IoT application vulnerabilities leave devices open to attack

Businesses and consumers have a right to know the security posture of devices connected to the internet making up the internet of things (IoT) – and manufacturers should be held accountable.

That is the view of security researchers at Barracuda Networks who examined an internet-connected security camera to illustrate the growing security threat of IoT credential compromise.

The study shows that vulnerabilities in the web and mobile applications of IoT devices can be exploited to steal credentials and compromise the associated devices.

Without any direct connection to the device itself, the team was able to identify multiple vulnerabilities in the camera’s web app and mobile app ecosystem.   

This threat could affect other types of IoT devices, the researchers said, because it takes advantage of the way the device communicates with the cloud.

For this reasons, Barracuda believes IoT products should be scored constantly and their security posture be published in the same way as motor vehicle safety ratings are, to enable businesses and consumers to make informed decisions when choosing products.

The researchers note that although improvements have been made in response to concerns about the security risks of IoT devices, vulnerabilities remain.

In particular, the Barracuda Labs team highlighted the threat of IoT credential compromise by showing that attackers could use vulnerabilities in the web applications and mobile applications used by certain IoT devices to acquire credentials, which can then be used to view the video feed, set/receive/delete alarms, remove saved video clips from cloud storage, and read account information.

Attackers can also use the credentials to push their own firmware update to the device, changing its functionality and using the compromised device to attack other devices on the same network.

The main vulnerabilities identified by the researchers included:

• Mobile app ignored server certificate validity.
• Cross-site scripting (XSS) attacks were possible in the web app.
• File directory traversal was possible in a cloud server.
• User controls device update link.
• Device updates are not signed.
• Device ignores server certificate validity.

If an attacker can intercept traffic to the mobile app by using a compromised or hostile network, they can easily acquire the user password, the researchers warned.

When a victim connects to a compromised/hostile network with a mobile phone, the connected camera app will try to connect to the supplier’s servers over https. The hostile/compromised network will route the connection to the attacker’s server, which will use its own SSL certificate to proxy the communication to the supplier’s server. The attacker’s server now holds an unsalted, MD5 hash of the user password. The attacker can also tamper with the communication between the supplier’s server and the app.

Acquiring credentials from the web app relies on functionality that allows users to share device access to the connected camera with other users. To share a device, the receiver needs to have a valid account with the IoT supplier, and the sender needs to know the receiver’s username, which happens to be an email address. The attacker will then embed an XSS exploit in a device name and then share that device with the victim.

Once the victim logs into his account using the web app, the XSS exploit will execute and share the access token (which is stored as a variable on the web app) with the attacker. With that access token, the attacker can access the victim’s account and all its registered devices.

Through this research, the Barracuda Labs team managed to compromise the internet-connected camera without any direct connection to the device itself.

This makes life easier for attackers, the researchers said. There is no longer any need to scan the Shodan search engine for vulnerable devices because the attack will be performed against the supplier’s infrastructure.

The researchers emphasised that vulnerabilities are not inherent to products, but rather to processes, skills, and the awareness of the developers. As access and access controls for IoT devices shifted to cloud services, so did the vulnerabilities, they said, making possible the types of attack uncovered by the Barracuda Labs team.

According to the researchers, suppliers creating IoT products and services need to protect all aspects of the applications used to run those devices, which include sensors distributed in offices, homes and schools, making them potential entry points for attackers.

The researchers said that a web application firewall – one of the most critical protections IoT suppliers need to put in place – is designed to protect servers from HTTP traffic at layer 7 (the application layer). Manufacturers also need to ramp up protection against network layer attacks and phishing, they said.

Cloud security is also important, the researchers said, because it provides visibility, protection and remediation of IoT applications and the infrastructures they run on. The potential for lateral-movement exposure is large and complex, so taking proper security precautions is key, the researchers said.

When buying an IoT device, the researchers said businesses and consumers need to think about security, as well as convenience and price. They recommend that buyers: