A new whitepaper from security business Rapid7 shows the potential risks inherent in the Internet of Things (IoT). The whitepaper shows how easily ‘dumb’ devices designed to be connected to the internet can be hacked and used as a gateway to hack corporate networks further up the chain.
The whitepaper looked at baby monitors, evaluating nine different devices from eight different vendors, and found numerous security weaknesses and design flaws (hidden, hardcoded credentials, unencrypted video streaming, unencrypted web and mobile app functions, etc.).
Of the nine devices tested, three were found to have a critical vulnerability impacting their overall security beyond simple weaknesses or complex-to-exploit issues. The critical issues allow:
- An attacker to locate an exposed camera and watch the live stream, enable remote access (e.g. Telnet), or change the camera settings
- An attacker to potentially gain access to every recorded clip for every registered camera across the entire service
- An attacker to add an e-mail address of their choice to every single camera and log in at will to view the stream of any camera of their choosing
So do you have to be an expert to hack these devices, and aren’t most devices more secure? It seems not, as report authors Mark Stanislav and Tod Beardsley stress that the vulnerabilities and exposures found were “trivial to exploit by a reasonably competent attacker, especially in the context of a focused campaign against company officers or other key business personnel.” They also warn that there are important implications for every type of connected device. “If those key personnel are operating IoT devices on networks that are routinely exposed to business assets, a compromise on an otherwise relatively low-value target – like the video baby monitors covered in this paper – can quickly provide a path to compromise of the larger, nominally external, organizational network.”
Vulnerabilities tested included:
- Cleartext Local API - Local communications are not encrypted
- Cleartext Cloud API - Remote communications are not encrypted
- Unencrypted Storage - Data collected is stored on disk in the clear
- Remote Shell Access - A command-line interface is available on a network port
- Backdoor Accounts - Local accounts have easily guessed passwords
- UART Access - Physically local attackers can alter the device
The full report can be found on Rapid7’s IoT security site. Worryingly, only one vendor cited in the report, Philips, responded with an expected timeline for producing fixes for the issues described.