Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/27/2014
12:00 PM
David Jacoby
David Jacoby
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How I Hacked My Home, IoT Style

It didn't take long to find a score of vulnerabilities in my home entertainment, gaming, and network storage systems.

Very often new terms get over-hyped in the IT security industry. Today, as we all look to find out more about the Internet of Things, the typical residence can easily have five devices connected to a home network that aren't computers, tablets, or cellphones. As users in this connected environment, we need to ask ourselves "What's the current threat level?" and "How vulnerable am I?"

Most people know what a computer virus is, that we should have strong passwords, and that it's important to install the latest security patches. But many of us (even those with an IT-security mindset) still focus primarily on protecting our traditional endpoints and forget that there are other devices connected to our networks.

For this reason, I decided to conduct research that would identify how easy it would be to hack my own home. Are the devices connected to my network vulnerable? What could an attacker actually do if these devices were compromised? Is my home hackable? I determined to look for real, practical, and relevant attack vectors to see whether it was.

During my research I focused on all the "other" devices I have connected to my home network: a smart TV, satellite receiver, DVD/Blu-ray player, network storage devices, and gaming consoles. Before I started, I was pretty sure that my home was pretty secure. I mean, I've been working in the security industry for over 15 years, and I'm quite paranoid when it comes to such things as security patches.

As I started my research, it didn’t take long to figure out just how easy it was to find vulnerabilities in all of the systems. I managed to find 14 vulnerabilities in the network attached storage, one vulnerability in the Smart TV, and several potentially hidden remote control functions in the router.

The most severe vulnerabilities were found in the network-attached storage, several that would allow an attacker to remotely execute system commands with the highest administrative privileges. The tested devices also had weak default passwords; lots of configuration files had the wrong permissions; and they also contained passwords in plain text.

When I investigated the security level of the smart TV I discovered that no encryption was used in communication between the TV and the TV vendor’s servers. I was able to replace an icon of the Smart TV graphic interface with a picture, showing the potential for a man-in-the-middle style of attack. 

The DSL router used to provide wireless Internet access for all other home devices contained several hidden dangerous features that could potentially provide the Internet service provider remote access to any device in my private network. The results were shocking, to say the least.

What I found from my research is that we need to assume that our devices can be, or are already, compromised by attackers who can gain access to them. This applies to consumers as well as companies. We need to understand that everything we connect to the network might be a stepping stone for an attacker.

We also need to understand that our information is not secure just because we have a strong password or are running some protection against malicious code. It took me less than 20 minutes to find and verify extremely serious vulnerabilities in a device considered to be secure.

As a community, we need to come up with alternative solutions that can help individuals and companies improve their security. Even though the home entertainment industry might not be focused on security, with just a few simple tips we can all raise the security level a little bit higher. As a side note, all vulnerabilities have been reported to the respective vendors, and they're working on solutions for these products.

Click here for more details on David’s research.

David is a Senior Security Researcher for Kaspersky Lab, with 15 years of experience working in the IT security field. He is responsible for not only research but also technical PR activities in the Nordic and Benelux regions where his tasks often include vulnerability and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/27/2014 | 3:54:52 PM
Re: Assessment Tools
It does, thanks!

What would you recommend for something where you have little control such as the unencrypted smart tv? What are the mitigation options?
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:52:27 PM
Re: Assessment Tools
Ryan, thank you for your comment.

 

I did not really use any tools in that way. The only "tools" i used where nmap, telnet, netcat, perl, python and my web browser with the "Live HTTP headers" extension installed.

During the audit i developed my own tools on a regular basis to automate some of the tests i wanted to perform. I personally do not have strong faith in the open source "hacking" tools. When you want to audit large networks, they might be useful. but when you only have a handful of devices, its much better with a minimalistic approach.

I am pretty sure any vulnerabiluty scanner would jum pof the roof when it comes to missing security patches, but remember, all the vulnerabilities i discovered were new, and had not been discovered before. Then these tools such as Nessus, does not really work.

 

I hope this helps:)
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:52:02 PM
Re: Assessment Tools
Ryan, thank you for your comment.

 

I did not really use any tools in that way. The only "tools" i used where nmap, telnet, netcat, perl, python and my web browser with the "Live HTTP headers" extension installed.

During the audit i developed my own tools on a regular basis to automate some of the tests i wanted to perform. I personally do not have strong faith in the open source "hacking" tools. When you want to audit large networks, they might be useful. but when you only have a handful of devices, its much better with a minimalistic approach.

I am pretty sure any vulnerabiluty scanner would jum pof the roof when it comes to missing security patches, but remember, all the vulnerabilities i discovered were new, and had not been discovered before. Then these tools such as Nessus, does not really work.

 

I hope this helps:)
davidjacoby
50%
50%
davidjacoby,
User Rank: Author
8/27/2014 | 3:47:55 PM
Re: Assessment Tools & Lock down
Hi Marilyn,


Thank you for your comments... Well what do you mean with "lock down" my home network. Once one of the devices which were on my local network, i could have performed various attacks to make the network unaccessible, such as DoS attacks.


I could also have deleted all the data on the storage device, and i mean ALL data, i could have crashed the entire device, probably same thing for the other devices such as TV. Due to the cost of the device, i did not want to do that :) And i did not want to explain for the kids why the TV was broken :)
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/27/2014 | 3:33:03 PM
Re: Assessment Tools & Lock down
David , were you able to lock down your home network -- or any part of it? Also please keep us posted on what you hear back from vendors about their efforts on developing patches .
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/27/2014 | 12:31:29 PM
Assessment Tools
Interesting article.

What tools did you use to discover the vulnerabilities. (Kismet, nessus, etc) And when performing the tests, did you take the mindset of an attacker? Meaning treating this as if you had no inner intel or did you do this as a how am I vulnerable from each vector that is already known to the home owner?

I think these are important tests for anyone to run. Also, we need to ingrain security from the development stage. This comment is directed at the non-encrypted data transit from the smart tv. If we don't make this a priority as the consumer than organizations may be reluctant to change.
<<   <   Page 2 / 2
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30477
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
CVE-2021-30478
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
CVE-2021-30479
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
CVE-2021-30487
PUBLISHED: 2021-04-15
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
CVE-2020-36288
PUBLISHED: 2021-04-15
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...