Enterprise security teams can draw lessons from vulnerabilties in the first devices making up the internet of things (IoT) says a researcher.
“The internet of things is really made up embedded devices, and that is what makes the security issues relevant to the enterprise,” said Alex Chapman, senior consultant at Context Information Security.
Chapman is part of a research team at the UK-based incident response and investigation firm that has been investigating the potential impact of IP connected devices on security.
The team chose five commercially available IP-connected products and was able to compromise every one of them.
In each case, suppliers of the devices have been notified and are either releasing fixes, investigating issues or in the initial stages of reporting, said Chapman.
Poor authentication was a common weakness running through the smart light bulbs, IP camera, network attached storage (NAS), wireless printer and smart companion rabbit.
The team found ways of exploiting this weakness in each device to gain access to wireless router passwords and inter-device communication encryption keys.
This meant they were able to take control of the devices remotely and get enough information to compromise the network connected to the devices.
In the case of the IP camera, the researchers were able to hijack the video stream and control the camera from a mobile app to look around its environment and even zoom in on objects.
“The security for these devices depended on changing the default directory for the web interface from index.html to index2.html,” Chapman told attendees of Context’s Oasis symposium in London.
Scanning the internet, the researchers were able to find around 200 accessible IP camera interfaces using this method.
The light bulbs use AES 128 encryption, but just because they implement encryption does not necessarily mean they are secure,” said Chapman.
Using a combination of hardware hacking, protocol analysis and reverse engineering, the researchers were able to extract the AES encryption details.
“AES is a symmetric cipher, which means if we have the details and the packets we can decrypt the data,” said Chapman.
The researchers were able to use a wireless laptop to request Wi-Fi credentials from a light bulb over the unsecured mesh network.
Using the encryption key, they were able to decrypt the credentials released by the light bulb and use those credentials to connect to a secured wireless network.
The relevance to information security professionals, said Chapman, is that the devices have parallels in corporate environments with very similar underlying technology.
The business counterpart of the smart light bulbs would be building management systems with the risk of building failure, such as hackers being able to open fire exits remotely.
The consumer NAS device corresponds with network storage in the enterprise with the risk of file disclosure and the printer corresponds with a network printer with the risk of data disclosure.
Scanning the internet, the researchers were able to find around 14,000 NAS interfaces vulnerable to an exploit allowing a hacker to login as root and change the username and password.
The IP camera corresponds with physical security camera systems in the enterprise that could be hijacked to stream bogus images or conduct surveillance.
Finally, the smart rabbit device corresponds with video-conferencing equipment with the risk that transmissions could be monitored for commercially sensitive information.
Chapman warned that traditional penetration testing may miss these issues. “Only in-depth device reviews will identify security vulnerabilities in these devices and not just known vulnerabilities,” he said.
Read more about the internet of things
- The internet of things is set to change security priorities
- APIs key to security of internet of things, says Axway
- Internet of things to power classroom education
- Smart Grid and the Internet of Things
- Smart technologies and the internet of things
- Gartner: Internet of Things will be worth trillions
- Explained: What is the Internet of Things?
- Building Internet of Things applications with DeviceHive
- The internet of things – the devices are taking over
- ARM buys Sensinode for ‘internet of things’ push