Famed Hacker: IoT Is Exploitable
June 25, 2015
Clad in a blue suit and conservative necktie, Kevin Mitnick no longer looks the part of the precocious teen who started hacking into computer systems while still in high school. But when asked if any system is unhackable, there's a youthful gleam in his eyes.
"I don't know any system out there that's impenetrable," Mitnick told an audience of about 1,500 engineers at the Freescale Technology Forum (FTF) in Austin, Texas this week. "In our experience, when we are hired by clients to attack their systems, our success rate is 100%."
Mitnick, who bills himself as "the world's most famous hacker," knows about computer vulnerabilities. His resume is replete with conquests of 40 major corporations. He once had the dubious distinction of being on the FBI's Most Wanted list, and spent prison time in solitary confinement because prosecutors feared he could break into NORAD computers from his cell and launch nuclear missiles.
At this week's FTF conference, Mitnick focused on the growing influence of the Internet of Things (IoT), and the possibility of such applications being easily compromised. He suggested that the IoT has many of the same issues that now face corporate computer networks. Lack of encryption, authentication weaknesses, and password reset problems are just as likely to compromise the security of IoT applications, he said.
"Those same vulnerabilities exist in the IoT," he said. "If I want to get information from a device, all I have to do is go out and buy one, and then extract the firmware."
Mitnick said he used that methodology recently after his company, Mitnick Security Consulting, was hired by a well-known chain of gas stations to examine their payment security. He first found vulnerabilities in the company's web interfaces. Then he bought one of its payment devices on eBay, extracted the firmware, and easily downloaded a slew of credit and debit card numbers.
The gist of Mitnick's message was that it's not difficult for hackers, even young ones, to compromise the security of the biggest corporations. Asked about his favorite hacks, Mitnick recalled a teenage prank 30 years ago in which he took over a drive-through window at a local McDonald's. "Customers would drive up and I'd take their orders," Mitnick recalled. "I'd say, 'You're the one-hundredth customer, so you get your order for free.'"
Although most businesses are more savvy about security today, the consequences can be far more dire, and the possibilities more widespread. According to a forecast from Gartner Inc., there could be as many as five billion IoT devices online in 2015, in applications ranging from industrial sensor networks to home appliances to utility control systems. And that number could grow to 20 billion by 2020, creating a huge opportunity for determined criminals.
Those facts were apparently not lost on engineers, who lined up to speak to Mitnick and get his business card after the conference's keynote speech. "People need to know," he explained. "The IoT is exploitable, just like any other device."
Senior technical editor Chuck Murray has been writing about technology for 31 years. For Design News, he has covered electronics, automation, fluid power, and autos. He wrote his first article about electric cars in 1988.