While a robot vacuum is supposed to gather dirt, it may also gather pictures and blueprints of the house it cleans. A smart doorbell may be turned off right at the time when a homeowner wants a recording. Summer interns at the Department of Energy’s Oak Ridge National Laboratory recently dove into various smart devices to better understand cybersecurity vulnerabilities posed by technology meant to simplify a user’s life.
Smart devices allow a person to manage home electronics, such as lights, appliances or security cameras, through the internet. These items have gained popularity in the last few years for being inexpensive, easy to install and easy to manipulate from anywhere in the world. Commercial utilities are adopting similar devices to streamline security and monitoring for industrial facilities, potentially opening opportunities for an adversary to disrupt services to homes and businesses.
ORNL is poised to look at how different devices interface with a controller, such as a smart phone or “hub”, or with other devices in a network. This machine-to-machine communication is known commonly as the Internet of Things, or IoT. Laura Ann Anderson, a secure communications researcher at ORNL, mentors students in network security, device communication protocols and many other cybersecurity techniques used to build, protect and defend these devices and their networks. “The rush to be the first on the market with the newest connected feature often allowed vulnerabilities in systems to be overlooked in either the devices themselves or the protocols over which they communicate,” Anderson said.
This summer’s interns were the first class to open ORNL’s IoT lab, located in the Cyber Science Research Facility, for dedicated research into smart devices. Students chose what devices to research, including comparing signals sent from different robot vacuum brands, using inexpensive network discovery tools to acquire video game goods without paying and testing streaming quality of video security cameras.
“Utilities use sensors that work in similar fashion to residential smart devices,” said Colin Tarkington, a computer science sophomore at Pellissippi State Community College. “Sensors can monitor temperature and detect if doors are open. The companies that make smart devices are providing the utilities with sensors, and understanding the residential devices can lead us to infer how secure the utility’s systems are.”
Tarkington has been researching doorbell cameras to understand what information is sent over the internet. Overall, he was impressed with the encryption used to pass information. But some devices had a flaw that allowed a live feed to be turned off using a simple command to the device, leaving the door areas of a home unprotected.
Gage Slacum, a computer science undergraduate student at the University of Tennessee, Knoxville, learned through his ORNL internship that it was possible to use a $150 device available on the market in conjunction with information found online to acquire goods from companies or turn devices on in someone else’s house. “Open-source information can be used in ways that are against the intended use,” Slacum said. “These inexpensive gadgets can manipulate electronics owned by other people.” His research underlined the availability of inexpensive tools and the low barrier of entry required to disrupt an IoT network.
Abigail Baker, a master’s degree student at Dakota State University, used her summer internship at ORNL to investigate robot vacuums. She compared a U.S. and a foreign-made product to understand what kind of information is released by a vacuum without the owner’s permission. She was surprised to find that robot vacuums continually search for IP addresses, even when the device is supposed to be idle overnight. “The U.S. brand talked to the outside world a lot. It was sending out many pings, but I couldn’t see what data it was sending.”
Baker’s college courses only scratched the surface of the knowledge needed to understand device security. “Even though I earned a degree in cybersecurity, I learned through this internship that smart devices aren’t as secure as they claim to be,” she said.
While many higher education institutes offer courses and degrees in computer science and cybersecurity, the student experience varies. Course offerings are inconsistent across programs, and hands-on opportunities are limited. ORNL seeks to enhance students’ exposure to IoT and cybersecurity knowledge by partnering locally with Pellissippi State Community College. Through a recent $5,000 donation by ORNL, PSCC intends to build an IoT lab on campus while ORNL expands its complementary lab to give students a range of perspectives on cyber vulnerability research.
“ORNL is dedicating tools and lab space to researching smart devices,” said Mat Singleton, an ORNL cyber security technical professional. “If our students find a vulnerability worthy of notifying the manufacturer, we show them how to do this, too. They learn ‘white hat hacking’ along with how to think about building a mechanism to protect against the vulnerability.”
Because cybersecurity degree programs vary from college to college, Singleton is interested in mentoring students to be curious about connected devices and in helping them develop the technical skills to investigate these devices. He wants students to understand the type of cyber work they want to pursue as a career. For Singleton and his colleagues, that work includes ethical breaking and entering.
ORNL has a cybersecurity and resilience mission to develop innovative R&D capabilities to advance the science of cybersecurity, including cutting-edge, data-driven defensive cybersecurity architectures, technologies and evaluation methods.
UT-Battelle manages ORNL for the Department of Energy’s Office of Science, the single largest supporter of basic research in the physical sciences in the United States. The Office of Science is working to address some of the most pressing challenges of our time. For more information, please visit energy.gov/science. — Liz Neunsinger