After years of warnings from security experts, the inherent insecurity of IoT devices was exploited in mass fashion in a series of DDoS attacks during the fall of 2016. In the largest of these attacks, legions of malware-infected IoT devices were employed in an assault on US service provider Dyn, bringing down Twitter, Spotify, and a host of other services depending on Dyn. During the previous month, a similar assault had been made on security journalist Brian Krebs’ site.
Until the autumn attacks, and with some exceptions, IoT exploitation scenarios had been more discussion fodder than reality. Would a hacker take control of the office thermostat and demand a ransom payment to turn down the sweltering heat? Could the fridge in your break room be used as an entry point to invade your company network? What’s more attractive to miscreants: the device itself, or the server behind it where the data is stored?
The recent DDoS events will surely add resolve to the European Commission’s proposal to enact a product labeling system for IoT devices that are deemed “secure.” The idea is to make not only buyers mindful of security, but more importantly manufacturers, who are dismally lacking incentives to make their devices secure. Whether product labeling accomplishes this goal, however, remains to be seen.
Unfortunately, as exemplified by the recent case of a compromised digital video recorder (DVR) investigated by F-Secure Cyber Security Services, this incentive deficit is not limited to the makers of cheapo devices.
The case of the haunted DVR
The head of a venture capital investment firm had installed a high-end DVR (retailing at around $1000), as part of a multi-camera security system for homes and small offices. He integrated it with the rest of his security system according to the manual’s instructions and protected the device with a proper password.
One of his security cameras pointed toward his workspace and computer monitor. Two events alerted the exec to the possibility that his DVR had been compromised. First, the box’s lights were actively blinking at times when it should have been quiet. Second, when he tried to invest in certain firms, he was consistently getting outbid. He began to wonder if someone was getting an inside peek at his bids by viewing his computer monitor via the security cam footage.
Our CSS team’s investigation revealed that his suspicions were correct: the device had indeed been compromised. A vulnerability in the box had allowed a hacker to change the password remotely over the Internet, without knowing the existing password, and to download stored content from the device. Our investigation led us to Russian language forums where this particular vulnerability was being discussed.
Who hacked the DVR box, and why? We can’t say for certain; attribution is both difficult and dangerous. We also don’t know if the suspicious outbidding was a mere coincidence.
We reached out to the maker of the DVR box. When provided with details of this vulnerability, they were uninterested in taking steps to correct it. The particular model is no longer on the market, and a newer model exists – but that’s not to say the newer model doesn’t also have the same flaw.
Money can’t buy everything
The case illustrates that in today’s market dynamic, sadly, paying more doesn’t mean a product is more secure – it only means it has more features. While purchasers of high-end IoT products may consider themselves secure, such an expectation is only a myth.
Until connected things adequately address the security challenges they face, users would do well to consider the tradeoffs of their devices being online. In the case of a DVR, Internet connectivity allows the owner to view their premises remotely, through an app – but it also opens up the risk of the device getting owned and working at the behest of an attacker.
Do you own an IoT device in your corporate environment? Here’s a handy list of what both IoT manufacturers and owners of IoT devices can do to improve security.
This article was adapted from our recent report, The State of Cyber Security 2017. Read more about cyber security trends and topics when you download the full report here.