Centered around the meeting room table, a group of students worked late into the night to hack the security of household items. Led by Cybersecurity Club advisor and Capture the Flag team member George Osterholt, and hosted by IU’s Security and Privacy in Informatics, Computing, and Engineering (SPICE) center, these students were busy with their part of the first IoT House Hackathon. They were trying to breach devices, gain unauthorized access, or otherwise cause trouble – all in the name of improving system security.
The IoT House is SPICE’s research center for Internet of Things (IoT) smart devices which have swiftly come to permeate our homes and lives with access to private spaces and personal data. With increasing frequency hackers both breach vital national systems and steal individual’s personal data, all via IoT devices. The mission of the IoT house is to identify and improve system security within the Internet of Things.
Supported by the 5 year National Science Foundation grant Living in the Internet of Things, and working in collaboration with partners at the University of Washington, the IoT house is a residential home segmented away from IU’s main network. It houses graduate research students working on home products such as smart doorlocks and crockpots. These are tested for system security as well as for users understanding of their privacy and safety when using such technology. In the house’s first year of operation, a pre-collegiate student won the IEEE IoTD research poster contest for her research in compromising the camera in toy teddy bears in order to stream the video wirelessly.
The IoT house’s work has drawn attention both internally at IU as well as externally. Outreach efforts to educate families and K-12 teachers about personal safety and mitigation strategies have been held around the state. The IoT house staff has also offered lectures to security students and staff on campus.
The IoT House Hackathon is another element used to help spread the skills and knowledge for safety to undergraduate students at both Indiana University and our partner the University of Washington. Drawing from both IU’s security club and students who have seen SPICE’s IoT guest lectures in their classrooms, the event is co-hosted at both schools. Consisting of one night of practical hacking lessons and target planning with a followup night of actual hacking, students are presented with a hands on project that is a first experience for most of them.
In addition to George Osterholt, students were led by SPICE project manager, Joshua Streiff. Both experienced technicians, the pair carefully picked a variety of targets which would present students with levels of difficulty ranging from somewhat challenging to very difficult. According to Streiff:
Many of these students have no initial experience in breaking into devices and systems. They need three things to start with: our permission and support in hacking, some basic skills and knowledge for the task, and a person to sit with them and guide them along. That is what the Hackathon provides.
As this was the inaugural event, the students had concerns that they would be able to learn and completely explore attacks. Breaking into groups, the students began their work. One target that was expected to be a simpler target: the smart lock, was found to be a greater challenge than expected due to recent updates to the device.
The door lock manufacturer implemented three defense updates against attacks that had previously worked. On the positive side for users, the device is more secure now. On the negative side, the defenses are crude and create a nearly unusable product for users simply trying to use the product as intended. So while an attacker is not going to be able to easily open your door, then again, neither will you – even with the passcode.
Students did have success. While setting up the smart crockpot, students found a weakness that allowed them to move horizontally in the house network and take over the lights in the offices. While that was not too surprising, the fact that they could maintain that control after they left the building and moved across networks was very concerning to Joshua Streiff.
We gave them 5 targets, so they took a sixth. I expected them to hack the crockpot in some fashion, but did not expect them to use it to take the lights in my office. However, this is exactly what the IoT house was made for – controlled and ethical hacking in a residential research environment to discover security holes and work to fix them.
The IoT house plans to continue holding Hackathons each semester. In addition to student Hackathons, SPICE has formed IU’s first Capture the Flag team which competes nationally as well as created the Cyberdefense Competition course which was offered for the first time in spring 2018.