Security researcher Mike Olsen’s recent discovery of a malicious iFrame in the embedded control code of a set of security cameras purchased from Amazon highlights one of the emerging threats to the internet of things: it is relatively easy to poison the consumer supply chain.
Olsen discovered a link to a known malicious domain. Quite correctly he wrote to the supplier and warned that he would have to inform Amazon, with a view to having the product removed from sale. Olsen did not suggest that either Amazon or the supplier were at fault, only that he had found a problem.
But the supplier is adamant the fault is not his. “NONE of our cameras, software or websites have ANY spyware, viruses or anything of that sort,” he told SecurityWeek in a written response. “We utilize three inhouse spyware programs in addition to an external company we hire to perform a scan of our systems on a weekly basis. In addition, out of the 200+ cameras we have sold this year (we are a small business with 3 employees), NONE have had any issues even close to what Mike addresses.”
The Amazon link to the cameras (it has now been removed or changed) was: http://www.amazon.com/Sony-Chip-Camera-1080P-CCTV/dp/B00YMEVSGA.
SecurityWeek asked Sony for a comment on the issue. Sony responded, saying that “The cameras mentioned in the article are not Sony products however they do apparently use Sony components according to the product description, specifically the CMOS sensor chip to capture the image…” So Sony is not involved.
Nevertheless, the malicious code was there. Consider this hypothesis: a bad guy buys an IoT device from an Internet supplier; he tampers with it and returns it. Since it is apparently unused, the supplier could, either by accident or practice, return it straight to inventory – and the next customer – who may not have Olsen’s ability to inspect and evaluate code – receives and uses a compromised device.
This may already be happening. We don’t know, because existing consumer security is unlikely to detect a compromised IoT device. SecurityWeek spoke to Sean Sullivan, a security researcher with F-Secure.
“In this scenario,” said Sullivan, “I don’t think you’d call it ‘malware’. Rather, the firmware of the device has been altered, probably to include a backdoor. Traditional AV isn’t going to have visibility in this case.”
David Soria, a security engineer with iTrust France, confirmed this view. “What should be highlighted here is that there is a substantial gap between the traditional security tools your average Joe uses and the huge amount of new malware strains being created. While antivirus remains the preferred tool for basic protection, it is limited to perimeter-recognition. What does that mean? Simply put, once an unknown threat makes its way onto your new connected device, there is no way for your antivirus to even recognize its existence.”
Protecting the perimeter remains the only solution. Sullivan added, “A smart router with an intelligent firewall could be an answer. Either by blocking the backdoor connection to a known bad IP, or by limiting the device traffic to a white list that matches the device vendor.”
But while companies would have the technical ability to control their perimeter, consumers typically do not. Only the savviest of home users would be aware of the concept of a perimeter, ‘bad IP lists’, or even what ‘whitelisting’ means. Until such routers and processes can be automated by the manufacturers, consumers are potentially at risk from any IoT device they buy from any supplier.
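As an added illustration of the router policy Sullivan describes (a per-device vendor allowlist combined with a known-bad IP blocklist), the following Python evaluates constructed router flow records for a camera; it is example code written for this article's scenario, not from SecurityWeek, F-Secure or any camera vendor, and every address, device name and the log format are assumptions.

```python
import ipaddress

# Constructed policy table (hypothetical addresses from RFC 5737 test ranges):
# each IoT device may reach only its vendor's hosts and the local resolver.
VENDOR_ALLOWLIST = {
    "camera-01": [ipaddress.ip_network("203.0.113.0/24"),   # vendor cloud (constructed)
                  ipaddress.ip_network("192.168.1.1/32")],  # home router / DNS
}

# Constructed stand-in for a threat-intelligence feed of known-bad addresses.
KNOWN_BAD = {ipaddress.ip_address("198.51.100.7")}

# Constructed router flow log, one "key=value" record per line.
SAMPLE_FLOWS = """\
device=camera-01 src=192.168.1.50 dst=203.0.113.10 dport=443
device=camera-01 src=192.168.1.50 dst=192.168.1.1 dport=53
device=camera-01 src=192.168.1.50 dst=198.51.100.7 dport=8080
device=camera-01 src=192.168.1.50 dst=192.0.2.44 dport=4444
""".splitlines()


def parse_flow(line):
    """Turn 'k=v k=v ...' into a dict; malformed records raise ValueError."""
    fields = dict(part.split("=", 1) for part in line.split())
    for key in ("device", "src", "dst", "dport"):
        if key not in fields:
            raise ValueError(f"missing {key!r} in flow record: {line}")
    return fields


def evaluate_flow(line):
    """Return (device, dst, verdict) for one record. Precedence: blocklist hit,
    then unknown device (default deny), then allowlist match, else deny."""
    rec = parse_flow(line)
    dst = ipaddress.ip_address(rec["dst"])
    if dst in KNOWN_BAD:
        verdict = "block-known-bad"            # the backdoor call-home case
    elif rec["device"] not in VENDOR_ALLOWLIST:
        verdict = "block-unknown-device"       # no policy: deny by default
    elif any(dst in net for net in VENDOR_ALLOWLIST[rec["device"]]):
        verdict = "allow"
    else:
        verdict = "block-not-allowlisted"      # outside the vendor's hosts
    return rec["device"], rec["dst"], verdict


def evaluate_flows(lines):
    """Evaluate every record; returns a list of (device, dst, verdict)."""
    return [evaluate_flow(line) for line in lines]


if __name__ == "__main__":
    for device, dst, verdict in evaluate_flows(SAMPLE_FLOWS):
        print(f"{device} -> {dst}: {verdict}")
```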
While this incident involving IoT cameras may be more of a consumer-focused threat, malware has been found targeting businesses through embedded devices in the past. One example was in July 2014, when threat actors were found using sophisticated malware installed on handheld scanners to target shipping and logistics organizations from all over the world. When analyzing the attack, researchers at TrapX traced it back to a Chinese company that provides hardware and software for handheld scanners used by shipping and logistics firms worldwide to inventory the items they’re handling.