent report also found a range of plausible external automobile attack vectors ranging from the ODB-II port common in many modern automobiles to long-range wireless digital access channels.

From the perspective of everyday personal security and corporate security, these may be more pressing than whatever Chinese or Russian hack is on the news. Existing and future vulnerabilities in basic, everyday devices—especially when so many of them are or will be networked to the Internet–are a pressing problem that has yet to receive the attention they deserve.

Original post

Leave a Comment


Leave a Reply