Many consumer-grade Internet of Things (IoT) products, such as Wi-Fi security web cameras, include security flaws that allow attackers to reprogram them and use them as persistent backdoors, Vectra Networks warns.
According to the security firm, which focuses on detection of cyber-attacks, insecure IoT devices enable potential attackers to remotely command and control an attack while avoiding detection from traditional security products. By turning an IoT device into a backdoor, attackers gain 24x7 access to an organization’s network without infecting a laptop, workstation or server, which are usually protected by firewalls, intrusion prevention systems and antivirus software.
While such security issues with IoT devices have been widely known for years, Vectra conducted an experiment that again shows the risks associated with adding them to your network.
The Vectra Threat Labs experiment focused on a popular D-Link Wi-Fi camera available for purchase at around $30. The security researchers managed to successfully reprogram it to act as a network backdoor without disrupting its operation as a camera, though the process required physical access to the device.
The researchers explain in a blog post that the reprogramming process started with taking the camera apart and dumping the content of the flash memory chip on the PCB (printed circuit board) for further analysis. The firmware was found to consist of a u-boot and a Linux kernel and image, and the team managed to access the Linux image filesystem.
After further analysys, the researchers decided to include the backdoor in the firmware in the form of a service inside the Linux system, and they went for a simple connect-back Socks proxy.
The team then tested whether they could bring back a telnet socket to an outside host, thus gaining remote persistence to the webcam. Having the webcam acting as a proxy allowed them to send control traffic into the network to advance attacks and explains that an attacker could use the webcam to siphon out stolen data from a company’s network.
However, the researchers also explain that this doesn’t necessarily mean that D-Link's web camera has a major security issue, but that IoT devices have a high impact on the attack surface of a network. These devices can be hacked relatively easily and, while they do not cost that much, they certainly matter to the security of a network.
“Consumer-grade IoT products can be easily manipulated by an attacker, used to steal an organization’s private information, and go undetected by traditional security solutions. While many of these devices are low-value in terms of hard costs, they can affect the security and integrity of the network, and teams need to keep an eye on them to reveal any signs of malicious behavior,” Gunter Ollmann, CSO of Vectra Networks, said.
The security researchers also note that the security vulnerability was brought to D-Link’s attention in early December 2015. However, the tech company hasn’t provided a fix for the issue as of January 7, 2016.
As Rafal Los, director of solutions research and development within the Office of the CISO for Optiv, explains in a SecurityWeek column, many of these IoT devices (even secured and not hacked) are always-on, always connected, which could pose a privacy risk to end-users and a security risk to companies, if they are brought at the office. After all, companies might not have a policy for bringing IoT devices, although they might have BYOD policies in place.
The IoT market is expanding at a fast pace at the moment, and both security researchers and cybercriminals are increasingly focused on finding security flaws in devices that are considered as being part of this segment. The industry joined hands last year and launched the Internet of Things Security Foundation (IoTSF) in September to address concerns regarding the security of IoT devices.
In November 2015, security researchers presented at the DefCamp conference in Bucharest the findings of a study on the firmware of IoT devices, explaining that such firmware images are often susceptible to multiple security flaws because manufacturers do not properly test them for security flaws. Also in November, IT security consultancy SEC Consult revealed that millions of IoT devices use the same cryptographic secrets, which expose them to various malicious attacks.
“Now is a great time to start to think about policy and procedure for the inevitable,” Los said. “As everything imaginable starts to ask for an IP address from your network, make sure you watch ingress and egress points and terminate encryption so you can properly inspect all traffic. What is your policy for things like the Amazon Echo, on your corporate network? Would your network even notice if one of these devices showed up, plugged in and pulled an IP address? Then what?”