Vulnerabilities / Threats
8/27/2014
12:00 PM
David Jacoby
David Jacoby
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

How I Hacked My Home, IoT Style

It didn't take long to find a score of vulnerabilities in my home entertainment, gaming, and network storage systems.

Very often new terms get over-hyped in the IT security industry. Today, as we all look to find out more about the Internet of Things, the typical residence can easily have five devices connected to a home network that aren't computers, tablets, or cellphones. As users in this connected environment, we need to ask ourselves "What's the current threat level?" and "How vulnerable am I?"

Most people know what a computer virus is, that we should have strong passwords, and that it's important to install the latest security patches. But many of us (even those with an IT-security mindset) still focus primarily on protecting our traditional endpoints and forget that there are other devices connected to our networks.

For this reason, I decided to conduct research that would identify how easy it would be to hack my own home. Are the devices connected to my network vulnerable? What could an attacker actually do if these devices were compromised? Is my home hackable? I determined to look for real, practical, and relevant attack vectors to see whether it was.

During my research I focused on all the "other" devices I have connected to my home network: a smart TV, satellite receiver, DVD/Blu-ray player, network storage devices, and gaming consoles. Before I started, I was pretty sure that my home was pretty secure. I mean, I've been working in the security industry for over 15 years, and I'm quite paranoid when it comes to such things as security patches.

As I started my research, it didn’t take long to figure out just how easy it was to find vulnerabilities in all of the systems. I managed to find 14 vulnerabilities in the network attached storage, one vulnerability in the Smart TV, and several potentially hidden remote control functions in the router.

The most severe vulnerabilities were found in the network-attached storage, several that would allow an attacker to remotely execute system commands with the highest administrative privileges. The tested devices also had weak default passwords; lots of configuration files had the wrong permissions; and they also contained passwords in plain text.

When I investigated the security level of the smart TV I discovered that no encryption was used in communication between the TV and the TV vendor’s servers. I was able to replace an icon of the Smart TV graphic interface with a picture, showing the potential for a man-in-the-middle style of attack. 

The DSL router used to provide wireless Internet access for all other home devices contained several hidden dangerous features that could potentially provide the Internet service provider remote access to any device in my private network. The results were shocking, to say the least.

What I found from my research is that we need to assume that our devices can be, or are already, compromised by attackers who can gain access to them. This applies to consumers as well as companies. We need to understand that everything we connect to the network might be a stepping stone for an attacker.

We also need to understand that our information is not secure just because we have a strong password or are running some protection against malicious code. It took me less than 20 minutes to find and verify extremely serious vulnerabilities in a device considered to be secure.

As a community, we need to come up with alternative solutions that can help individuals and companies improve their security. Even though the home entertainment industry might not be focused on security, with just a few simple tips we can all raise the security level a little bit higher. As a side note, all vulnerabilities have been reported to the respective vendors, and they're working on solutions for these products.

Click here for more details on David’s research.

David is a Senior Security Researcher for Kaspersky Lab, with 15 years of experience working in the IT security field. He is responsible for not only research but also technical PR activities in the Nordic and Benelux regions where his tasks often include vulnerability and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
8/29/2014 | 9:28:16 AM
Re: Assessment Tools
Curious to know how many of the techniques described here would translate to an enterprise security manager suddenly faced with managing so many non-computer devices? What will be the effects of IoT in the business?
Cybdiver
50%
50%
Cybdiver,
User Rank: Apprentice
8/29/2014 | 8:19:58 AM
Re: Assessment Tools
Restricting access to the internet does not seem likely except during a test phase.   I notice that even the smallest of storage devices these days shouts out to the net checking to see if it's software is up to date.  Also many newer devices are selling home cloud solutions.

You and I are probably among the few that go to the extent of trying to lock down a network.  Most folks just plug gear in and go with it.  I've even come across that at larger companies.  Their IT staff is overloaded with just keepign the users working and printers full of ink they take a firewall install it with defaults and figure that's good enough.  I'm kinda grateful they do that. 
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/29/2014 | 7:22:57 AM
Re: Assessment Tools
Hola!

