Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/27/2014
12:00 PM
David Jacoby
David Jacoby
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How I Hacked My Home, IoT Style

It didn't take long to find a score of vulnerabilities in my home entertainment, gaming, and network storage systems.

Very often new terms get over-hyped in the IT security industry. Today, as we all look to find out more about the Internet of Things, the typical residence can easily have five devices connected to a home network that aren't computers, tablets, or cellphones. As users in this connected environment, we need to ask ourselves "What's the current threat level?" and "How vulnerable am I?"

Most people know what a computer virus is, that we should have strong passwords, and that it's important to install the latest security patches. But many of us (even those with an IT-security mindset) still focus primarily on protecting our traditional endpoints and forget that there are other devices connected to our networks.

For this reason, I decided to conduct research that would identify how easy it would be to hack my own home. Are the devices connected to my network vulnerable? What could an attacker actually do if these devices were compromised? Is my home hackable? I determined to look for real, practical, and relevant attack vectors to see whether it was.

During my research I focused on all the "other" devices I have connected to my home network: a smart TV, satellite receiver, DVD/Blu-ray player, network storage devices, and gaming consoles. Before I started, I was pretty sure that my home was pretty secure. I mean, I've been working in the security industry for over 15 years, and I'm quite paranoid when it comes to such things as security patches.

As I started my research, it didn’t take long to figure out just how easy it was to find vulnerabilities in all of the systems. I managed to find 14 vulnerabilities in the network attached storage, one vulnerability in the Smart TV, and several potentially hidden remote control functions in the router.

The most severe vulnerabilities were found in the network-attached storage, several that would allow an attacker to remotely execute system commands with the highest administrative privileges. The tested devices also had weak default passwords; lots of configuration files had the wrong permissions; and they also contained passwords in plain text.

When I investigated the security level of the smart TV I discovered that no encryption was used in communication between the TV and the TV vendor’s servers. I was able to replace an icon of the Smart TV graphic interface with a picture, showing the potential for a man-in-the-middle style of attack. 

The DSL router used to provide wireless Internet access for all other home devices contained several hidden dangerous features that could potentially provide the Internet service provider remote access to any device in my private network. The results were shocking, to say the least.

What I found from my research is that we need to assume that our devices can be, or are already, compromised by attackers who can gain access to them. This applies to consumers as well as companies. We need to understand that everything we connect to the network might be a stepping stone for an attacker.

We also need to understand that our information is not secure just because we have a strong password or are running some protection against malicious code. It took me less than 20 minutes to find and verify extremely serious vulnerabilities in a device considered to be secure.

As a community, we need to come up with alternative solutions that can help individuals and companies improve their security. Even though the home entertainment industry might not be focused on security, with just a few simple tips we can all raise the security level a little bit higher. As a side note, all vulnerabilities have been reported to the respective vendors, and they're working on solutions for these products.

Click here for more details on David’s research.

David is a Senior Security Researcher for Kaspersky Lab, with 15 years of experience working in the IT security field. He is responsible for not only research but also technical PR activities in the Nordic and Benelux regions where his tasks often include vulnerability and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/27/2014 | 12:31:29 PM
Assessment Tools
Interesting article.

What tools did you use to discover the vulnerabilities. (Kismet, nessus, etc) And when performing the tests, did you take the mindset of an attacker? Meaning treating this as if you had no inner intel or did you do this as a how am I vulnerable from each vector that is already known to the home owner?

I think these are important tests for anyone to run. Also, we need to ingrain security from the development stage. This comment is directed at the non-encrypted data transit from the smart tv. If we don't make this a priority as the consumer than organizations may be reluctant to change.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/27/2014 | 3:33:03 PM
Re: Assessment Tools & Lock down
David , were you able to lock down your home network -- or any part of it? Also please keep us posted on what you hear back from vendors about their efforts on developing patches .
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:47:55 PM
Re: Assessment Tools & Lock down
Hi Marilyn,


Thank you for your comments... Well what do you mean with "lock down" my home network. Once one of the devices which were on my local network, i could have performed various attacks to make the network unaccessible, such as DoS attacks.


I could also have deleted all the data on the storage device, and i mean ALL data, i could have crashed the entire device, probably same thing for the other devices such as TV. Due to the cost of the device, i did not want to do that :) And i did not want to explain for the kids why the TV was broken :)
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:52:02 PM
Re: Assessment Tools
Ryan, thank you for your comment.

 

I did not really use any tools in that way. The only "tools" i used where nmap, telnet, netcat, perl, python and my web browser with the "Live HTTP headers" extension installed.

During the audit i developed my own tools on a regular basis to automate some of the tests i wanted to perform. I personally do not have strong faith in the open source "hacking" tools. When you want to audit large networks, they might be useful. but when you only have a handful of devices, its much better with a minimalistic approach.

I am pretty sure any vulnerabiluty scanner would jum pof the roof when it comes to missing security patches, but remember, all the vulnerabilities i discovered were new, and had not been discovered before. Then these tools such as Nessus, does not really work.

 

I hope this helps:)
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:52:27 PM
Re: Assessment Tools
Ryan, thank you for your comment.

 

I did not really use any tools in that way. The only "tools" i used where nmap, telnet, netcat, perl, python and my web browser with the "Live HTTP headers" extension installed.

During the audit i developed my own tools on a regular basis to automate some of the tests i wanted to perform. I personally do not have strong faith in the open source "hacking" tools. When you want to audit large networks, they might be useful. but when you only have a handful of devices, its much better with a minimalistic approach.

I am pretty sure any vulnerabiluty scanner would jum pof the roof when it comes to missing security patches, but remember, all the vulnerabilities i discovered were new, and had not been discovered before. Then these tools such as Nessus, does not really work.

 

I hope this helps:)
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/27/2014 | 3:54:52 PM
Re: Assessment Tools
It does, thanks!

What would you recommend for something where you have little control such as the unencrypted smart tv? What are the mitigation options?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/27/2014 | 3:55:34 PM
Re: Assessment Tools & Lock down
Point taken! Hopefully the manufacturers (someday) will take care of those minor details.

:-)
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:59:37 PM
Re: Assessment Tools
Ryan, well, the problem with most IoT device is that you have very little control over them, but the most effective way to minimize the post-exploitation phase, and also minimize the risk that someone actually take advantage of these vulnerabilities is to put all your IoT devices in a seperate DMZ / VLAN, and restrict access TO the Internet from these devices.

Why would your printer or NAS need internet access? Maybe for updates? But then you can enable access to the update servers. 

 

But putting them in a restricted DMZ seems to bean effecting option right now.
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
8/28/2014 | 9:14:00 AM
Re: Assessment Tools
Great idea to put these devices in a DMZ or VLAN isolated from everything else.  While I am sure the hacker community has better things to do right now than target these devices, I am sure as more folks start linking cloud storage to them, or even local storage, the interest will increase significantly and we'll start to see more malware targeted towards these devices.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/28/2014 | 3:55:38 PM
Re: Assessment Tools
Hi there David--Cool project! One common theme I've seen with a lot of the home automation stuff is that you need local/physical access to compromise these devices. How much did physical access play in your research? 

BTW, good thing you didn't mess with the kids' TV. 
Page 1 / 2   >   >>
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7856
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE-2021-28793
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-25679
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
CVE-2021-25680
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
CVE-2021-25681
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...