
Malicious Code in IoT Device Demonstrates Widespread Potential Risk

Security researcher Mike Olsen’s recent discovery of a malicious iFrame in the embedded control code of a set of security cameras purchased from Amazon highlights one of the emerging threats to the internet of things: it is relatively easy to poison the consumer supply chain.

Olsen found that the iFrame pointed to a known malicious domain. Quite correctly, he wrote to the supplier and warned that he would have to inform Amazon, with a view to having the product removed from sale. Olsen did not suggest that either Amazon or the supplier was at fault, only that he had found a problem.

But the supplier is adamant the fault is not his. “NONE of our cameras, software or websites have ANY spyware, viruses or anything of that sort,” he told SecurityWeek in a written response. “We utilize three in-house spyware programs in addition to an external company we hire to perform a scan of our systems on a weekly basis. In addition, out of the 200+ cameras we have sold this year (we are a small business with 3 employees), NONE have had any issues even close to what Mike addresses.”

The Amazon link to the cameras (it has now been removed or changed) was: http://www.amazon.com/Sony-Chip-Camera-1080P-CCTV/dp/B00YMEVSGA.

SecurityWeek asked Sony for a comment on the issue. Sony responded, saying that “The cameras mentioned in the article are not Sony products however they do apparently use Sony components according to the product description, specifically the CMOS sensor chip to capture the image…” So Sony is not involved.

Nevertheless, the malicious code was there. Consider one hypothesis: an attacker buys an IoT device from an online retailer, tampers with its firmware and returns it. Since the device appears unused, the retailer could, by accident or by practice, put it straight back into inventory, and the next customer, who may not have Olsen’s ability to inspect and evaluate code, receives and uses a compromised device.

This may already be happening. We don’t know, because existing consumer security tools are unlikely to detect a compromised IoT device. SecurityWeek spoke to Sean Sullivan, a security researcher with F-Secure.

“In this scenario,” said Sullivan, “I don’t think you’d call it ‘malware’. Rather, the firmware of the device has been altered, probably to include a backdoor. Traditional AV isn’t going to have visibility in this case.”

David Soria, a security engineer with iTrust France, confirmed this view. “What should be highlighted here is that there is a substantial gap between the traditional security tools your average Joe uses and the huge amount of new malware strains being created. While antivirus remains the preferred tool for basic protection, it is limited to perimeter-recognition. What does that mean? Simply put, once an unknown threat makes its way onto your new connected device, there is no way for your antivirus to even recognize its existence.”

That leaves controlling the device’s network traffic at the perimeter as the practical defence. Sullivan added, “A smart router with an intelligent firewall could be an answer. Either by blocking the backdoor connection to a known bad IP, or by limiting the device traffic to a white list that matches the device vendor.”
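The two router-side controls Sullivan sketches, a block-list of known-bad destinations and a per-device allow-list that matches the vendor, as an added example written for this article (not code from the article, F-Secure or any camera vendor). It evaluates constructed outbound flows from a camera on an IoT segment; every device name, hostname, address and flow record below is constructed, and the block-list stands in for a real threat-intelligence feed. The example also shows why the allow-list matters: a backdoor that calls an address by IP, with no hostname, passes a block-list but is caught by default-deny.

```python
"""Per-device egress control for an IoT segment (added example).

Illustration written for this article, not code from the article or
any vendor. Models the two controls Sullivan describes: (1) deny
connections to known-bad destinations, (2) restrict each IoT device to
an allow-list matching its vendor, denying everything else by default.
All names, addresses and flow records are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class DevicePolicy:
    """What one IoT device is permitted to talk to (constructed)."""
    name: str
    allowed_hosts: set[str]                                 # vendor names, suffix match
    allowed_nets: list[str] = field(default_factory=list)   # CIDRs, e.g. vendor NTP
    allow_dns: bool = True                                  # UDP/53 to the local resolver


@dataclass
class Flow:
    """One outbound connection attempt seen at the router (constructed)."""
    src: str                      # device address
    dst_ip: str
    dport: int
    proto: str                    # "tcp" or "udp"
    dst_host: str | None = None   # from DNS reply or TLS SNI, if known


# Stand-in for a threat-intelligence feed of known-bad domains (constructed).
KNOWN_BAD_HOSTS = {"malware-host.invalid"}


def host_matches(host: str, allowed: set[str]) -> bool:
    """True if host equals an allowed name or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def decide(flow: Flow, policy: DevicePolicy,
           bad_hosts: set[str] = KNOWN_BAD_HOSTS) -> tuple[str, str]:
    """Return ("ALLOW"|"DENY", reason). Block-list is checked first so a
    bad host under an otherwise allowed domain is still denied; anything
    not explicitly permitted falls through to DENY."""
    if flow.dst_host and host_matches(flow.dst_host, bad_hosts):
        return "DENY", f"known-bad destination {flow.dst_host}"
    if policy.allow_dns and flow.proto == "udp" and flow.dport == 53:
        return "ALLOW", "dns to resolver"
    if flow.dst_host and host_matches(flow.dst_host, policy.allowed_hosts):
        return "ALLOW", f"vendor host {flow.dst_host}"
    dst = ip_address(flow.dst_ip)
    for net in policy.allowed_nets:
        if dst in ip_network(net):
            return "ALLOW", f"allowed network {net}"
    return "DENY", "destination not on device allow-list"


def blocklist_only(flow: Flow, bad_hosts: set[str] = KNOWN_BAD_HOSTS) -> str:
    """The weaker control on its own: deny only what the feed already knows."""
    if flow.dst_host and host_matches(flow.dst_host, bad_hosts):
        return "DENY"
    return "ALLOW"


def audit(flows: list[Flow], policies: dict[str, DevicePolicy]):
    """Evaluate each flow against its source device's policy; unknown sources are denied."""
    results = []
    for f in flows:
        pol = policies.get(f.src)
        if pol is None:
            results.append((f, "DENY", "unknown device"))
            continue
        verdict, reason = decide(f, pol)
        results.append((f, verdict, reason))
    return results


# Constructed sample: one camera on the IoT segment and six observed flows.
CAMERA = DevicePolicy(
    name="front-door-camera",
    allowed_hosts={"cloud.camera-vendor.invalid"},
    allowed_nets=["198.51.100.0/24"],   # vendor NTP/firmware range (constructed)
)
POLICIES = {"192.168.50.10": CAMERA}

SAMPLE_FLOWS = [
    Flow("192.168.50.10", "192.168.50.1", 53, "udp"),
    Flow("192.168.50.10", "198.51.100.20", 443, "tcp", "api.cloud.camera-vendor.invalid"),
    Flow("192.168.50.10", "198.51.100.7", 123, "udp"),
    # the iframe's destination: on the feed, caught by both controls
    Flow("192.168.50.10", "203.0.113.9", 80, "tcp", "malware-host.invalid"),
    # a backdoor calling home by bare IP: only the allow-list's default-deny catches it
    Flow("192.168.50.10", "203.0.113.77", 4444, "tcp"),
    Flow("192.168.50.99", "198.51.100.20", 443, "tcp"),   # device with no policy
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS, POLICIES):
        print(f"{verdict:5} {flow.src} -> {flow.dst_ip}:{flow.dport} ({reason})")
```

On a real home router the equivalent is a per-device firewall rule set on the IoT VLAN with a default drop, which is exactly the part most consumer routers do not expose.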

But while companies have the technical ability to control their perimeter, consumers typically do not. Only the savviest of home users would be aware of the concept of a perimeter, ‘bad IP lists’, or even what ‘whitelisting’ means. Until such routers and processes are automated by manufacturers, consumers are potentially at risk from any IoT device they buy from any supplier.

While this incident involving IoT cameras may be more of a consumer-focused threat, malware has been found targeting businesses through embedded devices in the past. One example was in July 2014, when threat actors were found using sophisticated malware installed on handheld scanners to target shipping and logistics organizations around the world. When analyzing the attack, researchers at TrapX traced it back to a Chinese company that provides hardware and software for handheld scanners used by shipping and logistics firms worldwide to inventory the items they handle.

Related Reading: Hackers Attack Shipping and Logistics Firms Using Malware-Laden Handheld Scanners

Related Reading: Don’t Forget to Manage Supply Chain Risk

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
