Hacker plays Doom on a Canon printer

In 1993, Doom was a revolutionary, incredibly popular game. Today, it’s being used by hackers like Context Information Security’s Michael Jordon to demonstrate security flaws in connected devices.

Recently, a team of researchers successfully completed a four-monthlong hack that enabled them to access the web interface of a Canon PIXMA printer before modifying its firmware to run the classic ’90s computer game. During his presentation at the 44Con Conference in London, Jordon conveyed to the audience just how easily he could compromise the Canon machine – a popular fixture in many homes and businesses.

Jordon undertook the endeavor of getting the game to run the printer’s hardware in order to demonstrate the inherent security flaws present in today’s Internet of Things (IoT) devices. From the exploitation standpoint, hacking the machine was trivial, as the researcher discovered that the device had a web interface with no username or password protecting it, thus allowing anyone to check the printer’s status.

Upon initial glance, this interface was of little interest, only showing ink levels and printing status. However, it soon became apparent that a hacker like Jordon could use this interface to trigger an update to the machine’s firmware. The printer’s underlying code was encrypted to prevent outsiders from tampering, yet not secure enough to prevent knowledgeable hackers from reverse engineering the encryption system and authenticating their own firmware.

Subsequently, an outsider could have potentially modified the printer’s settings to have it ask for updates from a malicious server opposed to Canon’s official channel. What this means is that malicious hackers could access personal documents the printer was currently printing or even start issuing commands to take up resources. In a business setting, hackers could also have gained privileges into the network, on which to carry out further exploitation.

“If you can run Doom on a printer, you can do a lot more nasty things. In a corporate environment, it would be a good place to be. Who suspects printers?” Jordon explained to the Guardian. “All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context.”

Over the course of recent months, context has been exposing various flaws found in unexpected places, such as a connected toy bunny, a smart light bulb and an IP camera. Believe it or not, a Canon printer isn’t the only system Doom has run on. Earlier this summer, a team of Australians was able to get it running on an ATM, and last year, a crew of modders managed to convert a piano into a Doom machine.

“The maturity isn’t there.” According to the Guardian, Jordon doesn’t believe manufacturers of such smart technologies are giving enough attention to security.

“What this shows is that IoT means virtually anything with a processor and internet connection can be hacked and taken over to do just about anything,” says William Boldt, Atmel Senior Marketing Manager Crypto Products. “With cameras and mics on PCs, home alarms, phones, video game controllers like Kinect, and other things, just imagine how intrusive the IoT really can be.”

Trust is what security is really all about, especially in today’s constantly-connected, intelligent world. And, Atmel security products are making it easy to design in trust easier. By providing highly advanced cryptographic technologies including industry leading, protected hardware based key storage that is ultra-secure, especially when compared to software based solutions, Atmel crypto technologies offer designers the strongest protection mechanisms available so their designs can be trusted to be real, reliable, and safe. After all, a smart world calls for smarter security.

The Atmel® CryptoAuthentication™ family offers product designers an extremely cost-effective hardware authentication capability in a wide variety of space-conscious packages. CryptoAuthentication ICs securely validate a wide variety of physical or logical elements in virtually any microprocessor-based system. Atmel offers both symmetric- and asymmetric-key algorithm-based devices. By implementing a CryptoAuthentication IC into your design, you can take advantage of world-class protection that is built with hardware security fortifications like full active metal shields, multiple tamper detection schemes, internal encryption, and many other features designed to thwart the most determined attacks.

Jordon’s wider point is that the world is filling up with smart objects and devices. Though they often may not appear to be computers, they often have minimal security features guarding them against hacks. This is where Atmel can help.

Home is where the hack is!

Home smart home! While we already know that the smart home market is prepared to take the world by storm in the near future, the underlying concern is whether or not they will be secure. Industry experts are predicting that more than one in 10 of homes will be ‘smart’ by the end of this year — this compared to 17% of households in the U.S. and a global average of 5% — while the smart home trend is expected to double across 7.7 million UK homes by 2019.

