Businesses and consumers have a right to know the security posture of devices connected to the internet making up the internet of things (IoT) – and manufacturers should be held accountable.
That is the view of security researchers at Barracuda Networks who examined an internet-connected security camera to illustrate the growing security threat of IoT credential compromise.
The study shows that vulnerabilities in the web and mobile applications of IoT devices can be exploited to steal credentials and compromise the associated devices.
Without any direct connection to the device itself, the team was able to identify multiple vulnerabilities in the camera’s web app and mobile app ecosystem.
This threat could affect other types of IoT devices, the researchers said, because it takes advantage of the way the device communicates with the cloud.
For this reason, Barracuda believes IoT products should be scored constantly and their security posture published in the same way as motor vehicle safety ratings are, to enable businesses and consumers to make informed decisions when choosing products.
The researchers note that although improvements have been made in response to concerns about the security risks of IoT devices, vulnerabilities remain.
In particular, the Barracuda Labs team highlighted the threat of IoT credential compromise by showing that attackers could use vulnerabilities in the web applications and mobile applications used by certain IoT devices to acquire credentials, which can then be used to view the video feed, set/receive/delete alarms, remove saved video clips from cloud storage, and read account information.
Attackers can also use the credentials to push their own firmware update to the device, changing its functionality and using the compromised device to attack other devices on the same network.
The main vulnerabilities identified by the researchers included:
- Mobile app ignored server certificate validity.
- Cross-site scripting (XSS) attacks were possible in the web app.
- File directory traversal was possible in a cloud server.
- User controls device update link.
- Device updates are not signed.
- Device ignores server certificate validity.
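The update-related findings in this list map to two device-side checks: accept an update link only from a pinned vendor host, and install an image only if it carries a valid vendor signature. The following is an added example, not code from Barracuda or the camera supplier; the host name, function names and the use of Ed25519 are assumptions, and the key pair and firmware bytes are constructed sample data.

```javascript
const crypto = require('node:crypto');

// Assumption: the only host the device may fetch firmware from (hypothetical name).
const ALLOWED_UPDATE_HOSTS = new Set(['updates.vendor.example']);

// Reject any update link that is not HTTPS on a pinned vendor host.
function isTrustedUpdateUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return false; // not a parseable URL
  }
  return url.protocol === 'https:' &&
    url.username === '' && url.password === '' &&
    ALLOWED_UPDATE_HOSTS.has(url.hostname);
}

// Accept only if the link is trusted AND the image carries a valid vendor signature.
function checkUpdate(updateUrl, image, signature, vendorPublicKey) {
  if (!isTrustedUpdateUrl(updateUrl)) return 'rejected: untrusted update link';
  let valid = false;
  try {
    // Ed25519 takes no separate digest algorithm, hence the null first argument.
    valid = crypto.verify(null, image, vendorPublicKey, signature);
  } catch (err) {
    valid = false; // malformed signature or key
  }
  return valid ? 'accepted' : 'rejected: bad signature';
}

// Constructed sample data: a throwaway key pair stands in for the vendor's signing key.
const vendorKeys = crypto.generateKeyPairSync('ed25519');
const sampleImage = Buffer.from('constructed firmware image 1.0.1');
const sampleSignature = crypto.sign(null, sampleImage, vendorKeys.privateKey);
```

On a real device the public key would be provisioned in read-only storage at manufacture, and the private key would never leave the vendor's signing infrastructure.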
If an attacker can intercept traffic to the mobile app by using a compromised or hostile network, they can easily acquire the user password, the researchers warned.
When a victim connects to a compromised/hostile network with a mobile phone, the connected camera app will try to connect to the supplier’s servers over HTTPS. The hostile/compromised network will route the connection to the attacker’s server, which will use its own SSL certificate to proxy the communication to the supplier’s server. The attacker’s server now holds an unsalted MD5 hash of the user password. The attacker can also tamper with the communication between the supplier’s server and the app.
Acquiring credentials from the web app relies on functionality that allows users to share device access to the connected camera with other users. To share a device, the receiver needs to have a valid account with the IoT supplier, and the sender needs to know the receiver’s username, which happens to be an email address. The attacker will then embed an XSS exploit in a device name and then share that device with the victim.
Once the victim logs into his account using the web app, the XSS exploit will execute and share the access token (which is stored as a variable on the web app) with the attacker. With that access token, the attacker can access the victim’s account and all its registered devices.
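The web app weakness described above comes down to a device name set by one user being rendered as markup in another user's session. The following added example, which is not the supplier's code, shows that rendering pattern beside a hardened version that validates the name when it is set and encodes it on output; the function names and the naming policy are assumptions, and the sample names are constructed.

```javascript
// Vulnerable pattern: a device name chosen by another user is concatenated into markup.
function renderDeviceUnsafe(device) {
  return '<li class="device">' + device.name + '</li>';
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text break out of an HTML text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened rendering: the name is always treated as text, never as markup.
function renderDeviceSafe(device) {
  return '<li class="device">' + escapeHtml(device.name) + '</li>';
}

// Assumed naming policy, enforced server-side when a device is named or shared.
const DEVICE_NAME_RE = /^[\p{L}\p{N} _.'-]{1,64}$/u;

function isValidDeviceName(name) {
  return typeof name === 'string' && DEVICE_NAME_RE.test(name);
}

// Render a list of shared devices: drop names that break policy, encode the rest.
function renderSharedDevices(devices) {
  return devices
    .filter((d) => isValidDeviceName(d.name))
    .map((d) => renderDeviceSafe(d))
    .join('\n');
}

// Constructed sample data: one ordinary name and one benign markup test string.
const sampleDevices = [
  { name: "Anna's front door" },
  { name: '<script>alert(1)</script>' },
];
```

Output encoding is the primary control here. Keeping the session token in an HttpOnly cookie rather than in a script-readable variable further limits what an injected script can read.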
Through this research, the Barracuda Labs team managed to compromise the internet-connected camera without any direct connection to the device itself.
This makes life easier for attackers, the researchers said. There is no longer any need to scan the Shodan search engine for vulnerable devices because the attack will be performed against the supplier’s infrastructure.
The researchers emphasised that vulnerabilities are not inherent to products, but rather to processes, skills, and the awareness of the developers. As access and access controls for IoT devices shifted to cloud services, so did the vulnerabilities, they said, making possible the types of attack uncovered by the Barracuda Labs team.
According to the researchers, suppliers creating IoT products and services need to protect all aspects of the applications used to run those devices, which include sensors distributed in offices, homes and schools, making them potential entry points for attackers.
The researchers said that a web application firewall – one of the most critical protections IoT suppliers need to put in place – is designed to protect servers from HTTP traffic at layer 7 (the application layer). Manufacturers also need to ramp up protection against network layer attacks and phishing, they said.
Cloud security is also important, the researchers said, because it provides visibility, protection and remediation of IoT applications and the infrastructures they run on. The potential for lateral-movement exposure is large and complex, so taking proper security precautions is key, the researchers said.
When buying an IoT device, the researchers said businesses and consumers need to think about security, as well as convenience and price. They recommend that buyers:
Research the device manufacturer
A few companies that produce IoT devices understand software security. Most are either existing companies whose expertise lies in making the physical products that are being connected, or startups trying to bring devices to market as quickly as possible. In both cases, proper software and network security measures are often overlooked, the researchers said.
Look for existing vulnerabilities in a supplier’s other devices
If one device has a vulnerability, the researchers said it is likely other devices with similar features from the same company are also vulnerable. Ultimately, a supplier that has a history of secure devices is likely to build secure devices going forward.
Evaluate responses to past vulnerabilities
If a supplier is responsive to people reporting a vulnerability and quickly resolves it with a firmware update, it bodes well for its outlook on security and future products it makes, the researchers said.
They note that, unfortunately, the amount of information available about the security posture of IoT devices is astonishingly low. “Ideally, we need to get a world where IoT products are all scored with a safety rating,” they said.
Underlining the IoT security risk to business, digital security firm Gemalto published a survey earlier this month showing that only 48% of European firms can detect when any of their internet-connected devices have been breached. In the UK, this figure drops to 42%, the second lowest in Europe after France, where only 36% of companies polled said they can detect if any of their IoT devices suffers a breach.
Commenting on the survey findings, Jason Hart, CTO of data protection at Gemalto, said that with no consistent regulation guiding the industry, it is no surprise that the threats and the vulnerability of businesses are increasing.
“This will only continue unless governments step in now to help industry avoid losing control,” he said, adding that although the UK’s new Code of Practice is a good first step toward securing the IoT, it will not be truly effective until these are made mandatory and all organisations are forced to adhere to them.
In November 2018, IoT security researcher Ken Munro also called for government action at the EEMA ISSE 2018 cyber security conference in Brussels.
Like Hart, he said the UK Code of Practice is a good start, but Munro believes there is still a long way to go and he would like to see some basic regulation.