Black Box Device Research reveals Pitiful State of Internet of Things Security

Internet of Things insecurity is worse than you think, according to a team of researchers who reverse engineered a series of Internet of Things devices and found them even easier to hack and exploit than believed.

Security researchers in Israel have taken a good look under the hood of a number of connected devices to find out just how serious their security flaws are. The result? Internet of Things (IoT) devices are even easier to hack than anyone believed.

A team of info-security engineers from the Ben-Gurion University (BGU) of the Negev in Israel used everything from screwdrivers to password-cracking software to logic software to take apart and test so-called “smart” devices, including baby monitors, home security cameras, doorbells and thermostats.

What they found is stuff out of a Hollywood thriller, with devices that could be easily compromised and co-opted to do unexpected and potentially invasive things, said Yossi Oren, a senior lecturer in BGU’s Department of Software and Information Systems Engineering.

Furby Connect – just one of many insecure, connected toys sold to the public. The UK government is proposing to shift more responsibility to manufacturers.

“Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products,” he said in a statement about the research. “It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices.”

Indeed, the research shows that “while IoT security causes great concern, it is still not being dealt with properly by many manufacturers,” Omer Shvartz, a Ph.D. student and member of Oren’s lab, told Security Ledger.

Peering under the hood

Oren, Shvartz and their team at BGU set out to analyze the practical security level of 16 popular, off-the-shelf IoT devices from high-end and low-end manufacturers, they report in a paper about their efforts. The team used various low-cost techniques for reverse engineering these devices, including software- and fault injection-based techniques for bypassing password protection. The researchers adopted a “black box” approach to testing, with no prior knowledge of how the IoT devices were constructed.

Still, using their methods, the team managed to recover device firmware and passwords, as well as discover a number of common design flaws that showed them previously unknown vulnerabilities, Shvartz said. They were also able to log on to entire Wi-Fi networks simply by retrieving the password stored in a device to gain network access.

“Most of our research was aimed at showing how easy it is to discover insecure properties of IoT devices,” he said. “During our evaluation we did, however, stumble across a worrying amount of vulnerabilities, critical security faults and data-safety issues.”

For example, the team was able to crack the default passwords for 12 of 16 devices and used them to create their own, isolated Mirai-style botnet, he said.

IoT devices hacking already a reality

Other researchers’ examinations of IoT devices have already demonstrated the type of activities the BGU team uncovered in its work. Security researchers at Kaspersky Lab also revealed Tuesday that they uncovered a series of security vulnerabilities in a range of popular smart cameras that leave them vulnerable to hackers.

Specifically, flaws in some cameras manufactured by South Korean firm Hanwha Techwin could allow attackers to access live video and audio feeds and remotely get root access to the camera, potentially gaining access to the rest of the network. Kaspersky identified almost 2,000 vulnerable cameras that are accessible via public IP addresses on the open Internet.

This scenario became reality in Israel recently, where hackers broke into an IoT security camera and leaked videos of a celebrity trying on clothes in a store’s warehouse, Shvartz said.

The team was easily able to create similarly styled hacks in its research, he told us. For example, researchers discovered that a doorbell used in an office building nearby had a weak password. Using reverse-engineering techniques, they were able to access it remotely to enable an unauthorized person to enter the building, Shvartz said.

Buyer beware

The research from the team is not surprising, given numerous reports about the persistent lack of IoT device security. Worryingly, though, it shows that manufacturers still aren’t doing their due diligence to protect the security of IoT devices, and need to get on the task, Shvartz said.

“I think most devices are not designed with security in mind,” he said. “I believe that manufacturers should take security seriously and have a security team or person involved in the design and implementation stage of every new IoT product.”

Some steps manufacturers can take immediately include ending the use of easy, hard-coded passwords, disabling remote-access capabilities, and making it harder to get information from shared ports.

In the meantime, the team advised that people installing smart devices and IoT networks should be wary when choosing their products, and do their own investigation of a product before putting anything in place, Shvartz said.

“We recommend buying well-known products with support from reputable vendors and doing research on the security of the device that is purchased,” he said.

The BGU team also advises avoiding used IoT devices that could already contain malware, creating strong passwords with a minimum of 16 characters, avoiding the use of shared passwords on multiple devices, and updating software regularly to help protect smart, connected devices.