Last month, NextMarket Insights forecasted that the U.S. smart home market would grow from the current $1.3 billion to $7.8 billion by 2019. With the market expanding so quickly, just how secure will these connected homes be? Furthermore, Acquity Group predicts that 69% of consumers will own in home IoT connected devices within the next five years. With that many smart devices entering our homes, how can we be so sure the personal data they possess will be kept safe?

According to a new Lowe’s Consumer Study on Smart Homes, half of Americans believe their homes will be more secure with the implementation of smart devices, while 46% of the same individuals polled also feel that the ability to monitor their home while away will improve their own peace of mind. In addition, another 29% think that smart technology in the home will provide them with better protection from fires, floods, and other emergencies.

While these statistics do provide hope for the future and the secure smart home, only 11% of these respondents see security as the deciding factor as to whether or not they would install smart devices in their home. Price, convenience, and the presence of a monthly fee all rank higher when it comes to buying consideration for these individuals.

Yet backdoors and other insecure channels have been found in a number of devices, leaving them susceptible to potential hacks and other cyber attacks. “Although the highly-touted hack of smart refrigerators earlier this year has since been debunked, there’s still no shortage of vulnerabilities in the emerging, so-called Internet of Things,” IEEE Spectrum reminds us.

While the idea of security seems to be on the minds of potential smart home consumers, the actual practicality of the technology seems to be a lesser concern. As evident by HP’s recently conducted study, a shocking 70% of IoT home devices contain security vulnerabilities. This not only impacts home consumers, but they found corporations also widely practiced insecure communications on the Internet and local networks.

With an increase backdoors and other insecure channels have been found in many such devices, opening them to possible hacks, botnets, and other cyber mischief. Although the widely touted hack of smart refrigerators earlier this year has since been debunked, there’s still no shortage of vulnerabilities in the emerging, so-called Internet of Things.

CIO of Prescient Solutions Jerry Irvine tells SecurityInfoWatch that, “Mobile devices have data that are stored on them, so all data is at risk if it is on those devices, whether it is the individual’s personal data or the company’s intellectual property. Additionally, there are user IDs, passwords and server names or addresses that are stored on there within applications.”

These simple security vulnerabilities could prove to be disastrous either in the home, or in the workplace, if exploited. To mitigate some of this risk, Irvine stresses that all connected devices in the home should be connected to a network separate from the user’s PC. “Every single wireless router, wireless access point or cable modem has the ability to do VLANs (virtual local area networks) today. Put all of those home automation systems on a VLAN that does not have direct access to or from the Internet.”

While the public may be ready to welcome IoT home devices into their lives, they may not be readily equipped with the know-how to secure them. With smart homes becoming the norm across the globe, users should educate themselves about potential security risks and ensure their personal data is safe.

“Our premise is that it’s not that easy to do embedded security right, and that essentially has been confirmed,” researcher Christoph Paar reveals. “There are very few systems we looked at that we couldn’t break. The shocking thing is the technology is there to get the security right. If you use state of the art technology, you can build systems that are very secure for practical applications.”

And while there will always be hackers out, Paar says smart engineering and present-day technology can stop most of them in their tracks. That’s why when it comes to securing our constantly-connected and smarter world, look no further than Atmel’s CryptoAuthentication family. These solutions not only provide home and building automation designers an extremely cost-effective hardware authentication capability, but will help offer you a peace of mind in your next-gen home.

Hardware key storage beats software key storage every time, which is one of the “key” lessons of the recent vulnerability revelations. But how does an embedded system manufacturer ensure their products are secure and protected from attack? Fortunately, the solution is simple, available, and cost effective, and that is to use hardware key storage devices such as Atmel’s ATSHA204A, ATECC108A and ATAES132.

Smart homes can provide unprecedented convenience and entertainment, but as our culture moves forward with this new technology, we should make sure we know how to utilize it best.