IoT Devices Easily Hacked to be Backdoors: Experiment

Many consumer-grade Internet of Things (IoT) products, such as Wi-Fi security web cameras, include security flaws that allow attackers to reprogram them and use them as persistent backdoors, Vectra Networks warns.


According to the security firm, which focuses on detection of cyber-attacks, insecure IoT devices enable potential attackers to remotely command and control an attack while avoiding detection from traditional security products. By turning an IoT device into a backdoor, attackers gain 24×7 access to an organization’s network without infecting a laptop, workstation or server, which are usually protected by firewalls, intrusion prevention systems and antivirus software.

While such security issues with IoT devices have been widely known for years, Vectra conducted an experiment that again shows the risks associated with adding them to your network.

The Vectra Threat Labs experiment focused on a popular D-Link Wi-Fi camera available for purchase at around $30. The security researchers managed to successfully reprogram it to act as a network backdoor without disrupting its operation as a camera, though the process required physical access to the device.

The researchers explain in a blog post that the reprogramming process started with taking the camera apart and dumping the content of the flash memory chip on the PCB (printed circuit board) for further analysis. The firmware was found to consist of a u-boot and a Linux kernel and image, and the team managed to access the Linux image filesystem.

After further analysis, the researchers decided to include the backdoor in the firmware in the form of a service inside the Linux system, and they went for a simple connect-back SOCKS proxy.

The team then tested whether they could bring back a telnet socket to an outside host, thus gaining remote persistence to the webcam. Having the webcam act as a proxy allowed them to send control traffic into the network to advance attacks, and they explain that an attacker could also use the webcam to siphon stolen data out of a company’s network.
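The proxy behaviour described above leaves a recognisable network footprint: a camera holding a long-lived session to an unfamiliar outside host while also opening connections to internal machines it never normally talks to. The following is an added detection sketch, not code from Vectra or from the article; the flow records, addresses, baseline peers and the one-hour threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (src, dst, dst_port, duration_seconds); not real data.
FLOWS = [
    ("10.0.20.15", "10.0.20.1", 53, 1),            # camera -> local DNS (baseline)
    ("10.0.20.15", "198.51.100.20", 443, 40),      # camera -> vendor cloud (baseline)
    ("10.0.20.15", "203.0.113.77", 8080, 86000),   # long-lived session to unknown host
    ("10.0.20.15", "10.0.5.10", 445, 12),          # camera -> file server
    ("10.0.20.15", "10.0.5.11", 3389, 30),         # camera -> workstation
    ("10.0.20.16", "198.51.100.20", 443, 35),      # second camera, normal traffic
    ("10.0.20.16", "10.0.20.1", 53, 1),
]
IOT_DEVICES = {"10.0.20.15", "10.0.20.16"}         # assumed device inventory
BASELINE = {"10.0.20.1", "198.51.100.20"}          # assumed expected peers
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range
LONG_LIVED_S = 3600                                # assumed threshold: one hour


def find_proxy_suspects(flows, devices, baseline,
                        internal=INTERNAL, long_lived=LONG_LIVED_S):
    """Return IoT devices that show BOTH halves of connect-back proxy behaviour:
    a long-lived outbound session to a non-baseline external host, and
    device-initiated connections to non-baseline internal hosts."""
    external_sessions = defaultdict(list)
    internal_peers = defaultdict(set)
    for src, dst, port, duration in flows:
        if src not in devices or dst in baseline:
            continue                               # not an IoT device, or expected peer
        if ipaddress.ip_address(dst) in internal:
            internal_peers[src].add((dst, port))   # lateral connection from the device
        elif duration >= long_lived:
            external_sessions[src].append((dst, port))
    return {
        dev: {"external": external_sessions[dev],
              "internal": sorted(internal_peers[dev])}
        for dev in sorted(devices)
        if external_sessions.get(dev) and internal_peers.get(dev)
    }


if __name__ == "__main__":
    for device, evidence in find_proxy_suspects(FLOWS, IOT_DEVICES, BASELINE).items():
        print(device, evidence)
```

Requiring both signals keeps a camera with only a long streaming session to its vendor, or only local DNS traffic, out of the results.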

However, the researchers also explain that this doesn’t necessarily mean that D-Link’s web camera has a major security issue, but that IoT devices have a high impact on the attack surface of a network. These devices can be hacked relatively easily and, while they do not cost that much, they certainly matter to the security of a network.


“Consumer-grade IoT products can be easily manipulated by an attacker, used to steal an organization’s private information, and go undetected by traditional security solutions. While many of these devices are low-value in terms of hard costs, they can affect the security and integrity of the network, and teams need to keep an eye on them to reveal any signs of malicious behavior,” Gunter Ollmann, CSO of Vectra Networks, said.

The security researchers also note that the security vulnerability was brought to D-Link’s attention in early December 2015. However, the tech company hasn’t provided a fix for the issue as of January 7, 2016.

As Rafal Los, director of solutions research and development within the Office of the CISO for Optiv, explains in a SecurityWeek column, many of these IoT devices (even secured and not hacked) are always on and always connected, which could pose a privacy risk to end users and a security risk to companies if they are brought to the office. After all, companies might not have a policy for bringing in IoT devices, although they might have BYOD policies in place.

The IoT market is expanding at a fast pace at the moment, and both security researchers and cybercriminals are increasingly focused on finding security flaws in devices that are considered part of this segment. The industry joined hands last year and launched the Internet of Things Security Foundation (IoTSF) in September to address concerns regarding the security of IoT devices.

In November 2015, security researchers presented at the DefCamp conference in Bucharest the findings of a study on the firmware of IoT devices, explaining that such firmware images are often susceptible to multiple security flaws because manufacturers do not properly test them. Also in November, IT security consultancy SEC Consult revealed that millions of IoT devices use the same cryptographic secrets, which exposes them to various malicious attacks.

“Now is a great time to start to think about policy and procedure for the inevitable,” Los said. “As everything imaginable starts to ask for an IP address from your network, make sure you watch ingress and egress points and terminate encryption so you can properly inspect all traffic. What is your policy for things like the Amazon Echo, on your corporate network? Would your network even notice if one of these devices showed up, plugged in and pulled an IP address? Then what?”
