Are your IoT Devices exposing you to Hackers?

By:  |  Category: Blog, Security Thursday, December 28th, 2017  |  No Comments

Most likely Christmas brought you a few nifty gifts under the tree, but for some folks it may have also introduced  bizarre sounds into their home. Creaking doors, babies crying, moans and groans not coming from their family–sound familiar? Fortunately, you probably aren’t going nuts, but your spanking new Bose and Sonos devices may have been compromised by audio hackers commandeering your devices.

Trend Micro released a new study called “The Sound of a Targeted Attack”, and tested popular IoT device’s (many given as gifts this Christmas) to determine their vulnerabilities. Trend discovered  that some models of Sonos and Bose speakers-including the Sonos  One and Bose Sound Touch Systems are accessible online by a pinpointed scan that exposes user data along with other pertinent information that can be used in an attack.

After the tests, Trend reached out to Sonos, which responded quickly to fix the security gaps. The gaps addressed include a denial-of-service (DoS) bug which now returns an HTTP error code 412 (Precondition failed). Trend also reached out to Bose and are currently waiting for their response.

Where earlier studies focused on seizing control of speakers like the Amazon Echo and Google Home, the results of the new research led to unique findings. These include security gaps that resulted from a simple open port that gave anyone on the internet access to the device and user information. The first big security concern was access to email addresses that are linked to music streaming services synced with the device. Another was access to a list of devices as well as shared folders that were on the same network as the test device. Trend also got BSSID information that, paired with an existing API that queries specific BSSIDs, gave them the approximate location of access points used by the test unit. And lastly, they were able to see the device’s activities, such as current songs being played, control the device remotely, as well as play music through URI paths.

The implications of these gaps go beyond the loss of device control. Internet-connected speakers — and in turn, IoT devices — may be exposing information that can be used by attackers in malicious schemes. By first breaking into the case test device, a Sonos Play:1 speaker, to spot security issues, Trend was able to come up with plausible attack scenario that can be used not just against home users but also against enterprise networks. And while the test unit used was an internet-connected speaker, similar issues in other IoT devices can exist and give attackers the same upper hand.

Prerequisites for an Attack on IoT Devices

Regardless of the target IoT device, attackers make use of several elements when launching an attack. In any scenario, an attacker will utilize information that is accessible as well as exploitable.

Exposed device — As shown in Trend’s research on hacking industrial robots and exposed devices in U.S. and Western European cities, an attacker can look for exposed devices over the internet through search engines like Shodan. At the time of the study, they were able to see around 4,000 to 5,000 exposed Sonos speakers.

Existing insecurity — A device may have a security lapse that gives an attacker something to take advantage of. This may come in the form of a lack of authentication process, an unpatched vulnerability, or information leakage from an external source. For the test unit, it was its open access to user information, among other things.

Exploitable device capabilities – Given that IoT devices vary in form and function, certain devices may have unique capabilities which attackers can exploit. In the case of an internet-connected speaker, the attacker could utilize the ability to play music from an online source.

Publicly available personally identifiable information (PII) – These can come from legitimate sources such as online search tools or social media, as well as from data breach information made public. In the case study, Trend found 727 unique email addresses that could be loaded into open source intelligence tools such as Maltego. They also saw several email accounts connected to previously reported breaches such as River City Media, LinkedIn, and last.fm.

Attack Scenarios:
Using the above attack prerequisites found in the case study, Trend was able to formulate specific attack scenarios utilizing the internet-connected speakers.
An attacker can send a customized phishing email based on the target’s musical preference.

Through an Nmap scan, Trend observed that the application running the Sonos Play:1 test device communicated with TCP/1400. Following that led them to an unauthenticated URI page.

Aside from finding an entry point, an attacker could use the exposed information for spear-phishing. By studying the target’s musical preference based on the tracks being played, an attacker can tailor-fit an email and send it to the email address linked to the target’s music streaming account. This increases the success rate of schemes to compromise businesses too.

In a way, any IoT device which leaks personal or network information can give an attacker leverage for a successful attack. An attacker can track down where the target lives and find out if they’re home.

