Kaspersky Lab: Several popular interconnected home entertainment devices can be a real threat to digital security due to software vulnerabilities, as well as a lack of basic security measures such as strong, default administrator passwords and encryption of the Internet connection.
David Jacoby, Kaspersky Lab security analyst, conducted a research experiment in his living room to see how securely his home is digital. For this purpose, he looked at various home entertainment devices (eg networked storage devices, Smart TV, router, blu-ray player etc.), which proved to be vulnerable to digital attacks.
Για το πείραμα, εξετάστηκαν δύο models συνδεδεμένων σε δίκτυο συσκευών αποθήκευσης από διαφορετικούς κατασκευαστές, μια Smart TV, ένας δορυφορικός δέκτης κι ένας διασυνδεδεμένος εκτυπωτής. Κατά την έρευνα, ο David Jacoby κατάφερε να βρει 14 ευπάθειες στις συσκευές αποθήκευσης, μια ευπάθεια στη Smart TV και διάφορες πιθανώς κρυφές λειτουργίες απομακρυσμένου ελέγχου στο router.
According to its policy of responsible disclosure Kaspersky Lab, the company does not disclose the names of the manufacturers whose products were part of the research until the patch covering the vulnerabilities is released. It is noted that all companies were informed of the existence of vulnerabilities. Also, its specialists Kaspersky Lab collaborate with product providers to eliminate the vulnerabilities they discover.
“Both individual users and businesses need to understand the security risks associated with connected devices. Also, we must always keep in mind that the information us are not safe just because we have imported a strong one code access, and that there are many things we cannot control. It took me less than 20 minutes to find and confirm extremely serious vulnerabilities on a seemingly secure device whose name itself implies security. How would a similar investigation turn out if it were conducted on a much larger scale than in my living room? This is just one of the many questions that must be answered by product manufacturers, the security industry and device users in the near future. The other important issue is the lifespan of the devices. Based on various discussions with manufacturers, it appears that some companies will not develop patch security for a susceptible device when its life cycle reaches its end. Typically, this cycle covers one or two years, and the actual life of the devices - for example, the connected storage devices - is much longer ", said David Jacoby.
Remote code execution and "weak" passwords: Οι πιο σοβαρές ευπάθειες εντοπίστηκαν στις συνδεδεμένες σε δίκτυο συσκευές αποθήκευσης. Αρκετές από αυτές θα επέτρεπαν σε έναν εισβολέα να εκτελέσει απομακρυσμένα εντολές, έχοντας μάλιστα τα υψηλότερα δυνατά προνόμια διαχείρισης ενός συστήματος. Επίσης, οι προεπιλεγμένοι κωδικοί πρόσβασης γι' αυτές τις συσκευές ήταν «αδύναμοι», πολλά από τα αρχεία ρυθμίσεων είχαν λάθη στις εξουσιοδοτήσεις, ενώ περιείχαν τους κωδικούς πρόσβασης σε μορφή απλού κειμένου. Ειδικότερα, ο προεπιλεγμένος κωδικός πρόσβασης διαχειριστή για μία από τις συσκευές περιείχε μόνο ένα ψηφίο. Μια άλλη συσκευή μοιραζόταν ακόμη και ολόκληρο το archive settings with encrypted passwords with all network users.
Using a separate vulnerability, the researcher was able to "upload" a file to an area of storage memory that is inaccessible to the average user. In the event that this file was malicious, the compromised storage device could become a source of "infection" for all the devices connected to it (eg PC), and even be used as DDoS bot on a malicious network. Additionally, as vulnerability allowed the file to "climb" to a specific portion of the device's file system, the only way to delete it was to use its own vulnerability. Obviously, this is not an easy task even for a specialist, let alone the average home entertainment equipment owner.
Man-in-the-Middle attacks through Smart TV: Examining the security level of her own Smart TV, her researcher Kaspersky Lab has discovered that encryption is not used in communication between the television and the television servers of the manufacturer. This is likely to pave the way for "Man-in-the-Middle" attacks, which could result in the user transferring money to cheats when trying to buy content through Smart TV. For the reason, the researcher was able to replace an icon interface of Smart TV with another image. Normally, widgets and thumbnails "get off" by them servers of the television manufacturer, but due to a lack of encrypted connection, the information could be modified by a third party. The researcher also discovered that "smart" TV can run code Java which - coupled with the possibility of interfering with the exchange of data between television and the Internet - could lead to malicious attacks based on vulnerabilities.
Hidden Spy Functions at router: The DSL which provided wireless σύνδεση στο Διαδίκτυο σε όλες τις υπόλοιπες οικιακές συσκευές, περιλάμβανε διάφορα επικίνδυνα χαρακτηριστικά που ήταν κρυφά από τον ιδιοκτήτη του. Σύμφωνα με τον ερευνητή, μερικές από αυτές τις κρυφές λειτουργίες θα μπορούσαν να προσφέρουν στον Πάροχο Διαδικτυακών Υπηρεσιών (ISP) απομακρυσμένη πρόσβαση σε κάθε συσκευή που βρίσκεται εντός ενός ιδιωτικού δικτύου. Πιο σημαντικό από αυτό, όμως, είναι το γεγονός ότι ο ιδιοκτήτης της συσκευής δεν μπορεί να δει ή να προσαρμόσει μέρη του web interface of router with the names "Website Cameras "," Telephony Expert Configure "," Access Control "," WAN-Sensing "and" Update ", as the survey showed. Access to these parts was made possible only by exploiting a vulnerability that allowed you to navigate through various parts of the interface (in fact, they are websites, each of which has an alphanumeric address).
Initially, these features were implemented to provide greater convenience to the device owner: remote access ISP to quickly and easily solve possible technical problems with the device. However, this convenience can be compromised if the check falls into the wrong hands.
How to Stay Safe in the World of Interconnected Devices
- Install the latest security updates on all your devices firmware. This will minimize the risks of exploiting known vulnerabilities.
- Ensure that the default username and Password have changed, as these are the first elements an attacker will look upon when trying to break a device.
- Most household routers and switches offer the option to set up your network for each device and at the same time restrict access to it. For example, if you have a TV, you may want to restrict access to it and allow it to access a specific resource on your network. There is no special reason to have the printer connected to your TV.
The full research report, entitled "Internet of Things: How I Hacked My Home", is available at Securelist.com.
