Looking For Vulnerable IoT Devices

If you keep tabs on major vulnerability discovery reports or follow the new findings security researchers unearth at popular conferences such as Black Hat or Defcon, it may seem that everything is online and easily hackable these days. Moreover, analysts often stress that it does not take advanced skills or special high-end gear to pull off such a compromise. Let’s try to figure out whether this is true.
 
A Plethora Of Potential Targets

According to Statista, the size of the IoT market reached $330 billion in 2019. The total number of internet-facing smart devices is expected to exceed 38 billion in 2020 and will double by 2025. Furthermore, researchers claim the number is going to jump to about 125 billion by 2030.
 
It appears that the global production volume is likely to live up to the predictions. The current jaw-dropping IoT growth is mostly attributed to the releases of inexpensive Chinese smart devices.

Unfortunately, security is hardly ever the first priority of their manufacturers.
 
Numerous mainstream components of connected homes, and even smart security systems, are notoriously unsafe to use because of gaping holes in their firmware and feature implementation. Some of these flaws span entire ranges of IoT appliances rather than a single series of devices made by one vendor that doesn’t take security seriously. The imperfections usually stem from the following flagrant, large-scale violations of secure development fundamentals.

  • Hard-coded default admin credentials, at best obfuscated rather than removed, and shared by every unit shipped.
  • Massive reuse of easy-to-guess access keys and PINs across devices.
  • Lack of access control on anything but the login page: a client that requests a settings page directly (for instance /settings.asp while bypassing /index.html) or pulls a snapshot or video stream straight from a surveillance camera (such as /axis-cgi/jpg/image.cgi) is never asked to authenticate.
  • Crude input handling that leads to a buffer overflow, which can become a launchpad for arbitrary code execution once the device receives a malicious TCP packet.
  • Protocol downgrade: the server can be talked into an old protocol version simply because the client asks for it (“I’m an obsolete chunk of metal, so let’s play simple”).
  • A slew of other common flaws and instances of deliberately loosening the security measures for the sake of user experience and easy customization, including remote changes to settings without proper authentication. 
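To make the first and third items concrete, here is an added example (not code from the article or from any vendor) of a firmware-style web handler modelled as a pure function, in a vulnerable and a hardened variant. The vulnerable one ships with a baked-in credential and only guards the landing page, so /settings.asp and the camera snapshot are served to anyone who requests them directly; the hardened one denies by default, stores a per-unit salted password hash and checks it in constant time. The paths, the credential, the cookie scheme and the response bodies are illustrative assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example, not the article's code: a firmware-style web handler modelled
# as a pure function so the access-control decision can be exercised offline.
# Paths, credentials and the cookie scheme are illustrative assumptions.


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    auth: tuple | None = None  # (username, password) from HTTP Basic auth


# ---- vulnerable variant -------------------------------------------------
# One credential baked into the firmware image and shared by every unit sold.
BAKED_IN_CREDS = ("admin", "admin")


def vulnerable_handle(req: Request) -> tuple[int, str]:
    """Only the landing page checks credentials; any other path can be
    requested directly, so the settings page and the camera snapshot are
    served to anyone who knows the URL."""
    if req.path == "/index.html":
        if req.auth != BAKED_IN_CREDS:
            return 401, "login required"
        return 200, "dashboard"
    if req.path == "/settings.asp":
        return 200, "wifi_psk=...; admin_pw=..."
    if req.path == "/axis-cgi/jpg/image.cgi":
        return 200, "<jpeg bytes>"
    return 404, "not found"


# ---- hardened variant ---------------------------------------------------
PUBLIC_PATHS = {"/login.html"}  # allowlist; every other path is private


class Device:
    """Per-unit credential store: salted PBKDF2 hash set by the owner at
    first boot, plus the set of live session tokens."""

    def __init__(self, username: str, password: str):
        self.username = username.encode()
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.sessions: set[str] = set()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, username: str, password: str) -> bool:
        # Evaluate both comparisons in constant time and without
        # short-circuiting, so timing does not reveal which part was wrong.
        user_ok = hmac.compare_digest(self.username, username.encode())
        pw_ok = hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)
        return user_ok & pw_ok

    def login(self, username: str, password: str) -> str | None:
        if not self.check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token


def hardened_handle(dev: Device, req: Request) -> tuple[int, str]:
    """Deny by default: every path outside PUBLIC_PATHS requires a session
    token that the device itself issued."""
    if req.path not in PUBLIC_PATHS:
        cookie = req.headers.get("Cookie", "")
        token = cookie[len("session="):] if cookie.startswith("session=") else ""
        if token not in dev.sessions:
            return 401, "login required"
    if req.path == "/login.html":
        return 200, "login form"
    if req.path == "/settings.asp":
        return 200, "wifi_psk=...; admin_pw=..."
    if req.path == "/axis-cgi/jpg/image.cgi":
        return 200, "<jpeg bytes>"
    return 404, "not found"


if __name__ == "__main__":
    snapshot = Request("/axis-cgi/jpg/image.cgi")
    print(vulnerable_handle(snapshot))  # (200, '<jpeg bytes>') with no credentials at all
    dev = Device("owner", "correct horse battery staple")
    print(hardened_handle(dev, snapshot))  # (401, 'login required')
    tok = dev.login("owner", "correct horse battery staple")
    print(hardened_handle(dev, Request(snapshot.path, {"Cookie": f"session={tok}"})))  # (200, '<jpeg bytes>')
```

The point of the hardened variant is the allowlist: the question "does this path need a login?" is answered once, before any route is matched, rather than being left to each page to remember. A real device would also force a password change at first boot and rate-limit login attempts; both are outside this snippet.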

Ways Of Searching For Vulnerable Connected Devices
 
Security experts have devised plenty of techniques to pinpoint easy-to-compromise devices, and the opportunistic creators of botnets have already weaponized the most effective ones. On a side note, if botnet authors lean heavily on a specific vulnerability, that flaw is evidently well suited to mass exploitation in the real world.
 
When scouring the Internet of Things for weak links, some black hats focus on vulnerabilities in firmware, including bugs found by reverse-engineering its code. Another tactic is to narrow the search down to the vendor: the first three octets of a MAC address (the OUI) identify the manufacturer, so a simple lookup reveals it. Bear in mind that a MAC address is only visible on the local network segment, so over the internet this works only where the device leaks it in a banner or a discovery response. Others use the OS build as their criterion, since most devices announce it in their ordinary network responses to search-engine crawlers.
 
In any of these scenarios, a white hat or black hat needs some distinctive characteristic of a vulnerable device, and a few such hallmarks make the search considerably more effective and accurate.

Here is a “classic” process of spotting unsecured IoT devices.
 
The starting point is to query a vulnerability database, such as MITRE’s CVE list or Rapid7’s vulnerability database, for known loopholes in specific IoT products. The following types of vulnerabilities tend to yield the best results in terms of exploitation:  

  • Flaws discovered after the manufacturer ended support for the device and stopped releasing patches.
  • Recent imperfections that haven’t been patched yet. Even when a fix is already available, it takes many users quite a while to install the update.
  • Architectural loopholes that cannot be fully addressed through patches and hardly ever vanish from the radar completely. The multi-pronged Meltdown and Spectre CPU flaws are a case in point: they live in the processor’s speculative execution design, so software can only mitigate them, and they are still making themselves felt in the security ecosystem.
  • Overarching bugs that affect a number of different models or types of devices because of a shared web interface component or a flaw in a common communication protocol.  

The next step is to do your homework and examine the details of the vulnerabilities you found and the devices they apply to. Peruse all the documentation in search of unique features and fragments of shoddy code. At this point your goal is to single out the characteristics that make the target device stand out from the crowd of similar ones, such as a specific OS version string in the device’s network response or an uncommon open port it may be using.
 
Now you need to craft advanced search queries for Google (so-called Google dorks) and for the popular IoT search engines, Shodan and Censys among them.  

To keep wannabe hackers at bay, I will omit the IP addresses of vulnerable systems as well as some details and queries that would let someone find low-hanging fruit with a single click. With that said, the clues are in plain sight: all it takes to find them is scrutinizing a vulnerability description and adding a couple of search filters.
 
By the way, Shodan and Censys have some mechanisms in place to fend off ill-minded researchers. Unregistered users see only the first few search results, are limited in the number of daily queries, and cannot use the filters needed to refine a search. These are effective countermeasures because the most telling results usually sit beyond the first hundred entries, or further down still.
 
Some analysts use scripts to automate their search for IoT devices that meet certain criteria. Both ready-made and custom scripts go through the Shodan and Censys APIs, which only registered users holding an API key can call.
 
Next, verify the targets listed in the search results and narrow them down with extra queries where necessary. Additional filtering is almost always needed, which is where scripts that parse the results earn their keep.
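The steps above, from hallmarks to query to filtered list, as an added example that is not the article’s own code. Real banners would come from Shodan’s host-search API, which requires a registered account and an API key; to run offline, the block embeds a constructed sample that mimics Shodan’s banner fields (ip_str, port, product, version, os, data) and uses RFC 5737 documentation addresses. The product name, the advisory it is supposedly affected by, the fixed version and the OUI-to-vendor entry are all invented for illustration.

```python
from __future__ import annotations

import json
import re

# Added example, not the article's code. Real banners would come from Shodan's
# host-search API (registered users with an API key); SAMPLE_RESULTS is a
# constructed stand-in that mimics the relevant fields. IPs are RFC 5737
# documentation addresses; the product, OUI table and advisory are invented.
SAMPLE_RESULTS = json.dumps({"matches": [
    {"ip_str": "192.0.2.10", "port": 81, "product": "ExampleCam httpd", "version": "1.3.2",
     "os": None, "data": "HTTP/1.1 200 OK\r\nServer: ExampleCam httpd 1.3.2\r\n"
                         "X-Device-MAC: 00:11:22:aa:bb:cc\r\n\r\n"},
    {"ip_str": "192.0.2.10", "port": 81, "product": "ExampleCam httpd", "version": "1.3.2",
     "os": None, "data": "HTTP/1.1 200 OK\r\nServer: ExampleCam httpd 1.3.2\r\n\r\n"},  # re-crawl
    {"ip_str": "192.0.2.11", "port": 81, "product": "ExampleCam httpd", "version": "2.0.0",
     "os": None, "data": "HTTP/1.1 200 OK\r\nServer: ExampleCam httpd 2.0.0\r\n\r\n"},
    {"ip_str": "198.51.100.5", "port": 80, "product": "Apache httpd", "version": "2.4.41",
     "os": "Linux", "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\n\r\n"},
    {"ip_str": "203.0.113.7", "port": 81, "product": None, "version": None, "os": None,
     "data": "HTTP/1.1 401 Unauthorized\r\n"
             "WWW-Authenticate: Basic realm=\"ExampleCam httpd 1.2.9\"\r\n"
             "X-Device-MAC: 00:11:22:01:02:03\r\n\r\n"},
]})

# Hypothetical OUI (first three MAC octets) -> vendor table. The authoritative
# source is the IEEE MA-L registry; this entry is made up for the example.
OUI_VENDORS = {"00:11:22": "ExampleCam Ltd (hypothetical)"}

# Hallmarks taken from the (invented) advisory: the affected server string,
# the version that fixed the bug and the uncommon port the service listens on.
FINGERPRINT = {
    "product": "ExampleCam httpd",
    "fixed_in": (1, 4, 0),
    "port": 81,
    "version_re": re.compile(r"ExampleCam httpd (\d+)\.(\d+)\.(\d+)"),
}

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)


def build_query(fp: dict) -> str:
    """Turn the hallmarks into a Shodan search string using its product:/port: filters."""
    return f'product:"{fp["product"]}" port:{fp["port"]}'


def extract_version(match: dict, version_re: re.Pattern) -> tuple[int, ...] | None:
    """Prefer the parsed version field; fall back to the raw banner, which is
    where the version hides when the crawler could not classify the service."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", match.get("version") or "")
    m = m or version_re.search(match.get("data") or "")
    return tuple(int(x) for x in m.groups()) if m else None


def vendor_from_banner(data: str) -> str | None:
    """OUI lookup on a MAC address the device happens to leak in its banner."""
    m = MAC_RE.search(data)
    return OUI_VENDORS.get(m.group(1)[:8].lower()) if m else None


def filter_results(raw_json: str, fp: dict) -> list[dict]:
    """Keep banners that match every hallmark and run a version older than the
    fix, one entry per IP; everything else is the partial-match noise the
    search engine returns alongside real hits."""
    seen: set[str] = set()
    hits = []
    for m in json.loads(raw_json)["matches"]:
        banner = m.get("data") or ""
        if m.get("port") != fp["port"]:
            continue
        if fp["product"] not in (m.get("product") or "") and fp["product"] not in banner:
            continue
        ver = extract_version(m, fp["version_re"])
        if ver is None or ver >= fp["fixed_in"]:
            continue
        if m["ip_str"] in seen:
            continue
        seen.add(m["ip_str"])
        hits.append({"ip": m["ip_str"], "port": m["port"],
                     "version": ".".join(map(str, ver)),
                     "vendor": vendor_from_banner(banner)})
    return hits


if __name__ == "__main__":
    print(build_query(FINGERPRINT))  # product:"ExampleCam httpd" port:81
    for hit in filter_results(SAMPLE_RESULTS, FINGERPRINT):
        print(hit)
```

Of the five constructed banners, only two survive: the Apache host fails the port test, the 2.0.0 unit is already patched, and the re-crawled duplicate is collapsed into the first entry. The 401 banner is the interesting case: the crawler could not name the product, so the version has to be pulled from the raw banner, which is exactly the kind of partial match that makes raw search-engine hit counts misleading.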
 
It’s usually no big deal to put together the toolkit for connecting to the discovered IoT devices: an ordinary web browser does the trick in most cases. To keep remote control of video surveillance cameras and DVRs, you may need a legacy version of the Java Runtime Environment (JRE) for the management applet along with a specific video codec. In some scenarios you will need Telnet and SSH clients to interact with the device, and tools that speak a vendor-specific management protocol, such as Cisco Smart Install, are sometimes required too.
 
Depending on how far you plan to go, the next stage is either to amass statistics or to establish a test connection and modify some settings. The latter is a slippery slope: you run the risk of walking into a honeypot, and connecting to or reconfiguring devices you are not authorized to touch is a crime in most jurisdictions. Law enforcement agencies are also getting better at investigating cybercrime and chasing down malicious actors, so you don’t want your research to end up in their spotlight.
 
The Bottom Line
 
Although the Internet of Things is full of vulnerabilities, exploiting many of them is easier said than done. Some flaws can only be harnessed from inside the target’s local network or within radio range of the device.

Timely firmware updates with critical security patches onboard may prevent attackers from piggybacking on the other known flaws.

Nevertheless, most vendors take their time releasing such fixes, and they often admit this sluggishness.
 
It takes a good deal of effort to compile a list of IoT devices that are susceptible to different vectors of compromise. The vast majority of search results generated by the likes of Shodan have nothing to do with easily hackable devices: they show up because the network response of many connected things only partially matches the query an analyst or enthusiast wrote to find targets that meet their criteria.
 
To get the big picture of how prevalent potential botnet targets are, you need an in-depth analysis of the search results and quite a bit of trial and error with verification checks whose importance is usually underestimated. 

About The Author: David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.
