“Smart” house in terms of vulnerability: we deal with vectors and attack mechanics
While visionaries of various sizes, scriptwriters of dystopian films and hi-tech TV series and other inventors and alarmists draw various degrees of persuasiveness about the uprising of “smart” devices or the use of a smart home as a weapon of murder or terrorism, cybersecurity experts and hackers are entering a new line of contact . And we are talking about real and already (relatively) massively used devices, real vulnerabilities in them and real, tried and tested ways to use these vulnerabilities for evil purposes. That’s why and how.
A couple of years ago, at the University of Michigan, they conducted a study of a model “smart” home, during which 18 different devices were installed and connected to the Internet: a bed, lamps, locks, a TV, a coffee maker, a toothbrush, and more. One of the main objectives of the study was to identify the main vulnerabilities of intelligent home control systems. In particular, we tested products of the company with the speaking name SmartThings.
After carrying out many heterogeneous attacks on the devices of this “smart” home, experts recorded two main types of vulnerabilities: excessive permissions and unsafe messages.
In terms of excesspermissions or rights revealed quite strange and unacceptable things: about half of the installed applications have access to much more data and features than is necessary. In addition, when interacting with physical devices, applications exchanged messages that contained confidential information.
So, the application for controlling the charge level of the automatic lock also received a PIN code to unlock it. The software of some smart devices generated messages similar to real signals from physical devices. This approach gave attackers the ability to transmit false information to the network. As a result, the user, for example, could be sure that the door is locked and that it is actually open. This approach gave attackers the ability to transmit false information to the network. As a result, the user, for example, could be sure that the door is locked and that it is actually open.
In addition to excessive permissions and unsafe messages, another significant problem has been revealed - the transfer of confidential information to company servers,engaged in the technical support of these devices. That is, gadgets “followed” their hosts, sending information about their interactions with devices to the server every minute. Thanks to this information, you can restore the exact daily routine of the residents - when they woke up, they brushed their teeth, how many and which television channels they watched. For two months of researching that “smart” home, there was not a single minute of silence in the digital air. By the way, the Amazon Echo speaker is the most “phonon” of data transfer, which is quite symbolic.
Not without classics in the field of information security - backdoors.Often, developers leave for themselves a “back door”, which allows you to get full access or control over the device. Manufacturers are justified by the need to provide technical support to users, however, such creation of such intentionally created vulnerabilities is contrary to information protection practices and is a real vulnerability. The fact that almost all software manufacturers sin with this is confirmed by the following fact - at a Hope X conference, IT security expert Jonathan Zdziarski announced the presence of a backdoor in the iOS operating system, which Apple itself recognized, but called it a “diagnostic tool” ".
Obviously, many, if not all, manufacturers and components of the "smart" home leave a "back door" for themselves. Therefore, this is a potential security hole in the entire “smart” home, to any devices of which the attacker has the potential to connect.
As you can see, there are enough vulnerabilities at the hardware level or at the software level. Now let's look at how its individual components suffer from the hands of hackers.
Smart Lock Attacks
The fact that a closed door can be opened not only with a key, but, for example, using a code or a Bluetooth signal from a telephone, is no longer surprising, and many are already taking advantage of this opportunity.
But are smart locks so safe and capable of withstanding tampering as their manufacturers promise? What will happen when professional hackers take up the test of their obstruction? But here : a few years ago at the DEF CON 24 hacker conference, researchers Anthony Rose and Ben Ramsey of Merculite Security described how they attacked sixteen smart-lock models as part of an experiment. The result was pretty disappointing: only four could resist the hack.
The locks of some vendors transmitted access passwords openly, in unencrypted form. So attackers could easily intercept them using a Bluetooth sniffer. Several locks came across the method of repeated playback: the door could be manipulated using pre-recorded signals of the corresponding commands.
In the light of the spread of all kinds of voice assistants, breaking the smart lock through voice commands is becoming increasingly relevant. A few years ago it turned out , for example, that if the home gadget is close enough to the closed door, then saying “Hello, Siri, open the door” quite loudly through the door, they might let you in.
A common hacking scenario for most “smart” locks is the following: when an outsider gets physical access to the lock by pressing the buttons on it, you can authorize any gadgets.
Another interesting experimentresearchers from Pen Test Partners was dedicated to checking the security of Tapplock locks. As it turned out, they can be unlocked without the fingerprint of the owner. The fact is that unlock codes are generated based on the MAC address of the device in the BLE network. And since the address is converted using the outdated MD5 algorithm, it can easily be figured out. Since Bluetooth locks have the ability to disclose their MAC addresses by BLE, an attacker is able to find out the address, “hack” it using the MD5 vulnerability and get a hash to unlock the lock.
But Tapplock 's vulnerabilities do not end there. It turned out that the company’s API server was disclosing confidential user data.. Any outsider can learn not only about the location of the castle, but also unlock it. To do this is quite simple: you need to create an account on Tapplock, take the victim's account ID, go through authentication and take control of the device. At the same time, at the back-end level, the manufacturer does not use HTTPS. And you don’t even need any hacking or the need to brute force, because ID numbers are assigned to accounts according to an elementary growing scheme. And the berry on the cake - the API does not limit the number of calls, so you can endlessly download user data from servers. And this problem is still not resolved.
Attacks on camcorders
The public spaces of modern megalopolises are hung with cameras, like a Christmas tree with toys in a decent family. Moreover, the all-seeing eye not only receives a live picture, but also understands what is on it. Even in our country at the 2018 World Cup, the face recognition system accurately caught fans who were denied access to the stadium.
While in this way our life is deprived of any kind of privacy, it remains to wait for the attackers to pick up the keys to the "eyes" of video surveillance. And banal voyeurism will not be the only and not the main motivation of hackers to crack cameras. Often they are broken in order to create botnets used during DDoS attacks. In terms of size, such networks are often not inferior, or even surpass botnets from "ordinary" computers.
