ORNL’s IoT Lab hosted summer interns tackling vulnerabilities in everyday technology
Summer interns at the Cyber Science Research Facility at ORNL worked on various smart devices including thermostats, multicontrols, and switches.
After carefully navigating their way through a year of college or the military, a group of interns at the Department of Energy’s Oak Ridge National Laboratory had license to move fast and break things this summer. The Cyber Science Research Facility’s Internet of Things (IoT) Lab is a testbed for better understanding vulnerabilities in the smart devices people use daily, including routers, thermostats, light bulbs, and signal boosters.
Interns gained practical experience that will inform careers in cybersecurity while contributing to ORNL research aimed at protecting consumers and critical infrastructure.
“I’ve learned more this summer than I think I have in a year and a half of college. There are so many different things you can do, and it opens a whole new world of stuff that you’re not really allowed to do outside of a lab environment, especially in cybersecurity. It’s not like you can actively try to find vulnerabilities in items unless you own them. And even with that, it’s not really safe to do.”
Army veteran Arius Largin joined ORNL through the Department of Defense SkillBridge program, which helps service member transition to civilian careers. He previously worked in system administration work over the last few years in the Army and hopes to continue in that field. This summer, he worked on hacking a device that improves bandwidth speeds. To do so, he broke it down to board level and implemented code to extract and attack the device’s firmware to access device security features and disable the connection.
Largin said understanding the device’s vulnerabilities could help improve awareness and decision-making for consumers looking to boost their connection speeds and for the manufacturer who may need better device security.
He said his time at ORNL has afforded opportunities like this he didn’t have previously.
"Since I’ve been here, I’ve been doing things I wouldn’t get the chance to do within the military because there’s so many regulations and security protocols that they wouldn’t allow me to go down to the board level," he said.
I’m so used to doing things a certain way so trying to break that habit to basically having free range to do whatever I want here, it’s a big stepping stone. So far I’ve enjoyed my time here, being able to experiment with different things and improve my skills.
Ashlyn Cornelius is originally from East Tennessee, but she left the state for a military career, becoming an all-source intelligence analyst for eight years with the US Air Force and Space Force and gaining skills in computer science. Now, she’s back home and transitioning out of military service through the Department of Defense SkillBridge program.
“I wanted to come here and learn some cybersecurity skills,” Cornelius said.
And learn she has. Cornelius used an X-ray machine to uncover obscured connections in a smart thermostat, helping identify vulnerabilities that may not have been found through conventional electrical testing.
“If you’re able to find some of those vulnerabilities and let the manufacturer know, they can release a patch so (an attacker) is not able to exploit them.”
Brogan Oberhaus entered the IoT lab as a high school intern and said he wants to do research and development after college so he can break things professionally. Oberhaus worked on hacking an IoT hub by writing a script to automatically detect the password and reboot the hub. He then pulled backups off the hub, and shut it down remotely. Oberhaus noted he didn't even need the password to do this as long as the user is connected to the network. For end users, this means a nefarious person could connect to home WiFi and disable all IoT devices on the network.
I just like taking things apart and figuring out how they work. Cybersecurity is perfect for that because you can tinker with things, break things, and it’s like a puzzle.