November 5, 2015

More connected, less secure: how we probed IoT for vulnerabilities


A year ago our colleague David Jacoby, a researcher at GReAT, successfully attempted to hack his own home and discovered a lot of curious things. David’s experiment inspired many Kaspersky Lab employees around the world. Many employees decided to carry out the same research on their own homes.

Surviving Internet of threats

To probe smart things for bugs, we chose several popular Internet of Things (IoT) devices: Google Chromecast (a USB dongle for video streaming), an IP camera, a smart coffee machine and a home security system – all of which could be controlled by a smartphone or mobile app. The models and devices were chosen at random, and the selection was quite vendor agnostic.

Our experiment proved that ALL of these objects were hackable or could be easily compromised and used to do a hacker’s bidding. We have reported the vulnerabilities to the respective vendors. By now, some of the products have been patched. Others remain vulnerable.

Chromecast

The creators of Google Chromecast missed a bug, which could allow a hypothetical hacker to broadcast his own TV ‘programs’ – this could be anything from advertisements to scary movies or weird pictures. Once the attacker understands how to get into your device, they can continue to manipulate the experience. This can continue for as long as they want, or until the user buys a new dongle or switches back to cable.

Vulnerable USB dongle

If the hacker were armed with a directional antenna, he could interrupt your favorite program at an inopportune time without having to be close by – making him hard to catch. This vulnerability in Chromecast has been there for ages and still remains unpatched.

IP Camera

The IP camera that we decided to test was actually a baby monitor managed via smartphone. By the way, such devices were hacked as early as 2013 and continue to be exploited. The model we chose for our experiment was produced in 2015, yet we managed to find a couple of bugs.

Vulnerable IP camera

By tampering with a default baby monitor app, hackers could gain access to email addresses of all of the company’s clients. Since the majority of the camera owners are parents, such a comprehensive database would be a real treat for phishers launching a targeted campaign.

A couple of other flaws allowed our researchers to gain full control over the camera: an attacker could see and hear everything happening in a room, play an arbitrary audio file on the device, or get root access and modify the camera’s software, becoming the sole ruler of this small ‘smart’ thing. We reported the vulnerabilities to the vendor and helped to work on the respective patches.

Cup of Joe

Well, the means of messing with our lives and comfort through Chromecast dongles and baby monitors are relatively straightforward. But what’s wrong with the coffee machine? It turns out that this kitchen device might be a great means of spying on you, letting your home Wi-Fi password slip.

Vulnerable coffee-maker

Surprisingly, the problem happened to be very challenging to fix, so the vendor still hasn’t managed to patch the bug. The situation is not that grave, though: the temporary window of opportunity for a hacker lasts mere minutes. However, the problem remains even if you change the Wi-Fi password – the coffee machine will gladly give away the password over and over again.

Home Security

The smart home security system also lost this fight. Curiously our expertise did not help here – in fact, it was knowledge of basic physics that made it happen. The system employs special sensors to monitor the magnetic field, which is generated by the built-in magnet in the lock. Once a burglar opens a window or a door, this magnetic field is disturbed and the sensor sends the alert all along the chain.

Vulnerable cloud alarm

But one can use a simple magnet to preserve the magnetic field even if the door or the window is open, and thus break into the house. This is a problem that is widely acknowledged, since similar sensors are used in many popular security systems. Moreover, a patch would not help to battle the issue – the very approach should change fundamentally.

As for software, this system was absolutely capable of resisting cyberattacks, as well as burglars who did badly in their high school physics class.

The detailed record of our quest for vulnerabilities and interactions with the vendors can be found here on Securelist.

To minimize the risks and make your home more secure, please follow our recommendations:

— When choosing which aspect of your life you are looking to make ‘smart’, think along the ‘security first’ line. Do you have a lot of valuables at home? Then make the home security system redundant, complementing a fancy smartphone-managed anti-burglar system with a traditional wired alarm. Are you going to use a device that would get access to your family’s private life (like baby monitors)? Just think of simple models, which transmit sound over radio frequencies and not via an IP network.

— If the above approach does not suit you, pick smart devices carefully. Before going to the store, research the device you are looking for online, paying particular attention to relevant news about bugs and patches.

— Don’t buy the latest model. Usually, a brand new gadget comes with bugs yet to be discovered by researchers. Try to choose a device with a proven reputation.