This can be done using a website that compounds multiple sources of Wi-Fi geolocation. After determining the location of the target, an attacker can monitor the presence data available from the device, such as the times when the speaker is activated and deactivated. The pattern can more or less tell the attacker when the target is awake, asleep, or even when the target is not around.

This hybrid attack involving cyber and physical elements presents new dangers that home and enterprise users should be aware of. Devices leaking presence data not only make users easier to predict — they can also put the user at physical risk.

An attacker can play a fake recorded message and trick the target into downloading malware.

Using information found on the URI path like model numbers and serial numbers, an attacker can disrupt the user’s device, halt any song currently playing, and play a crafted status message containing misleading information. Similar to the first attack scenario, an attacker could then send tailor-fit emails to accounts tied to the music streaming applications. This time, the email could contain a fake message from the manufacturer along with a link that downloads malware instead of a software update. To make the email more believable, the attacker can search the target’s email address against online search tools that can locate people based off of public information, and add personalized details to the pre-recorded message. This scheme poses great risk to businesses that use internet-connected speakers or have Bring Your Own Device (BYOD) programs.

With a different IoT device, attackers can get creative and exploit other functions. Imagine what they could do if they had access to security cameras, a router, the thermostat, or even a FitBit.

Risky Business
Assuming that an IoT device inherently protects a user’s personal information and is safe to introduce to a network is risky. Cybercriminals will soon be exploring new ways to abuse IoT devices. As the production and consumption of IoT devices increase, the lack of built-in security becomes more and more of an issue. With all these devices connected to each other via networks and the internet, it could take just one security gap to compromise a user – or an entire network. From exposed features that could be exploited to devices leaking personal information on the internet, product insecurities have led to attacks and will continue to do so.

One of the more recent security incidents involved brands of smartwatches for children. They were found to have vulnerabilities that can allow attackers to track the wearer’s movement, eavesdrop on conversations, and communicate with the wearer. This shows that even popular devices can fall short or leave massive gaps in terms of ensuring their products’ security.

The problem of unsecured internet-connected devices is not limited to home users but also extends to workplace environments when seemingly safe IoT devices are introduced into the company network, as was shown in the attack scenarios. Whether these devices are installed to improve productivity or are simply brought to work by employees, the risk of having an exposed and unsecured device should not be taken lightly.

Protecting Against IoT Insecurities
Given that IoT devices need to be connected to the internet, manufacturers have to ascertain that what they produce poses very minimal risk to the buying public. With all the information fed to internet-connected devices, it is considerably difficult for users to know if these are protected properly by the built-in security that comes with the product. Although consumers are also tasked to employ proper security practices on their end (like applying fixes), manufacturers should also make sure that what they produce pose little to no security risk to their customers.

  1. While IoT devices are connected to the internet, they should never be exposed. In the case of the test device, manufacturers should make sure that ports connecting to the devices cannot be accessed directly from the internet. Manufacturers should also secure data that’s being stored or compiled by these IoT devices and conduct security audits — including regularly reading public forums discussing their products.
  2.  Users should check their routers for rules that might provide outside access to devices and folders on the network. If access is needed, it should be limited to as few devices as possible. They should enable password protection on all devices if possible and replace default passwords immediately with stronger ones.
  3. Users can also visit websites like WhatsMyIP to scan their network for any open ports. They should also make sure that the firmware of their IoT devices is updated as well. Businesses with BYOD programs must be aware of what internet-connected devices are being used by employees at work and ensure security guidelines are provided.

As we move to a more internet-connected world, manufacturers, consumers, and IT administrators must exercise a security-first mindset. With all the personal data managed and kept by IoT devices, securing them should be just as important as ease of use and integration with applications that run them.


Source image: https://www.pexels.com/photo/arrows-box-business-chalk-533189/

Leave a Comment
Read previous post:
AI Security A Huge Concern

Worried about AI? You aren't alone. A new panel by Webroot shows that 86% of security professionals are concerned that...