Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How I Hacked My Home, IoT Style
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
8/29/2014 | 9:28:16 AM
Re: Assessment Tools
Curious to know how many of the techniques described here would translate to an enterprise security manager suddenly faced with managing so many non-computer devices? What will be the effects of IoT in the business?
Cybdiver
50%
50%
Cybdiver,
User Rank: Apprentice
8/29/2014 | 8:19:58 AM
Re: Assessment Tools
Restricting access to the internet does not seem likely except during a test phase.   I notice that even the smallest of storage devices these days shouts out to the net checking to see if it's software is up to date.  Also many newer devices are selling home cloud solutions.

You and I are probably among the few that go to the extent of trying to lock down a network.  Most folks just plug gear in and go with it.  I've even come across that at larger companies.  Their IT staff is overloaded with just keepign the users working and printers full of ink they take a firewall install it with defaults and figure that's good enough.  I'm kinda grateful they do that. 
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/29/2014 | 7:22:57 AM
Re: Assessment Tools
Hola!

Thanks for your comment and i agree that these attacks are not very popular. Thats not the point. Please read my entire article at Securelist and you will understand.

 

http://securelist.com/analysis/publications/66207/iot-how-i-hacked-my-home/
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/29/2014 | 7:20:20 AM
Re: Assessment Tools
Hola Kelly,

Ill paste you the answer i gave to another user here, it applies on your question too:

Just a small note, event that these devices where located on my local network, i could trigger the vulnerabilities remotely by a simple JavaScript. When any "real" device, such as a laptop, visisted my malicious website, the vulnerabilities in the storage device was triggered, and i would access the local area network again.


Once again, i think one of the best options here, is to restrict access to the Internet for the devices.

But to develop my JavaScript i still needed some information about the local area network.
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/29/2014 | 7:18:55 AM
Re: Assessment Tools
Hi Cybdiver,

 

Just a small note, event that these devices where located on my local network, i could trigger the vulnerabilities remotely by a simple JavaScript. When any "real" device, such as a laptop, visisted my malicious website, the vulnerabilities in the storage device was triggered, and i would access the local area network again.


Once again, i think one of the best options here, is to restrict access to the Internet for the devices.
Cybdiver
100%
0%
Cybdiver,
User Rank: Apprentice
8/28/2014 | 4:22:48 PM
Re: Assessment Tools
I went through the same drama at home, and then went and invested in a firewall appliance.  It cost a few bucks but much more secure than the NAT from a DSL modem or router.  Articals like these are always good reminders to check our networks. 

The sad truth is many manufacturers are so eager to give us online this or that they forget or ignore security concerns to get their products working or just out to market.  I went through this with of all companies Microsoft and an Xbox.  It's quite a gymnastic task getting the right ports open so you can communicate with their servers.  This holds true for items like a streaming media player.  Since I don't want manufacturers snooping around my network I finally tossed much of that stuff into a DMZ and monitored it for outbound traffic when I wasn't using it.   A sub 500 dollar firewall might seem like alot of money just think of the cost of having someone steal or delete your stuff.  No network is truly safe these days but at least you can send the majority looking for easier pray.  I especially recommend a firewall for even the smallest of businesses.  Now if I could only convince people that yes the first password I will try when hacking your system is "Password".
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/28/2014 | 3:55:38 PM
Re: Assessment Tools
Hi there David--Cool project! One common theme I've seen with a lot of the home automation stuff is that you need local/physical access to compromise these devices. How much did physical access play in your research? 

BTW, good thing you didn't mess with the kids' TV. 
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
8/28/2014 | 9:14:00 AM
Re: Assessment Tools
Great idea to put these devices in a DMZ or VLAN isolated from everything else.  While I am sure the hacker community has better things to do right now than target these devices, I am sure as more folks start linking cloud storage to them, or even local storage, the interest will increase significantly and we'll start to see more malware targeted towards these devices.
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:59:37 PM
Re: Assessment Tools
Ryan, well, the problem with most IoT device is that you have very little control over them, but the most effective way to minimize the post-exploitation phase, and also minimize the risk that someone actually take advantage of these vulnerabilities is to put all your IoT devices in a seperate DMZ / VLAN, and restrict access TO the Internet from these devices.

Why would your printer or NAS need internet access? Maybe for updates? But then you can enable access to the update servers. 

 

But putting them in a restricted DMZ seems to bean effecting option right now.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/27/2014 | 3:55:34 PM
Re: Assessment Tools & Lock down
Point taken! Hopefully the manufacturers (someday) will take care of those minor details.

:-)
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-35499
PUBLISHED: 2021-10-26
The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Stored Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim...
CVE-2021-41182
PUBLISHED: 2021-10-26
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now t...
CVE-2021-41183
PUBLISHED: 2021-10-26
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now al...
CVE-2021-41184
PUBLISHED: 2021-10-26
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a...
CVE-2021-41185
PUBLISHED: 2021-10-26
Mycodo is an environmental monitoring and regulation system. An exploit in versions prior to 8.12.7 allows anyone with access to endpoints to download files outside the intended directory. A patch has been applied and a release made. Users should upgrade to version 8.12.7. As a workaround, users may...