Current Filter: Network>>>>>Feature>

   

With the Internet of Things (IoT) rapidly becoming part of our vocabulary, companies are eager to jump on the bandwagon and deliver a new generation of connected devices. But in this race to market, not for the first time, many manufacturers are only looking to make things work, rather than making things work securely. Start-ups in particular appear to view security as an extra to be bolted on if required.

To explore this we chose five commercially available IP-connected products and were able to compromise all of them. Poor authentication was a common weakness running through the smart light bulbs, IP camera, network attached storage (NAS), wireless printer and even a child's internet rabbit toy. By exploiting weaknesses it was possible to gain access to wireless router passwords and encryption keys, allowing us to take control of the devices remotely and expand our compromise to the network behind the devices.

In the case of the IP camera, we were able to hijack the video stream and control the camera from a mobile app. The smart light bulbs use a mesh network based on the 802.15.4 wireless protocol, popular for inter-IoT device communication. While the bulbs used AES 128 encryption, using a combination of hardware hacking, protocol analysis and reverse engineering, we could extract the AES encryption details to decrypt the data and request Wi-Fi credentials to connect to a secured wireless network.

When it came to the printer, we remotely accessed the web interface and modified the firmware from the internet to run custom code. In addition to simply printing out hundreds of copies, we updated the printer with a Trojan image, making it possible to spy on documents being printed and establish a gateway into the printer's network.

The story is similar with the other devices we looked at and in each case, suppliers were notified and have either released fixes or are investigating the issues. But the relevance to enterprise information security professionals is clear. All these devices have parallels in corporate environments with very similar underlying embedded technology.

Many building management systems use similar mesh networks to the light bulb, creating the risk that hackers will open fire exits remotely, for example. Consumer NAS devices correspond to network storage in the enterprise with the risk of file disclosure, while internet attached printers risk data disclosure. Scanning the internet, we were able to find around 14,000 NAS interfaces vulnerable to an exploit, allowing a hacker to login as root and change the username and password.

While corporate networks are normally protected by enterprise-level security, devices such as printers with out of the box credentials, can still make them fairly easy to compromise. Furthermore, patching of anything that's not a standard computer is flaky at best, despite the fact that they are vulnerable and valuable targets. An IoT device could be a good place for a hacker to stay hidden from network security and malicious code would be hard to find.

A lot of these IoT devices are as powerful as the computers we had on our desks ten years ago. While for cyber-criminals, the pay-off for hacking home devices is not obvious, standard tool kits will emerge and increase the risk of attack. If there are a million printers on the Internet all with the same vulnerability, perhaps it's worth the effort. You could also create a botnet for spamming, DDoS attacks, or simply to hide traffic.

High profile hacks may seriously damage consumer trust in IoT technology before it takes off. The enterprise must learn the lessons from this insight with consumer devices before the Internet of Things starts to threaten our corporate networks. NC