The new year isn’t bringing good news about Internet of Things security, as a new report sheds light on a flaw that allows bad actors to take unauthorized control of applications used by the IoT devices.
Researchers at Barracuda Networks did a deep security dive on a popular, connected security camera and found multiple vulnerabilities in the ecosystem of Web and mobile apps that support the camera. Together, the flaws allow a hacker to get into someone’s local IoT network and take control of the camera–and potentially other devices on the network.
“Using these vulnerabilities, the team was able to perform … attacks to acquire credentials and compromise an IoT device, all without a direct connection to the device itself,” according to the report.
Barracuda researchers published a report Thursday on the exploit, calling it “IoT credential compromise.” However, they declined to name the device and its manufacturer to avoid “shaming anyone,” Fleming Shi, CTO of Barracuda told Security Ledger.
“We just want to show how easy these things can be hacked,” he said.
In the report, researchers outline two different ways to acquire user credentials to gain access to the camera. One way was through the mobile application, where the Barracuda researcher intercepted traffic to the mobile app by using a compromised or hostile network to acquire a user password.
The other way outlined in the report relies on functionality that allows users to share device access to the connected camera with other users through a valid account with the IoT vendor. In this scenario, the attacker needs to know the receiver’s username, which happens to be an e-mail address.
Two roads, one destination
In the first scenario, a victim connects to a compromised or hostile network with a mobile phone, and the connected camera application will try to connect to the vendor’s servers over secure http. The hostile or compromised network will route the connection to the attacker’s server, which will use its own SSL certificate and proxy the communication to the vendor’s server.
That allows the attacker’s server to grab an encrypted version of the user password and tamper with the communication between the vendor’s server and the app, researchers said.
In a second scenario, an attacker embeds a cross site scripting exploit in the name of a device then shares that device with the victim.
Once the victim logs into his account using the web app, the exploit embedded in the device name executes and share the access token–which is stored as a variable on the Web app–with the attacker. With the access token, the attacker can access the victim’s account and all its registered devices, researchers said
From pranks to worst-case scenarios
Both methods of attack can result in attackers gaining access not just to one IoT device, but potentially other devices on the network–as well as other devices from other users or connected homes that might also be using the same network, Shi told Security Ledger.
By exploiting the vulnerability, a bad actor can do something as harmless–but terrifying–as sending false video on the camera claiming North Korea has launched ballistic missiles toward the United States, something one creative hacker already did to a family in Orinda, Calif.
But they also can use their access to engage in more sinister and potentially financially damaging activity, Shi warned.
“They also can get on the network and steal information,” he told us. “An IoT device is registered with personal information and data, and if people share passwords between IoT [devices]… attackers could get into people’s bank accounts or [other financial] accounts, for example. It can be really bad.”
Time for manufacturers to get wise
That IoT devices are insecure is not new information. Numerous reports and incidents last year demonstrated the potentially catastrophic insecurity of IoT devices, especially in enterprise situations.
However, despite all of the dire warnings, manufacturers and users of these devices still don’t seem to be doing much to protect them, Shi told us. “The only improvement I see is that we are developing awareness [of the problem]–but partially it’s due to a lot of incidents,” he said.
But awareness, while it’s “very helpful,” does not eliminate the presence of vulnerabilities, and it’s on the backs of manufacturers to start remedying the problem, pronto, Shi said, echoing many other security researchers before him.
“The manufactures really have to step up,” he said. “They need to make sure that whatever they put out there, they realize that’s a surface for hackers.”
Mitigating and patching known vulnerabilities is one way manufacturers can ensure better security for devices, Shi said.
Other ways to better protect IoT networks and devices include establishing trusted relationships between browsers and Web servers through secure certificates, as well as putting up a Web app firewall in front of a server controlling large numbers of IoT devices, he said. “So even if you lose one zone, one house, one camera to a hacker, it shouldn’t penetrate into other houses where the same kind of IoT devices live, Shi explained.
Users also need to take more responsibility for securing their IoT networks at home so attacks don’t reach other network assets by not using the same password for multiple device or Web log-ins, as well as staying abreast of known IoT device vulnerabilities and turning off devices with these exploits until they’re patched, he added.