Ethical Hacking Blog

What's the Point in Hacking Toilets?

Written by Ben Schmerler | May 30, 2023 7:40:01 PM

So…what’s the point in hacking toilets?

 

As I’m writing this blog, I just left the RSA Conference in San Francisco, where the IoT Village participates in the Sandbox. In case you don’t know, the RSA Sandbox is where multiple Villages set up areas to educate people on specialized areas of security risk, usually with hands-on demonstrations. While I did several things at RSA, like attending talks about the psychology of Social Engineering, or visiting the expo hall, much of my time was spent at our Village chatting with people about ethical hacking, vulnerability testing, and lots of other security topics.

Here’s a photo of what we brought to the Sandbox for show and tell.

Yes, you saw that correctly. We brought a toilet to RSA (among other things). More specifically, we brought a Bluetooth-connected toilet seat. Its name is Tim The Toilet. At least that’s what I call it. He’s a “smart” toilet seat, which pretty much means that it has some kind of connectivity. For the IoT Village, we love highlighting these kinds of devices, since they are becoming far more common in homes and businesses, whether they are properly secured or not.

The toilet was placed front and center at our booth, and we even got the lighting people to spotlight it with an appropriate white swirling light. Obviously, we wanted people to see it because it was unique and not what they expected. The only problem was that we usually got the same puzzled reaction as attendees walked up to us.

“Uh, so…what’s up with the toilet?”

I must admit I have a bit of a sarcastic streak, so people asking me what the deal with the toilet was got many non-serious responses from me, from suggesting people use it because of all the coffee they were drinking in the room, to claiming it was left in the middle of the room for no real reason at all, to intricate stories about how this was actually an old San Francisco historic landmark. But really, we had reverse engineered the seat.

We figured out how to issue commands from a mobile device to the toilet seat to change some basic functionality. Nothing too crazy, just changing the lights, or spontaneously activating the heated seat. We would show attendees how easy this was for us to do, along with similar kinds of demonstrations for a small vacuum robot and Bluetooth-enabled colored lights, in a hands-on lab that anybody could do, even if they weren’t experienced in hacking. These demonstrations at IoT Village were visited by hundreds of attendees at RSA Conference each day, from experienced security professionals, to students, to people who are only curious about security as a subject. It was a lot of fun, both for the attendees and for us.

But even though this stuff is admittedly goofy, there is a broader point. Yes, it is a lot of fun and draws attention when you hack toilets, but we need to think beyond the toilet (Side Note: “Think Beyond The Toilet” is my schtick. Get your own catch phrase). What are the actual implications of us showing off funny things we can do with home electronic appliances?

As I mentioned earlier, these devices are omnipresent. I bet right now, even if you aren’t into technology, you probably have a few devices that have connectivity to them. Maybe it’s your thermostat. You could be reading this on your smartphone while you listen to music on the Bluetooth headphones you got on Amazon for $20. Or perhaps, like my father, you have a picture frame that connects to the Internet and automatically loads up pictures of your granddaughter that were sent to it by your daughter from her home. But keep in mind that IoT devices go beyond small appliances and fun gifts. They are used in our infrastructure to deliver public services, or as part of manufacturing processes, or to bring major functionality to most modern cars, and so on.

Think of some kind of product you used 20 years ago that was non-electronic. Now just use a little imagination on how connectivity to the Internet or other devices can enhance this product and, voila, you have an IoT device. It’s not a surprise that these devices are becoming more common because there are so many great use cases for them.

There is a flipside to this. To get this stuff to work, we must add computing hardware and software…the same hardware and software that has been targeted for decades by hackers (the unethical ones) to steal information from people, commit fraud and theft, attack governments, non-profits, and companies, and so on.

Some people have the attitude of “well, it’s cool that I can program my thermostat from my phone or check on my laundry when I’m out of the house, but I’m not doing it because I don’t want to be hacked”. Other people are easily swayed into quickly adopting IoT devices that, while functional, don’t have the user’s security interests in mind and are poorly designed, leaving them open for exploitation. Neither approach is particularly wise, and this leads me to why we hack toilets.

 

So what is the point in hacking toilets?

Many of these IoT devices are just a combination of a product you have used in the past, along with some kind of way to communicate and issue commands, usually to create new functionality that didn’t exist. There are some important implications to consider regarding hacking these devices.

  • If you can intercept data (over Bluetooth, WiFi, etc.) on a toilet, there’s a good chance you could use a similar tactic to intercept other, perhaps more sensitive data, with smart devices that use this kind of technology, such as a wireless security camera, or perhaps a smart key that opens a door using wireless technology, or IoT devices in our critical infrastructure.
  • While many think of hacking as negative, some ethical hacking could be used to find new purposes in devices that may have had limited purpose before. Indeed, many of the popular IoT devices on the market were created simply out of this kind of ingenuity.
  • All things have vulnerabilities in them (even non-technical products), but it is important to understand the level of vulnerability. Sure, a toilet seat with limited functionality doesn’t have dramatic personal security implications, but if the toilet seat is secured in the same way as, say, a medical device that communicates wirelessly, the implications are dramatically different. If we can hack those devices as easily as the toilet seat, the consequences would be far more severe. Device security should be designed with the sensitivity of an asset in mind (pardon the pun). The only real way of knowing how secure something is, is to test it.
  • Along that same logic, it is important that ethical hackers and security researchers are discovering vulnerabilities first, before the wrong kinds of people discover something that can be exploited maliciously across the Internet on a variety of apps, devices and networks. In order to make the bad guys’ job hard, we have to be discovering vulnerabilities first and communicating with the broader community before major attacks occur that take advantage of vulnerabilities the security community is unaware of.
  • The only way we are going to deal with the security implications of an increasingly connected world with more IoT devices is by teaching security analysts, hardware/software designers, CISOs, and others who are responsible for making sure assets are properly secured the right and wrong way to do things. When we perform our assessments at ISE and report on findings, we make sure that our clients understand the vulnerabilities we find, the Proof of Concept, and remediation strategies so that in the future, they are better able to protect themselves. This is the core mission of the IoT Village.

 

I admit, at ISE, when we do demonstrations, we are going for things that are at times provocative and outside the ordinary. But it’s not just for laughs and attention. The mission of securing technology is one of the major challenges we will face in our lifetime. We’ve done a great job as a society making technology work for us since the adoption of the Internet, but we can’t lose sight of the fact that this benefit requires us to be diligent in what products we adopt, how we track our sensitive assets, what security practices we follow, and understanding how we can be exploited by missing the mark.

I guess another way of putting it is that sometimes, if you want to protect your ass, the best place to start is to make sure you aren’t sitting on a hot seat. ZING!

 

Thanks for reading this blog! If you want to learn how to properly protect the assets that matter most to you, reach out to us for a conversation!  

 
