Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How I Hacked My Home, IoT Style
Threaded  |  Newest First  |  Oldest First
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/27/2014 | 12:31:29 PM
Assessment Tools
Interesting article.

What tools did you use to discover the vulnerabilities. (Kismet, nessus, etc) And when performing the tests, did you take the mindset of an attacker? Meaning treating this as if you had no inner intel or did you do this as a how am I vulnerable from each vector that is already known to the home owner?

I think these are important tests for anyone to run. Also, we need to ingrain security from the development stage. This comment is directed at the non-encrypted data transit from the smart tv. If we don't make this a priority as the consumer than organizations may be reluctant to change.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/27/2014 | 3:33:03 PM
Re: Assessment Tools & Lock down
David , were you able to lock down your home network -- or any part of it? Also please keep us posted on what you hear back from vendors about their efforts on developing patches .
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:47:55 PM
Re: Assessment Tools & Lock down
Hi Marilyn,


Thank you for your comments... Well what do you mean with "lock down" my home network. Once one of the devices which were on my local network, i could have performed various attacks to make the network unaccessible, such as DoS attacks.


I could also have deleted all the data on the storage device, and i mean ALL data, i could have crashed the entire device, probably same thing for the other devices such as TV. Due to the cost of the device, i did not want to do that :) And i did not want to explain for the kids why the TV was broken :)
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/27/2014 | 3:55:34 PM
Re: Assessment Tools & Lock down
Point taken! Hopefully the manufacturers (someday) will take care of those minor details.

:-)
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:52:02 PM
Re: Assessment Tools
Ryan, thank you for your comment.

 

I did not really use any tools in that way. The only "tools" i used where nmap, telnet, netcat, perl, python and my web browser with the "Live HTTP headers" extension installed.

During the audit i developed my own tools on a regular basis to automate some of the tests i wanted to perform. I personally do not have strong faith in the open source "hacking" tools. When you want to audit large networks, they might be useful. but when you only have a handful of devices, its much better with a minimalistic approach.

I am pretty sure any vulnerabiluty scanner would jum pof the roof when it comes to missing security patches, but remember, all the vulnerabilities i discovered were new, and had not been discovered before. Then these tools such as Nessus, does not really work.

 

I hope this helps:)
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:52:27 PM
Re: Assessment Tools
Ryan, thank you for your comment.

 

I did not really use any tools in that way. The only "tools" i used where nmap, telnet, netcat, perl, python and my web browser with the "Live HTTP headers" extension installed.

During the audit i developed my own tools on a regular basis to automate some of the tests i wanted to perform. I personally do not have strong faith in the open source "hacking" tools. When you want to audit large networks, they might be useful. but when you only have a handful of devices, its much better with a minimalistic approach.

I am pretty sure any vulnerabiluty scanner would jum pof the roof when it comes to missing security patches, but remember, all the vulnerabilities i discovered were new, and had not been discovered before. Then these tools such as Nessus, does not really work.

 

I hope this helps:)
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/27/2014 | 3:54:52 PM
Re: Assessment Tools
It does, thanks!

What would you recommend for something where you have little control such as the unencrypted smart tv? What are the mitigation options?
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:59:37 PM
Re: Assessment Tools
Ryan, well, the problem with most IoT device is that you have very little control over them, but the most effective way to minimize the post-exploitation phase, and also minimize the risk that someone actually take advantage of these vulnerabilities is to put all your IoT devices in a seperate DMZ / VLAN, and restrict access TO the Internet from these devices.

Why would your printer or NAS need internet access? Maybe for updates? But then you can enable access to the update servers. 

 

But putting them in a restricted DMZ seems to bean effecting option right now.
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
8/28/2014 | 9:14:00 AM
Re: Assessment Tools
Great idea to put these devices in a DMZ or VLAN isolated from everything else.  While I am sure the hacker community has better things to do right now than target these devices, I am sure as more folks start linking cloud storage to them, or even local storage, the interest will increase significantly and we'll start to see more malware targeted towards these devices.
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/29/2014 | 7:22:57 AM
Re: Assessment Tools
Hola!

