09 December 2014

Hacking the IoT: Let’s Take Over a House Part II


In my last post I talked a bit about how seemingly trivial vulnerabilities can have severe consequences in the Internet-of-Things.  When we left off, the attacker had managed to exploit that vulnerability to gain access to thousands of WidgetCo home automation products.  Pretty creepy stuff when you know someone is watching you in your own home, but things can get worse.  To understand why, let’s think about the average home network.

Most people’s houses have a cable or DSL modem, a Wi-Fi router and an assortment of devices from phones to laptops to cameras and the like.  And like so many enjoyable things in life those networks tend to be crunchy on the outside and soft in the middle.  That is, most protections are at the border; once you’re on the local network you’re treated like family.  As an example, many Wi-Fi routers block login attempts from the wild Internet; you can only configure them if you’re in the home network.  Now for an attacker, that router is the crown jewels: owning it means being able to intercept and manipulate a whole bunch of stuff, but we’re getting ahead of ourselves.

Going back to that WidgetCo device our guy hacked, he has just found something interesting:  Using the firmware update feature, he can…wait for it…update the device’s firmware:


When you update (okay, if you ever update) firmware on your devices, you may see a page like the above.  You download the latest and greatest, click the button and go do something else while it does its thing.  The attacker does the same thing, but he adds a little something to the mix before clicking update.

Take a look below at the directory on the device that controls what processes and services to start when the device boots up.  Spot the difference in the before and after pics?


That little extra bit he put in there turns the Widget from a fun consumer device into a remote login platform for a hacker.  What’s worse, while you may have firewall rules in place to block inbound connections from the Internet, his implant will make your device phone home to him.  All the inbound firewalls will be bypassed, and chances are he’ll have the same level of network access as he would if he’d been invited over and given the Wi-Fi password.
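The “spot the difference” check above can be automated: hash every entry in the boot-script directory and compare it with a trusted baseline, so an added or altered startup entry stands out.  This is an added example, not WidgetCo’s code or anything from the original post; the directory layout and file names (S10network, S50httpd, S99update) are constructed for the demo.

```python
"""Baseline comparison for a boot-script directory (added example).

Builds a SHA-256 manifest of the directory that decides what starts at boot
and reports anything that differs from a trusted baseline. The paths and
file contents below are constructed for the demo, not from a real device.
"""
import hashlib
import os
import tempfile


def manifest(directory):
    """Map each regular file (path relative to `directory`) to its SHA-256."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                result[os.path.relpath(path, directory)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed


def demo():
    """Constructed 'before' and 'after' boot directories; returns their diff."""
    with tempfile.TemporaryDirectory() as before, tempfile.TemporaryDirectory() as after:
        scripts = {
            "S10network": "#!/bin/sh\nifup eth0\n",
            "S50httpd": "#!/bin/sh\nhttpd -f /etc/httpd.conf\n",
        }
        for name, body in scripts.items():
            for directory in (before, after):
                with open(os.path.join(directory, name), "w") as fh:
                    fh.write(body)
        # The "after" picture carries one extra startup entry (constructed name),
        # standing in for the implant the post describes.
        with open(os.path.join(after, "S99update"), "w") as fh:
            fh.write("#!/bin/sh\n# extra entry that was not in the baseline\n")
        return diff_manifests(manifest(before), manifest(after))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

On a real device you would capture the baseline manifest right after a trusted firmware install and re-run the comparison after every update or on a schedule.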

The first thing he’s likely to do with that access is target your router.  Maybe he’ll get lucky and the password was never changed from the default, or maybe he has to do a bit of digging.  Either way, in most cases, it’s pretty much just a matter of time before he’s in.

Once an attacker has control of a victim’s Internet access, it’s game over.  He can redirect web browsing wherever he likes, so the victim can wind up with nasty malware pretty quickly.  That’ll be used to steal everything from banking to Facebook passwords.  If you find the malware and clean it out, his persistent access to your router will allow him to just reinfect you again.  That’s a pretty high price to pay for a cheap IoT device.

So what can be done from a consumer’s perspective?  When it comes to keeping yourself safe(r) from stranger danger like this, remember it’s a numbers game.  Our attacker wasn’t looking to hack you; he was looking to hack as many people as he could.  Put differently, he was vulnerability-centric rather than target-centric.  It wouldn’t have been worth his time to go after folks with hard-to-guess passwords.  It’s also a good idea to stick with devices that use sound firmware management policies, but more on that in an upcoming post from the labs team.