This article discusses how hackers violate the privacy and security of the smart home.
Technology is invading our living room
The rapid growth of the Internet of Things paradigm significantly affects our concept of “home”. Modern homes are full of smart devices and the new generation of smart appliances promises to make our lives easier and more pleasant, but we cannot underestimate the risk of cyber attacks.
Home automation solutions are flooding the market, but these devices in most cases lack security; security experts recognize that smart cameras and meters are easy targets for hackers.
In early 2015, experts from security firm Synack analyzed 16 home automation devices ranging from cameras to home automation controllers to thermostats. Unfortunately, the results of the tests are disturbing: the researchers managed to hack almost every appliance.
“Really, the state of security in these things right now is pretty appalling,” said Colby Moore, a security research engineer at Synack.
Experts played out different attack scenarios simulating different situations that could expose our lives to hacker attacks, including implanting nasty things before products leave the factory and hijacking mobile apps designed by manufacturers to control them remotely.
By exploiting vulnerabilities in home automation devices, attackers can gather information about targets, compromise their privacy and security, and understand their behavior and patterns.
According to the findings of the Synack study, connected cameras are the home automation devices with the most security vulnerabilities. Synack found that the smart devices tested do not encrypt data and do not enforce strong passwords. All connected thermostats examined were affected by serious security issues that could be exploited to control them; even home automation centers have a number of drawbacks.
The main problem when working with IoT devices is that manufacturers do not have a strong background in cyber security. It is not easy for manufacturers to design smart objects that could be used in such different scenarios.
“A lot of these device manufacturers are just not security people and really just don’t have security people on staff, especially when it comes to IoT startups,” Moore said. “What they’re doing is phenomenal with all these new uses for technology. But security is not for everyone. Now it’s a ship and a band-aid for later mentality.”
“There is no industry standard and no way to tell if a product is safe or not if you’re an average Joe. That’s a big issue and it’s an issue that the industry needs to address and think about,” Moore said.
Hacker on the doorstep
A recent study by security firm Veracode, titled “The Internet of Things: A Security Research Study,” analyzed IoT home devices and revealed that they expose users to a wide range of threats, including data theft and sabotage.
The devices analyzed in the study have a significant ability to interact with the physical environment (e.g. hardware sensors) and peer devices; for this reason, a cyber attack could lead to a physical disruption of the smart home where they are deployed.
Experts analyzed six home IoT devices with the current firmware version and performed a set of uniform tests. The tests are focused on four different domains: user-facing cloud services, back-end cloud services, mobile application interfaces, and device debugging interfaces.
The six home IoT devices analyzed by Veracode experts are:
- Chamberlain MyQ Internet Gateway: Internet remote garage door control.
- Chamberlain MyQ Garage: Internet-based remote control of garage doors, interior switches and electrical outlets.
- SmartThings Hub: Central control device for home automation sensors, switches and door locks.
- Ubi: The Unified Computer Intelligence Corporation makes this always-on, voice-activated device for answering questions, controlling home automation, and performing tasks like sending emails and text messages.
- Wink Hub: Central control device for home automation products.
- Wink Relay: Combination hub and control device for sensors and home automation products.
The researchers discovered a number of security issues that affect all the devices, including authentication and arbitrary code execution flaws that could be exploited to gain complete control over the devices.
Exploiting the bug allowed the researchers to control the garage door and gather information related to the presence of people in the home. This information exposes the user to the risk of robbery.
Exploiting data managed from Ubi could allow attackers to gather vast amounts of information about a user’s habits, which can facilitate a robbery or even stalking.
Hacking a Ubi or Wink Relay device could lead to a serious breach of user privacy, as it could allow attackers to control microphones in the home environment.
We will now analyze in detail other common smart objects present in modern homes and find out why the lack of security by design could harm our security and privacy.
Smart TV, smart meters, smart fridge… Open door to hackers
Modern homes are full of connected devices; smart TVs, smart meters and refrigerators collect vast amounts of information about our behavior and in many cases this information is transmitted to remote servers without the user’s knowledge.
In 2013, researcher Malik Mesellem proved that smart TV hacking is a real threat. He used Samsung models for his test, which he forced to restart by sending a specially crafted HTTP GET request.
In that specific case, the researcher proved the feasibility of a DoS attack, but it was only the beginning, because in recent months experts have revealed security problems that could turn smart TVs into an entry point for hackers into our homes.
A year later, in February 2014, researchers at ReVuln showed how to exploit the latest firmware update for Philips smart TVs to steal cookies and other sensitive user data.
The hack was very insidious: it took a few seconds to execute and was undetectable by victims.
Attackers who connected to a Miracast-enabled Wi-Fi network could browse and download any files that might be contained on USB drives connected to a Philips smart TV. ReVuln researchers also demonstrated that it was possible to steal browser cookies, which contain sensitive information and are in some cases used by many web services for authentication purposes.
Researchers at ReVuln have released a video showing how an attacker can easily steal authentication cookies for an existing Gmail account from a Philips smart TV, as well as user data from a USB drive connected to the device.
Attacks on smart TVs are evolving, and this class of smart devices is being abused to hack systems inside a home network and exfiltrate user data.
Things did not get any better in 2015: security researchers discovered that a Samsung smart TV was sending voice recognition data and text information over the Internet unencrypted, allowing hackers to intercept it.
A hacker might be able to spy on a user through the features of a modern smart TV and access their home LAN this way. Such bugs and implementations also open the door to surveillance activities that could be conducted by persistent attackers (e.g., intelligence agencies) who could access user traffic directly from ISPs or through access to Internet backbone networks.
While the TV reminds us of its presence with its footprint, the abundance of other small-sized smart objects in our homes can still pose a serious threat to the security of our homes. Smart meters, smart light bulbs and smart thermostats could allow hackers to break into our home networks and put our privacy and sometimes our lives at risk.
Consider, for example, smart meters. Last year, researchers Javier Vazquez Vidal and Alberto Garcia Illera discovered millions of electricity meters connected to the grid that were vulnerable to cyber attacks due to a lack of proper security controls.
In Spain, there are three main energy companies, Endesa, E.ON and Iberdrola, and the number of installed smart meters is almost 8 million, corresponding to almost 30 percent of households.
Bad actors accessing smart meters could cause power outages or conduct fraudulent activities, including billing fraud. The researchers explained that poorly protected credentials stored on devices provided by one of the companies could allow attackers to gain access to smart meters; during session tests, they were able to take full control of any device and modify its unique ID to impersonate another customer.
Researchers have discovered a bug that affects code running on smart meters. This vulnerability could be exploited remotely to shut down energy supplies to individual households, access meter readings, transmit meter readings to other customers, and also plant “network worms” that could cause serious problems to the entire network.
Experts explained that the smart meters deployed by the Spanish energy company use AES-128 encryption to protect data, but this encryption algorithm is not invulnerable to a brute-force attack.
They were also able to use the smart meter to attack the power grid. For obvious reasons, the researchers also avoided releasing the name of the smart meter manufacturer; the Spanish energy company that deployed smart meters immediately started the necessary measures to mitigate the risks and improve the security of the equipment.
The attack scenario is worrisome because a threat actor could carry out a large-scale attack and shut down the entire country by hacking the smart meter network.
“Oh wait? Are we going to make it? We were really scared,” said Vazquez Vidal. “We started thinking about what impact it could have. What happens if someone wants to attack the whole country?”
Let’s move on: What do you think about hacking a smart thermostat?
In early 2015, security experts at TrapX Security demonstrated how to hack an internet-connected thermostat made by Nest, a company controlled by Google. As explained several times, the IoT devices in our home are equivalent to an open door for hackers; in this specific case, the experts hacked the Nest thermostat and managed to hack other devices sharing the same home network.
Implementing the hack is not easy because the chain of attacks starts with physical access to the device. TrapX’s experts built on research published several years ago by a group of researchers from the University of Central Florida, led by engineering professor Yier Jin. The group jailbroke the Linux operating system running on the Nest thermostat by accessing it through a USB port.
They then uploaded their own firmware to the thermostat that would prevent data from the thermostat from being sent back to the Nest servers. “The problem is the way the hardware is built,” Jin said in a phone interview Thursday. “That’s why after we released this hack almost a year ago, there’s still no fix. Nest can’t fix it.”
The experts at TrapX were also able to upload their software to the Nest ARM7 processor chip, a procedure that allowed them to access various information managed by the thermostat, including the Wi-Fi password for the local network and data related to the presence of users at home.
The experts found that the network traffic generated by the Nest device was not encrypted. Using ARP, the researchers forced other devices on the same network to exchange data with the compromised Nest device. They were able to use the device as an entry point into the host network; with it, they were able to locate other appliances, including a baby monitor, and hack them.
“In testing, TrapX was able to get through a compromised thermostat to take advantage of known software vulnerabilities found in devices such as baby monitors and even PCs with older, unpatched operating systems to gain control,” Forbes said in a blog post.
“Once we’re inside the network, it’s pretty trivial to escalate,” said Carl Wright, executive vice president and general manager of TrapX. “There are a lot of devices in the home that we are able to jump from and compromise.”
Despite the fact that there is no evidence that a Nest device has ever been compromised in the wild, the case presented re-emphasizes the need for security by design for IoT devices.
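The ARP step described above leaves a trace a defender can look for: one MAC address suddenly answering for the router's IP and for other hosts. The following detection sketch is an added example, not code from TrapX or the original article; the log format, the addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies: "<unix time> <IP> is-at <MAC>".
# All addresses are made up: .1 is the home router, .20 the thermostat,
# .30 a baby monitor. From t=1700000060 the thermostat's MAC answers for both.
SAMPLE_LOG = """\
1700000000 192.168.1.1 is-at aa:aa:aa:00:00:01
1700000005 192.168.1.20 is-at bb:bb:bb:00:00:20
1700000009 192.168.1.30 is-at cc:cc:cc:00:00:30
1700000060 192.168.1.1 is-at bb:bb:bb:00:00:20
1700000061 192.168.1.30 is-at bb:bb:bb:00:00:20
1700000120 192.168.1.1 is-at bb:bb:bb:00:00:20
"""


def parse_replies(log):
    """Yield (time, ip, mac) tuples, skipping lines that do not match the format."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[2] == "is-at":
            yield int(parts[0]), parts[1], parts[3].lower()


def find_arp_anomalies(log, gateway_ip):
    """Return alerts for IP-to-MAC rebinds and for MACs answering for several IPs."""
    current = {}                # ip -> MAC most recently seen for it
    claims = defaultdict(set)   # mac -> every IP it has answered for
    alerts = []
    for ts, ip, mac in parse_replies(log):
        claims[mac].add(ip)
        previous = current.get(ip)
        if previous is not None and previous != mac:
            # A rebind can be benign (new DHCP lease, replaced device); a rebind
            # of the gateway's address is the one to investigate first.
            kind = "gateway-rebind" if ip == gateway_ip else "rebind"
            alerts.append({"type": kind, "time": ts, "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        current[ip] = mac
    for mac, ips in sorted(claims.items()):
        if len(ips) > 1:
            # One interface claiming several hosts' addresses on a home LAN.
            alerts.append({"type": "multi-ip", "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_LOG, gateway_ip="192.168.1.1"):
        print(alert)
```

On a real network the input would come from a passive capture of ARP replies on the LAN, and the MAC named in a gateway rebind identifies the device to isolate.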
The surprises don’t end here: Do you know smart light bulbs?
These components of the modern home can also be used to enter our everyday life.
Last year, experts from Context Information Security discovered a security flaw in LIFX smart LED bulbs.
Wi-Fi enabled bulbs can be controlled remotely using mobile devices. By exploiting the flaw, an attacker was able to gain access to the main light bulb and control every other connected light bulb in the house, revealing user network configurations.
The LIFX architecture is based on a mesh network, which requires only one bulb to be connected to Wi-Fi at a time. Context Information Security experts were able to analyze mesh network traffic and identify packets used to share an encrypted network configuration between bulbs in the network.
Once the traffic was identified, the researchers injected packets without any authentication into the mesh network interfering with the bulbs.
The company promptly identified the vulnerability with the support of the experts at Context Information Security and released a firmware update to fix it.
Figure 5 – Smart Light Bulbs
“It should be noted, since this attack works on the 802.15.4 6LoWPAN wireless mesh network, an attacker would need to be within wireless range, ~30 meters, of a vulnerable LIFX bulb to perform this attack, severely limiting the practicality for exploitation on a large scale,” states the official blog post of Context.
Curious eyes in our homes
We will conclude our short tour by introducing another category of smart devices that has recently sparked a heated debate about the security of IoT devices in our homes, baby monitors.
Security researchers at Rapid7 have discovered major security flaws in popular network video surveillance cameras that could allow attackers to spy on babies and families.
Rapid7 analyzed baby monitors from six vendors ranging in price from $55 to $260 to evaluate their overall security. The list of baby monitors analyzed includes the Philips In.Sight B120/37, iBaby M3S and M6 models, Summer Infant Baby Zoom, TrendNet Wi-Fi Baby Cam, Lens Peek-a-View and Gynoii devices.
“I really wanted to see if the higher priced cameras [of the range] were more secure or less secure,” he explained.
The flaws detected in the baby monitors represent a serious threat to the privacy of families. Baby monitors are smart devices, always online and equipped with a camera and microphone, all the necessary equipment for spying on the surrounding environment.
The researchers discovered a number of security issues, such as hard-coded backdoor credentials, a privilege escalation flaw in one of the baby monitors, an authentication bypass flaw in another, a direct browsing flaw in another, an information leakage flaw in another, and reflected and stored cross-site scripting (XSS) flaws in another.
Baby monitors are mistaken for safe and harmless devices by families who completely ignore the risks of a cyber attack, and hackers could exploit the lack of security of these devices to turn them into an entry point into the home environment.
“It’s a security device that seems harmless and friendly,” explained Stanislav.
Rapid7 researchers found no evidence of mass exploitation of baby monitors, although none of them have been fixed.
The Philips Electronics B120E/37 Audio/Video In.Sight Wireless HD Baby Monitor was affected by three vulnerabilities: hard-coded credentials, reflected and stored XSS in a cloud web service, and a bug in the remote monitoring feature.
An attacker can exploit the flaws to access the device and open a video stream without authentication.
“It exposes the entire camera web application server on the network,” explained Stanislav. “If you connect to a device and you’re not the person who initiated the connection and you have permission to view it, you shouldn’t be able to view it,” he says. “The beauty of Vuln is that it requires no authentication,” he says.
Philips immediately responded to the message by providing a timeline for repairs; the company added that the Philips device is now managed by Gibson Innovations. Patches are expected to be released by September 4th.
“As part of our responsible disclosure policy and processes, Philips has been in contact with both Gibson Innovations and the security research firm investigating this issue to quickly and transparently address known and potential vulnerabilities in Philips products,” a Philips spokesperson said.
Another disturbing aspect of the story is that it’s very easy to discover baby monitors and other IoT devices online using Shodan’s search engine for Internet-connected devices.
The following table lists the vulnerabilities discovered by researchers:
|CVE|Attack vector|Rapid7 ID|Vulnerability|Device|
|---|---|---|---|---|
|CVE-2015-2886|Remote|R7-2015-11.1|Predictable Information Leak|iBaby M6|
|CVE-2015-2887|Local Net, Device|R7-2015-11.2|Backdoor Credentials|iBaby M3S|
|CVE-2015-2882|Local Net, Device|R7-2015-12.1|Backdoor Credentials|Philips In.Sight B120/37|
|CVE-2015-2883|Remote|R7-2015-12.2|Reflective, Stored XSS|Philips In.Sight B120/37|
|CVE-2015-2884|Remote|R7-2015-12.3|Direct Browsing|Philips In.Sight B120/37|
|CVE-2015-2888|Remote|R7-2015-13.1|Authentication Bypass|Summer Baby Zoom Wi-Fi Monitor & Internet Viewing System|
|CVE-2015-2889|Remote|R7-2015-13.2|Privilege Escalation|Summer Baby Zoom Wi-Fi Monitor & Internet Viewing System|
|CVE-2015-2885|Local Net, Device|R7-2015-14|Backdoor Credentials|Lens Peek-a-View|
|CVE-2015-2881|Local Net|R7-2015-15|Backdoor Credentials|Gynoii|
The problem is not new and extends to common IP cameras used for home surveillance.
In early 2014, a bug in the software that powers a wide range of webcams, IP cameras and baby monitors made by Chinese giant Foscam allowed anyone to access the connected device and view its live and recorded video.
In 2012, a group of researchers revealed that a large number of IP cameras manufactured by TRENDnet were affected by a similar bug.
Under these circumstances, instructions for accessing IP cameras around the world were available online; a number of websites have posted links to the hacked resources.
Another website began posting nudity captured by hacked cameras; screenshots were taken and posted on 4chan.
A hacker can easily find the IP address of a misconfigured IP camera and hack it once the necessary model information is gathered. Specialized search engines such as SHODAN make research easy and can be used by hackers to identify faulty IP cameras.
I have listed just a few examples of IoT that can easily be found in modern homes. In many cases, these smart devices are misconfigured and lack security, opening up the home network to cyber intruders.
We cannot forget that IoT devices are always connected to the Internet, and for this reason, hackers can easily find and exploit them using search engines such as SHODAN.
It is strange to think that users are buying IoT devices to make their home more convenient and secure, but instead they are opening their home doors to fraudsters and hackers.