There are several reasons for the vulnerability of video cameras:
- too simple or outdated protection mechanism;
- standard passwords, often publicly available on the Internet;
- when connected to cameras via the cloud, client applications send data in unencrypted form;
- immutable master password from the manufacturer.
Often cameras attack using the man-in-the-middle method, integrating between the client and server. In this way, you can not only read and change messages, but also replace the video stream. Especially on systems where HTTPS is not supported.
For example, the camera line of one very famous manufacturer had firmware that allows you to change the camera settings using ordinary http-requests without authorization . With another vendor, the firmware of IP cameras allowed, also without authorization, to connect to the camera and receive an image in real time.
Do not forget about well-known vulnerabilities. For example, CNVD-2017-02776, penetrating through which into the camera, then using EternalBlue, you can access the user's computer. The EternalBlue exploit that exploits vulnerabilities in the SMB protocol is familiar to many: it was it that was used to spread the WannaCry ransomware in 2017 and during attacks by the Petya malware. EternalBlue was also included in Metasploit, it was used by the developers of the cryptocurrency miner Adylkuzz, the EternalRocks worm, the Uiwix ransomware, the Nitol Trojan (aka Backdoor.Nitol), the Gh0st RAT malware, etc.
Attacks on sockets and bulbs
It happens that misfortune comes from where you do not expect it. It would seem a trifle, light bulbs and sockets, what could be the benefit for attackers? As a joke, turn off the system unit until you click the Save button in your favorite computer game? Or turn off the light in the room where you are with the “smart” water closet?
However, the fact that light bulbs and sockets are on the same local network with other devices gives hackers a chance to get some pretty secret information. Let's say your home is lit by Philips Hue smart bulbs. This is a fairly common model. However, there was a gap in the Hue Bridge through which light bulbs communicate with each other. And there were cases when through this vulnerability attackers could remotely take control of lamp operation.
Recall that Philips Hue have access to the home network, where they “walk” packages with various confidential information. But how to fetch it out if the other components of our network are reliably protected?
Philips Hue ZigBee-controlled LED bulbs
Source Sho Hashimoto / Wikimedia
Hackers have done it this way. They made the bulb flicker with a frequency of over 60 Hz. A person does not notice this, but the device outside the building is able to recognize flicker sequences. Of course, you don’t “intend” a lot in this way, but to transfer any passwords or identifiers is enough. As a result, secret information was copied.
In addition, Philips did not take care of enhancing protection when communicating light bulbs with each other on a local network, limiting themselves only to the use of an encrypted wireless protocol. Because of this, attackers could launch a fake software update on the local network, which then spills over all the lamps. Thus, the worm will be able to connect the lamps to DDoS attacks.
Smart sockets are also susceptible to attacks. For example, in the Edimax model SP-1101W, only the username and password were used to protect the settings page, and the manufacturer did not offer to change the default data. This leads to suspicions that the same passwords were used on the vast majority of devices of this company (or are used to this day). Add to this the lack of encryption when exchanging data between the manufacturer’s server and the client application. This can lead to the attacker being able to read any messages or even take control of the device for, for example, connecting to DDoS attacks.
Smart TV Attacks
Another threat to the safety of our personal data lies in “smart” TVs. They now stand in almost every home. Moreover, the TV software is much more complicated than that of cameras or locks. Therefore, hackers have room to roam.
Let's say there is a webcam, a microphone, and also a web browser on smart TV, where would it be without it? How in this case can attackers harm? They can take advantage of banal phishing: built-in TV browsers are usually poorly protected, and you can slip fake pages to the user, collecting passwords, information about bank cards and other confidential data.
Another, literally, security hole is the good old USB. They downloaded the video or application on the computer, then stuck the USB flash drive into the TV - here's the infection.
Who may need to know what shows the user is watching and which sites he is visiting? Many to whom, in fact. Analysts of large corporations, consulting and advertising companies, for example. And this information costs decent money, so even manufacturers do not disdain to build applications in their products to collect your statistics.
The threat here is that the user data can go "to the left" and get to the attackers. For example, an apartment thief finds out that from 9 am to 6 pm no one is at home, as the owners of the TV have a steady habit of turning it on while at home. Accordingly, you need to disable in the settings the collection of unnecessary information and other activity logging.
And such bookmarks, as you know, are additional breaches for penetration. The story of Samsung TVs is known: users complained that the built-in voice recognition system allows you to monitor all their conversations . The manufacturer even indicated in the user agreement that the words spoken in the presence of the TV can be transferred to a third party.
Conclusions and recommendations for protection
As you can see, when creating a smart home system, you should be extremely attentive to the components and their vulnerabilities. All devices connected to the system are in one way or another at risk of hacking. The installers and administrators, as well as advanced users of such systems, can be advised of the following:
- carefully study all the features of the device: what it does, what permissions it has, what information it receives and sends - turn off all unnecessary;
- regularly update firmware and firmware;
- Use complex passwords wherever possible, enable two-factor authentication;
- to control smart gadgets and systems, use only those solutions that vendors offer themselves - this does not guarantee the absence of gaps, but at least reduces the likelihood of their occurrence;
- close all unused network ports, and protect open ones with standard authorization methods through standard operating system settings; login through the user interface, including with web access, must be secured using SSL;
- A smart device must be protected from physical access by outsiders.
For less experienced users, the recommendations are:
- do not trust the devices with which you control the “smart home” to strangers - if you have lost a smartphone or tablet, change all usernames, passwords, IDs and other things that can be extracted using a lost gadget;
- phishing does not snooze: as in the case of email and instant messengers, trust messages from strangers and obscure links less.