17 November 2014

Hacking the IoT: Let’s Take Over a House


There’s going to be some big spending in the coming months, and a lot of those dollars will go toward “Internet of Things” (IoT) devices.  We all love to give and get the coolest new toys, but do we really understand what we’re doing when we bring them into our house?  What are the potential side effects when our TVs, light bulbs and refrigerators are Internet-enabled?

To get an answer, let’s take on the role of a hypothetical hacker- someone who doesn’t just plug-and-play their latest toy, but is curious about how it works.

Our hacker got the newest smart home IoT device from Acme Widget Company this year, and he loves it.  He can see the temperature of his house, watch video feeds, and even monitor his appliances.  He also noticed it has a web interface so he can check on it from work by visiting a special URL tied to the serial number of his device:



But huh…that’s funny.  The serial number is only a letter and five numbers.  That’s just 26 letters * 99,999 numbers…about 2.6 million possible URLs for the non-mathletes out there.  It’s probably more than you’d want to check out by hand, but hey- that’s what scripts are for:


So our hacker’s script has paid off- he now has a list of all 129,497 Widgets on the Internet, and he can hit their login pages.  But what to do with this?  Running a brute force attack against just one Widget would mean trying hundreds of thousands of passwords, and it probably wouldn’t work.  A smarter way would be to try just the most common passwords against every one of those Widgets.  After all those passwords are common because people use them a lot, right?


It’s called a horizontal password guessing attack, and another little bit of scripting makes short work of it.  A few hours later chances are our hacker now owns 3-5% of the Widgets on the Internet- conservatively that’s 4,000 Widget IoT devices with less than a day’s effort.  Enumeration-based attacks like this are behind some of the big headline breaches because they’re simple to perform and consistently successful.  That snapchat hack where they published a list of 4.6M user names?  Same principle, but even easier to execute.  Same thing with the Adobe one that leaked 2.9M accounts.  Even the 73K “private” cameras being streamed to a Russian site was done the same way.

Our labs team is doing some really interesting work in this area- you’ll see a blog post from them soon.  And in my next post we’ll see what happens when the hacker isn’t satisfied with defrosting your fridge or watching you sleep, and starts using your device to launch attacks against you.

 So, uh…what’s plugged in at your house?