Security Sense: If You Program It, They Will Break It: How Connecting Things Can Make Them Worse

I saw a couple of news pieces this week that serve as a pretty good reminder as to the inherently fallible nature of anything that runs a microprocessor. Yes, yes, everything needs to be “smart” or “connected” because convenience and point of difference on the market, but does this actually improve the product? Or compromise its very reason raison d'être?

The first one I came across was the connected sniper rifle. That’s right: apparently you can get your hands on a high powered weapon which can then be connected to via wifi using a default password which grants the attacker access to APIs running on the gun’s “server” that then enables them to change targeting variables. Whoa!

Clearly, this could be bad news because firstly, it’s a gun an attacker can control and secondly, the whole idea of a sniper rifle is precision. Technology could improve the function of the rifle, but it can also compromise it in ways that were never possible with the non-smart rifles of yesteryear.

The other one that popped up is the Brinks CompuSafe “smart safe”. These are a very modern interpretation of your classic heavy duty safe and they’re complete with digital touchscreen (ok, not so bad), internet connectivity (this is where the alarm bells start ringing), Windows XP embedded (uh oh) and drumroll… a USB port. The researcher who had a play with the safe found he could connect to the USB port and, well, here’s how he explains it:

“There is a full operating system…that you’re able to…fully take over…and make [the safe] do whatever you want it to do.”

But it’s a safe! The thing is even named “safe” yet here we have a guy plugging into an exposed port and making the whole thing entirely unsafe! He goes on to explain that he needs all of 60 seconds after “plugging in his little gismo” and the door swings open exposing the booty within.

Software running in everyday real world things is exposing risks we simply never had to deal with before. LIFX lightbulbs could give attackers access to the wifi credentials of the network they were on. The Lixil Satis connected toilet (oh yes, there is such a thing) could allow an attacker to “activate bidet or air-dry functions, causing discomfort or distress to user”. You’d never see these attacks coming; I mean you wouldn’t turn around after discovering an attacker on your home network and say “Oh my, I wonder if my lightbulbs are to blame” and as for an attack on the Lixil Satis, I imagine the reaction of the victim wouldn’t really be suitable for putting into print.

I can’t help but look at all these things and wonder if the technology has made them better or if in fact it’s actually made them inherently flawed at what they were designed to do in the first place.