Book review: Abusing the Internet of Things, Blackouts, Freakouts, and Stakeouts, Nitesh Dhanjani

“Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts”
Nitesh Dhanjani
O’Reilly, August 2015
Softback, 23.3 x 17.8 cm (9.2 x 7 in), 17+274 pp., £33.50/$49.99
ISBN 978 1 491 90233 2
Available for Kindle (£25.80/$39.80), and as an O’Reilly Ebook ($42.99) from here, but not yet in the iTunes Store (UK).

If you have read anything about the Internet of Things (IoT), here or elsewhere, it is bound to have been about its huge security issues.

To many, I fear that such issues are beginning to sound like an industry sector crying wolf, forever trying to self-justify by scaring us. Alternatively, it may all seem too difficult, and we continue to make purchase decisions regardless. This book is an excellent antithesis which should persuade you otherwise: if you think that Ashley Madison and other recent horror stories were bad, read this. You might just put your baby monitor back in its box, and disconnect other smart devices from your network. If you still can.

The first six chapters are extremely well-written, technically explicit accounts of major IoT vulnerabilities in real products. Dhanjani is careful to provide thorough accounts which are eminently readable, and should be understandable to all, but which can be glossed over quickly on an initial reading, if you wish.

However, by providing the detail which he does, Dhanjani makes the vital point that attacking many IoT devices is not particularly difficult, and that many of the vulnerabilities are the result of staggeringly naïve design. These case studies, and some of the vendors’ responses when their vulnerabilities are disclosed, are the book’s greatest impact. You will repeatedly find yourself wondering how on earth any idiot implemented some of these IoT systems.

The examples include:

  • multiple vulnerabilities in the Philips hue lighting system, allowing an attacker to take control of the system, which the author researched;
  • multiple vulnerabilities in the Onity door lock, widely used in hotels, in locks controlled over Z-Wave protocols, and in Bluetooth LE locks such as the Kwikset Kevo;
  • multiple vulnerabilities in the Foscam and Belkin WeMo Baby monitors, and the Belkin WeMo Switch, allowing an attacker to take control;
  • vulnerabilities in the SmartThings IoT hub (now fixed), and in its interoperability with Philips hue lighting systems and the Belkin WeMo Switch;
  • vulnerabilities in smart TVs, particularly certain Samsung models, and hardware tools available to assess such systems, including the WiFi Pineapple Mark V;
  • a series of vulnerabilities in tyre-pressure monitoring systems and ECUs in various makes and models of vehicles, culminating in the Tesla Model S.

Each of these chapters is introduced by real-world examples which set the vulnerabilities into context, and there are multiple links, usually in the form of shortened bit.ly addresses, to take you on to further reading and more.

Chapter 7 is a practical exercise in developing an IoT system using the cloudBit unit of the littleBits electronic kits. This allows Dhanjani to point out other pitfalls and problems which such systems face, in a very concrete way. This chapter concludes with a review of the most likely attackers, which includes a short account of the April 2015 hijacking of Tesla’s website and Twitter accounts. However, the most significant of IoT vulnerabilities, those in connected websites, are not tackled in depth in this book.

The final two chapters, on future attack vectors and two hypothetical industry scenarios, are briefer and – because of their reliance on the hypothetical – somewhat less impressive. However, they should be useful to Dhanjani’s main audience of information security officers.

There are a few typos and editorial glitches, such as some unconverted markup at the start of page 247, and the occasional opaque sentence:
“It’s probably not a bad guess to say that our exposure to the attack surface posed by connected cars, especially as we head toward the world of fully autonomous vehicles, is bound to multiply should we not take considerable action now.” (p 191.)
However, throughout the rest of the book we are spared surface exposure multiplication, and the text and code shown are lucid and illuminating.

My only real regret is that this book is so expensive, making its purchase by intelligent and enquiring consumers very unlikely. I hope that O’Reilly will invite Dhanjani to write a sequel for an even wider readership, priced more appropriately.