That Internet-connected Barbie that listens to your kid is hackable. Your ex could stalk you in your car even if it wasn’t designed to be a connected vehicle, and someone could alter your medical dose remotely while you’re in hospital. No wonder the NSA is both excited by IoT and worried about it, in equal measure. If you’re a security pro or a CIO, it’s something you should probably know about.
Craig Young, a security researcher at Tripwire’s Vulnerability and Exposures Research Team (VERT), spends his days analyzing and documenting these flaws, and he keeps finding more things that worry him. The flaws are coming thick and fast, and he’s going to teach SecTor attendees about them in his Internet of Things (IoT) hacking training session at the conference this October.
One of the biggest dangers of the IoT is local connectivity, points out Young. Many connected devices act as web servers, inviting HTTP requests from devices on the local network. That opens a nasty box of horrors, he said.
“Having that ability to talk directly on the local LAN is good for performance because your traffic doesn’t have to go out over the Internet, but it makes for a big attack surface,” he said.
LAN-based dangers
Untrusted devices on the network can probe the device for information, and if your IoT device accepts REST-based API requests, those requests are easy to send, even from a web browser.
“If there’s a problem with that web service and it can be exploited through a web request, it’s quite possible that someone could make some JavaScript to forge that web request,” he said. That means that an untrusted device on the local network could find the IoT device and send it attack traffic.
What does that mean in practice? In many cases, it makes the concept of a ‘smart’ TV an oxymoron. One unit he saw contained a flaw that let anyone on the network launch the YouTube app while injecting a parameter that loaded an arbitrary web page, which could then serve its own content. The web browser in the TV was an ancient version of Opera with Flash plugins, making it easily pwned.
“From there you’d have control of everything because none of the TVs I have analysed have anything other than a root user on them,” he pointed out.
Why is that? Because often, IoT device manufacturers are building their software around sample code from the board manufacturers, rather than hardening it first.
TVs should also simply avoid arbitrary access from other devices on the local network, he added, pointing out that Samsung’s TVs require you to establish a trusted connection with a smartphone.
These devices mainly pose risks to residential users right now. You probably want to be careful what you do in front of a TV’s camera, for example.
There is potential for corporate compromise too, though. Smart TVs connected in the boardroom could be used to listen in on private conversations.
“A lot of offices I’m sure have televisions with microphones that are listening, maybe cameras that are watching in their boardrooms. The risk of intellectual property theft is quite substantial,” he said.
If TVs get networked onto trusted corporate Wi-Fi they could also become a foothold into the company network, he added.
Finding flaws
Young has seen other major flaws this year, including a baby monitor that would begin broadcasting its own insecure Wi-Fi SSID if it was kicked off the local network. This would enable attackers to connect with it and view the audio-visual stream. It also contained hard-coded credentials that would allow an attacker to move the camera around and even talk through it.
Here’s another one: IoT devices that allow people to downgrade their firmware. Last year, at Tripwire’s IoT Hack Lab, Young and his team worked with a conference attendee who spent most of the day at the booth evaluating a product.
The attendee found a command injection vulnerability in it that the vendor had already addressed in the latest firmware update, so Tripwire sent him home with the device to work on it further. He figured out a way to force a firmware downgrade on the device which would allow him to carry out his original attack.
“Using cryptographically-signed firmware with enforced version checks is good,” Young said, “but more importantly, an unauthenticated user was able to access the upgrade mechanism.” The vendor is still busy fixing that zero-day at the time of writing.
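The three gates Young describes, as an added example that is not Tripwire’s or any vendor’s code: a constructed Python update check that requires an authenticated session, verifies the image before trusting its contents, and refuses any image whose version is not newer than the one installed. The image layout, key and version numbers are assumptions, and HMAC-SHA256 stands in for the asymmetric signature a real device would verify against a public key baked into its boot chain.

```python
import hashlib
import hmac
import struct

# Constructed image format (an assumption, not any vendor's):
#   [4-byte big-endian version][payload][32-byte HMAC-SHA256 tag over version+payload]
# HMAC is a stand-in for a real asymmetric firmware signature; a device holding only
# a public key could not mint new images, which is the property you actually want.
TAG_LEN = 32


def build_image(version: int, payload: bytes, key: bytes) -> bytes:
    """Package a payload the way the (assumed) vendor signing step would."""
    body = struct.pack(">I", version) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_update(image: bytes, installed_version: int,
                 authenticated: bool, key: bytes) -> str:
    """Decide whether an uploaded image may be flashed. Returns a reason string."""
    # Gate 1: the upgrade endpoint itself must be behind authentication. The
    # device in the story skipped this, so every later check was reachable by anyone.
    if not authenticated:
        return "reject: unauthenticated"
    if len(image) < 4 + TAG_LEN:
        return "reject: malformed"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # Gate 2: verify before parsing anything else, with a constant-time compare.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "reject: bad signature"
    version = struct.unpack(">I", body[:4])[0]
    # Gate 3: a validly signed old image is still a downgrade; versions must only go up,
    # otherwise a fixed command-injection bug can be reintroduced by reflashing.
    if version <= installed_version:
        return "reject: version %d is not newer than installed %d" % (version, installed_version)
    return "accept: %d" % version
```

Flipping a single payload byte changes the tag check, and resubmitting the previous release is refused even though its signature is genuine.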
This year at SecTor, the IoT Hack Lab will be back in an expanded form, with several new devices. Young’s training session will prep you for that work, covering firmware analysis, shell access and the mining of additional attack vectors.
Fancy trying your hand at IoT hacking? Then register for the SecTor conference in Toronto on Oct 17-19 2016 to work with the guys at Tripwire and prepare yourself for the IoT security battle.