
IoT/Embedded Security

5/24/2018 11:05 AM
Jeffrey Burt

IoT Security Concerns Include Pet Trackers, Kaspersky Finds

Kaspersky Lab researchers found that weaknesses in BLE and in the Android apps that run pet trackers can enable attackers to access user data from the IoT devices.

The tens of billions of connected devices that make up the Internet of Things (IoT) have become a key concern of security researchers, and now that concern includes smart devices made for pets.

In particular, many trackers that are used to monitor the location of pets can be an avenue for cybercriminals to gain access to the pet owners' networks and phones and to such data as a user's password, login, name and email address, authentication tokens and device coordinates, according to Kaspersky Lab researchers.

The vulnerabilities found within the seven pet tracking products tested by Kaspersky are another proof point of the dangers of unsecured devices connecting to networks and the Internet, particularly as the number of such devices -- both consumer and commercial -- continues to explode.

The Mirai malware was an example.

Discovered in 2016, the botnet malware launched distributed denial-of-service (DDoS) attacks against several websites by taking control of such IoT devices as routers, digital video recorders and security cameras. (See OMG: Mirai Botnet Finds New Life, Again.)

"The growing number of malware targeting IoT devices and related security incidents demonstrates how serious the problem of smart device security is," Roman Unuchek, senior malware analyst at Kaspersky, told Security Now in an email. "The past two years have shown that these threats are not just conceptual but are in fact very real. The Mirai botnet demonstrated that smart devices can be used for cybercriminals to launch powerful attacks. Today, there are billions of these devices globally, and by 2020 this number will grow to 20-50 billion devices, according to predictions by various analysts. The security challenges presented by IoT are significant, exponentially increasing and constantly evolving."

Organizations seem to understand the threats, according to Gartner analysts.

In March, they noted that a survey found that almost 20 percent of organizations saw at least one IoT-based attack at some point over the past three years. In addition, the analysts said that spending on IoT security worldwide will grow from almost $1.2 billion in 2017 to more than $3.1 billion by 2021. Because companies don't control the software and hardware used in these intelligent connected devices, spending will focus on tools and services for discovery and asset management, security assessment and penetration testing, they said. (See Increased IoT Use Causing Added Enterprise Security Concerns Report.)

Trouble with BLE
With the pet trackers, Kaspersky researchers found a variety of vulnerabilities that attackers could exploit to gain access to user data. A key technology used by many of the trackers tested was Bluetooth Low Energy (BLE), a power-saving Bluetooth connectivity specification that is used in many IoT devices. In a blog post, Unuchek and Kaspersky security expert Roland Sako called BLE "the weak spot in the device's protective armor."

"Unlike 'classic' Bluetooth, where peer devices are connected using a PIN code, BLE is aimed at non-peer devices, one of which may not have a screen or keyboard," Unuchek and Sako wrote. "Thus, PIN code protection is not implemented in BLE -- authentication depends entirely on the developers of the device, and experience shows that it is often neglected."

In addition, the BLE specification builds data transfer between non-peer devices -- in this case, a smartphone on one end and a tracker on the other -- on services, characteristics and descriptors. Once a connection is made, the tracker's BLE services are available to the smartphone; each service contains characteristics, a characteristic can carry descriptors, and both characteristics and descriptors can be used to transfer data.

"Hence, the correct approach to device security in the case of BLE involves pre-authentication before characteristics and descriptors are made available for reading and writing," the two researchers wrote. "Moreover, it is good practice to break the link shortly after connecting if the pre-authentication stage is not passed. In this case, authentication should be based on something secret that is not accessible to the attacker -- for example, the first part of the data can be encrypted with a specific key on the server (rather than the app) side. Or transmitted data and the MAC address of the connected device can be confirmed via additional communication channels, for example, a built-in SIM card."
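The gating the researchers describe (no characteristic readable or writable until a pre-authentication step succeeds, and the link dropped if that step is not passed) can be modelled without a real Bluetooth stack. The following is an added example, not code from the article or from Kaspersky: a toy GATT layer in which the tracker holds a shared key that is also known to the vendor's server but never to the phone app, the phone relays a challenge to that server, and only a valid HMAC response unlocks the data characteristics. The characteristic UUIDs, key and timeout values are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder UUIDs for the tracker's characteristics (not real product values).
NONCE_CHAR = "0000ff01-0000-1000-8000-00805f9b34fb"      # readable before auth: per-connection challenge
AUTH_CHAR = "0000ff02-0000-1000-8000-00805f9b34fb"       # writable before auth: HMAC(key, nonce)
LOCATION_CHAR = "0000ff03-0000-1000-8000-00805f9b34fb"   # protected: device coordinates
CONFIG_CHAR = "0000ff04-0000-1000-8000-00805f9b34fb"     # protected: device settings

AUTH_TIMEOUT_S = 5.0   # assumed: drop the link if nobody authenticates within 5 s of connecting
MAX_FAILURES = 3       # assumed: drop the link after three bad responses


class AuthError(Exception):
    """Raised when an unauthenticated central touches a protected characteristic."""


class TrackerPeripheral:
    """Toy model of the tracker's GATT server with a pre-authentication gate."""

    def __init__(self, shared_key: bytes, now=time.monotonic):
        self._key = shared_key          # shared with the vendor server only, never with the app
        self._now = now                 # injectable clock so the timeout can be tested offline
        self._store = {LOCATION_CHAR: b"lat=0,lon=0", CONFIG_CHAR: b"interval=60"}
        self.connected = False
        self.authenticated = False
        self.last_disconnect_reason = None

    def on_connect(self):
        self.connected = True
        self.authenticated = False
        self._nonce = secrets.token_bytes(16)   # fresh challenge per connection defeats replay
        self._connected_at = self._now()
        self._failures = 0

    def disconnect(self, reason: str):
        self.connected = False
        self.authenticated = False
        self.last_disconnect_reason = reason

    def tick(self):
        """Called periodically by the firmware: break the link if pre-auth never completed."""
        if self.connected and not self.authenticated and self._now() - self._connected_at > AUTH_TIMEOUT_S:
            self.disconnect("auth timeout")

    def _check_gate(self, uuid: str):
        if not self.connected:
            raise AuthError("not connected")
        if uuid in (NONCE_CHAR, AUTH_CHAR):
            return                       # the only characteristics exposed before authentication
        self.tick()
        if not self.authenticated:
            raise AuthError("authenticate first")

    def read(self, uuid: str) -> bytes:
        self._check_gate(uuid)
        return self._nonce if uuid == NONCE_CHAR else self._store[uuid]

    def write(self, uuid: str, value: bytes) -> bool:
        self._check_gate(uuid)
        if uuid != AUTH_CHAR:
            self._store[uuid] = value
            return True
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, value):
            self.authenticated = True
            return True
        self._failures += 1
        self._nonce = secrets.token_bytes(16)   # a failed guess never gets a second try at the same nonce
        if self._failures >= MAX_FAILURES:
            self.disconnect("too many auth failures")
        return False


def server_sign(server_key: bytes, nonce: bytes) -> bytes:
    """Vendor-server side: the only place (besides the tracker) that holds the key."""
    return hmac.new(server_key, nonce, hashlib.sha256).digest()


def phone_authenticate(periph: TrackerPeripheral, server_key: bytes) -> bool:
    """Phone app: read the challenge, have the server answer it, write the answer back."""
    nonce = periph.read(NONCE_CHAR)
    return periph.write(AUTH_CHAR, server_sign(server_key, nonce))


if __name__ == "__main__":
    key = b"constructed-shared-key"
    tracker = TrackerPeripheral(key)
    tracker.on_connect()
    print("authenticated:", phone_authenticate(tracker, key))
    print("location:", tracker.read(LOCATION_CHAR))
```

The design point is that an attacker who has the app (and can read its code) still learns nothing that unlocks the tracker: the HMAC key lives on the tracker and on the vendor's server, the app only relays a challenge and response, and a central that connects and does nothing is dropped on the next `tick()`.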

The level of security varied among the trackers tested, and connectivity wasn't the only weakness found in many of them, the Kaspersky researchers found.

MiM attacks
For some, there were issues with the Android app that was used with the tracker. In some instances, the app logs data -- which includes the user's password, login and authentication token -- that is sent to the server, while in others the app's developers did not disable logging. In one, the app doesn't verify the server's HTTPS certificate, making it vulnerable to man-in-the-middle (MiM) attacks.

In some trackers there is a lack of authentication, which opens them up to attackers, while in one instance the integrity control was easy to bypass during the updating of the device's firmware.

"It's unclear why certain companies or vendors skip security implementations," Unuchek told Security Now. "In most cases, it should take not much time to add authentication or access control in Bluetooth Low Energy (BLE) communication. Other security features should be even easier to add. SSL pinning is a very simple feature to implement, and it can prevent MiM attacks. In addition, disabling logging in the app should take seconds."
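The two app-side defects above (an HTTPS client that skips certificate verification, and credentials and tokens written to the log) each have a short fix. The following is an added example, not code from the article or from any of the vendors tested; it is written with Python's standard library rather than the Android APIs the apps would actually use, so the ideas carry over rather than the calls. It shows the weak TLS setting beside the corrected one, a certificate pin enforced after normal verification, and a logging filter that redacts secret fields. The pinned hash is a constructed placeholder, and the field names redacted are the ones the article lists.

```python
import hashlib
import logging
import re
import socket
import ssl

# Constructed placeholder: a real app would embed the SHA-256 of its server's actual
# DER certificate (or, more commonly, of its SubjectPublicKeyInfo).
PINNED_CERT_SHA256 = {hashlib.sha256(b"constructed-der-certificate").hexdigest()}


def insecure_context() -> ssl.SSLContext:
    """What 'doesn't verify the server's certificate' amounts to: any cert, any name is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Default context already requires a valid chain and matching hostname; just pin the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_matches_pin(der_cert: bytes, pins=PINNED_CERT_SHA256) -> bool:
    """Certificate pinning in its simplest form: hash the peer's DER certificate, compare to the pin set."""
    return hashlib.sha256(der_cert).hexdigest() in pins


def open_pinned_connection(host: str, port: int = 443) -> ssl.SSLSocket:
    """Connect with full verification, then enforce the pin on top; close on any failure."""
    tls = hardened_context().wrap_socket(socket.create_connection((host, port), timeout=10),
                                         server_hostname=host)
    try:
        if not cert_matches_pin(tls.getpeercert(binary_form=True)):
            raise ssl.SSLError("server certificate does not match the pinned hash")
    except Exception:
        tls.close()
        raise
    return tls


# Matches password/login/token fields in JSON bodies ("password":"x") and query strings (password=x).
SECRET_FIELDS = re.compile(r'(?i)("?(?:password|login|token)"?\s*[:=]\s*"?)([^",&\s]+)')


def redact(text: str) -> str:
    """Replace the value of every secret field with a fixed marker."""
    return SECRET_FIELDS.sub(r"\1[REDACTED]", text)


class RedactSecrets(logging.Filter):
    """Logging filter: whatever reaches a handler has credentials and tokens stripped."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def configure_logging(debug_build: bool) -> logging.Logger:
    """Release builds log warnings only; every build redacts. Returns the configured logger."""
    log = logging.getLogger("tracker-app")
    log.setLevel(logging.DEBUG if debug_build else logging.WARNING)
    log.addFilter(RedactSecrets())
    return log


if __name__ == "__main__":
    log = configure_logging(debug_build=True)
    logging.basicConfig()
    log.debug('sending %s', '{"login":"alice","password":"hunter2","token":"abc123"}')
    print(redact("password=hunter2&token=abc123"))
```

`hardened_context()` is deliberately almost empty: the defect the researchers found is that an app turned verification off, and the fix is mostly to stop doing that. The pin is the extra step Unuchek recommends, and it is checked only after the normal chain and hostname checks have passed, so a pin mismatch is always a hard failure rather than a fallback.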

When it comes to pet trackers and security, users need to be proactive, he said. They should research different trackers, checking websites and reading reviews to determine how secure the devices and their applications are. Users also should read the privacy policy or terms of service after purchase to see what data is being sent back to the company and how it’s used.

Unuchek also encouraged users to choose strong usernames and passwords that are different from those used for other accounts, to use an alias for the account or when naming the paired device, and to keep the device's apps up to date. (See UNC Researchers Pitch Framework to Fight Password Reuse.)


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