Thanks for your comment and i agree that these attacks are not very popular. Thats not the point. Please read my entire article at Securelist and you will understand.

 

http://securelist.com/analysis/publications/66207/iot-how-i-hacked-my-home/
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/28/2014 | 3:55:38 PM
Re: Assessment Tools
Hi there David--Cool project! One common theme I've seen with a lot of the home automation stuff is that you need local/physical access to compromise these devices. How much did physical access play in your research? 

BTW, good thing you didn't mess with the kids' TV. 
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/29/2014 | 7:20:20 AM
Re: Assessment Tools
Hola Kelly,

Ill paste you the answer i gave to another user here, it applies on your question too:

Just a small note, event that these devices where located on my local network, i could trigger the vulnerabilities remotely by a simple JavaScript. When any "real" device, such as a laptop, visisted my malicious website, the vulnerabilities in the storage device was triggered, and i would access the local area network again.


Once again, i think one of the best options here, is to restrict access to the Internet for the devices.

But to develop my JavaScript i still needed some information about the local area network.
Cybdiver
100%
0%
Cybdiver,
User Rank: Apprentice
8/28/2014 | 4:22:48 PM
Re: Assessment Tools
I went through the same drama at home, and then went and invested in a firewall appliance.  It cost a few bucks but much more secure than the NAT from a DSL modem or router.  Articals like these are always good reminders to check our networks. 

The sad truth is many manufacturers are so eager to give us online this or that they forget or ignore security concerns to get their products working or just out to market.  I went through this with of all companies Microsoft and an Xbox.  It's quite a gymnastic task getting the right ports open so you can communicate with their servers.  This holds true for items like a streaming media player.  Since I don't want manufacturers snooping around my network I finally tossed much of that stuff into a DMZ and monitored it for outbound traffic when I wasn't using it.   A sub 500 dollar firewall might seem like alot of money just think of the cost of having someone steal or delete your stuff.  No network is truly safe these days but at least you can send the majority looking for easier pray.  I especially recommend a firewall for even the smallest of businesses.  Now if I could only convince people that yes the first password I will try when hacking your system is "Password".
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/29/2014 | 7:18:55 AM
Re: Assessment Tools
Hi Cybdiver,

 

Just a small note, event that these devices where located on my local network, i could trigger the vulnerabilities remotely by a simple JavaScript. When any "real" device, such as a laptop, visisted my malicious website, the vulnerabilities in the storage device was triggered, and i would access the local area network again.


Once again, i think one of the best options here, is to restrict access to the Internet for the devices.
Cybdiver
50%
50%
Cybdiver,
User Rank: Apprentice
8/29/2014 | 8:19:58 AM
Re: Assessment Tools
Restricting access to the internet does not seem likely except during a test phase.   I notice that even the smallest of storage devices these days shouts out to the net checking to see if it's software is up to date.  Also many newer devices are selling home cloud solutions.

You and I are probably among the few that go to the extent of trying to lock down a network.  Most folks just plug gear in and go with it.  I've even come across that at larger companies.  Their IT staff is overloaded with just keepign the users working and printers full of ink they take a firewall install it with defaults and figure that's good enough.  I'm kinda grateful they do that. 
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
8/29/2014 | 9:28:16 AM
Re: Assessment Tools
Curious to know how many of the techniques described here would translate to an enterprise security manager suddenly faced with managing so many non-computer devices? What will be the effects of IoT in the business?


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5669
PUBLISHED: 2021-10-26
Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
CVE-2021-40343
PUBLISHED: 2021-10-26
An issue was discovered in Nagios XI 5.8.5. Insecure file permissions on the nagios_unbundler.py file allow the nagios user to elevate their privileges to the root user.
CVE-2021-40344
PUBLISHED: 2021-10-26
An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.
CVE-2021-40345
PUBLISHED: 2021-10-26
An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.
CVE-2021-42343
PUBLISHED: 2021-10-26
An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (ty...