The Black Hat conference has long been the security conference where speakers announce fairly frightening breaks in security. In the past, a lot of the energy went into targeting desktop and mobile operating systems, along with a steady stream of ways to convert the uncharted territory in widely used internet protocols into “weaponizable” exploits.

As one might expect, the past couple of years have seen significant expansion in sessions featuring IoT insecurities. By and large, the researchers presenting the IoT sessions are focused on the hardware that constitutes the “thing” in the equation; these are devices ranging from hotel door locks to the programmable logic controllers (PLCs) that control most of the industrial world’s equipment. It won’t comfort you to know that these sessions have tended to be an exercise in shooting fish in a barrel. This year, if anything, was bigger fish shot with higher-caliber loads.

Bluetooth decay

The takeaway for the IoT world is that using the security you have available — turning the security features on — is a good place to start. When Slawomir Jasek, a researcher at SecuRing in Poland, showed several attacks on devices using Bluetooth Smart for their connection with the world, he noted that eight in 10 of the devices he looked at didn’t implement the bonding and encryption offered in the standard. Instead, the products either had no security or implemented application-level password systems and safeguards, to predictable effect. He offered the world a tool that gives researchers (and hackers) a way to insert a device (a Raspberry Pi in Jasek’s case) running a proxy between, say, a car owner with a smartphone and the car with a Bluetooth-controlled lock. Even without a complete break in the system, numerous attacks may still be launched. In some cases, for instance, locks can be reset such that even the correct Bluetooth application can’t open them.

Access one bit and you win

In a separate session examining the fragility of security where “thing” hardware is concerned, researcher Joe FitzPatrick of SecuringHardware.com pointed out the obvious: If an attacker can change the value of a bit at the hardware level, then all the software protections in the world won’t help you. When the critical logic branch at the software level is processed, the value in the comparison — authorized or not — will be controlled by the attacker from a level below. There are many ways in which the basic idea can be illustrated, but one obvious way is to just access the JTAG port that’s left available on the printed circuit boards of so many devices. An attacker with physical access to a PLC on a factory floor needs only a minute to insert a device that can provide, for example, remote radio access to the JTAG port. It’s arguably a little far-fetched, but the part that’s unlikely is the physical access, not the electronics or the availability of JTAG ports on PLC circuit boards.