Thanks for your comment and i agree that these attacks are not very popular. Thats not the point. Please read my entire article at Securelist and you will understand.

 

http://securelist.com/analysis/publications/66207/iot-how-i-hacked-my-home/
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/29/2014 | 7:20:20 AM
Re: Assessment Tools
Hola Kelly,

Ill paste you the answer i gave to another user here, it applies on your question too:

Just a small note, event that these devices where located on my local network, i could trigger the vulnerabilities remotely by a simple JavaScript. When any "real" device, such as a laptop, visisted my malicious website, the vulnerabilities in the storage device was triggered, and i would access the local area network again.


Once again, i think one of the best options here, is to restrict access to the Internet for the devices.

But to develop my JavaScript i still needed some information about the local area network.
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/29/2014 | 7:18:55 AM
Re: Assessment Tools
Hi Cybdiver,

 

Just a small note, event that these devices where located on my local network, i could trigger the vulnerabilities remotely by a simple JavaScript. When any "real" device, such as a laptop, visisted my malicious website, the vulnerabilities in the storage device was triggered, and i would access the local area network again.


Once again, i think one of the best options here, is to restrict access to the Internet for the devices.
Cybdiver
100%
0%
Cybdiver,
User Rank: Apprentice
8/28/2014 | 4:22:48 PM
Re: Assessment Tools
I went through the same drama at home, and then went and invested in a firewall appliance.  It cost a few bucks but much more secure than the NAT from a DSL modem or router.  Articals like these are always good reminders to check our networks. 

The sad truth is many manufacturers are so eager to give us online this or that they forget or ignore security concerns to get their products working or just out to market.  I went through this with of all companies Microsoft and an Xbox.  It's quite a gymnastic task getting the right ports open so you can communicate with their servers.  This holds true for items like a streaming media player.  Since I don't want manufacturers snooping around my network I finally tossed much of that stuff into a DMZ and monitored it for outbound traffic when I wasn't using it.   A sub 500 dollar firewall might seem like alot of money just think of the cost of having someone steal or delete your stuff.  No network is truly safe these days but at least you can send the majority looking for easier pray.  I especially recommend a firewall for even the smallest of businesses.  Now if I could only convince people that yes the first password I will try when hacking your system is "Password".
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/28/2014 | 3:55:38 PM
Re: Assessment Tools
Hi there David--Cool project! One common theme I've seen with a lot of the home automation stuff is that you need local/physical access to compromise these devices. How much did physical access play in your research? 

BTW, good thing you didn't mess with the kids' TV. 
Stratustician
50%
50%
Stratustician,
User Rank: Strategist
8/28/2014 | 9:14:00 AM
Re: Assessment Tools
Great idea to put these devices in a DMZ or VLAN isolated from everything else.  While I am sure the hacker community has better things to do right now than target these devices, I am sure as more folks start linking cloud storage to them, or even local storage, the interest will increase significantly and we'll start to see more malware targeted towards these devices.
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:59:37 PM
Re: Assessment Tools
Ryan, well, the problem with most IoT device is that you have very little control over them, but the most effective way to minimize the post-exploitation phase, and also minimize the risk that someone actually take advantage of these vulnerabilities is to put all your IoT devices in a seperate DMZ / VLAN, and restrict access TO the Internet from these devices.

Why would your printer or NAS need internet access? Maybe for updates? But then you can enable access to the update servers. 

 

But putting them in a restricted DMZ seems to bean effecting option right now.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/27/2014 | 3:55:34 PM
Re: Assessment Tools & Lock down
Point taken! Hopefully the manufacturers (someday) will take care of those minor details.

:-)
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-5522
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6025. Reason: This candidate is a reservation duplicate of CVE-2014-6025. Notes: All CVE users should reference CVE-2014-6025 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-5523
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5524. Reason: This candidate is a duplicate of CVE-2014-5524. Notes: All CVE users should reference CVE-2014-5524 instead of this candidate. All references and descriptions in this candidate have been removed to prevent acciden...

CVE-2014-5575
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

CVE-2014-5665
Published: 2014-09-22
The Mzone Login (aka com.mr384.MzoneLogin) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio