The bulk of major corporate hacks follow time-tested strategies, like phishing emails that trick employees into giving up their credentials, or hackers exploiting a bug in a web portal. While effective, these strategies also open an attacker to early detection. So increasingly, hackers have taken the scenic route—through the Internet of Things.
Vulnerabilities in internet-connected devices are well-documented by this point, but the most common exploitations generally involve conscripting thousands of vulnerable IoT devices into botnets, or getting onto a network through a weak IoT device for ransomware attacks. These aren’t using data-stealing missions. But researchers from the IoT security firm Senrio have shown that a company’s publicly exposed IoT devices can form an unsupervised backroad path into networks. Attackers can jump from one vulnerable IoT device to the next, totally bypassing mainstream devices like PCs and servers, and charting a course that’s much harder to detect.
“We were seeking to answer the question ‘why does one device matter?’” says M. Carlton, Senrio’s vice president of research. “An attack like this shows why it’s important to know what’s really on your network. These devices are all connected to each other and can create a hole in the network. It would be very difficult to catch this.”
Internet of Hacks
Many, many IoT gadget characteristics make them risky to deploy. Manufacturers tend to patch vulnerabilities slowly, if at all. Each model of each device is a special snowflake, running inscrutable, proprietary code and making it difficult to create one-size-fits-all security scanning tools. Meanwhile, large institutions and industrial environments already struggle to prioritize PC and server patching; finding and cataloging IoT devices and hustling to apply every update quickly becomes unwieldy. So the devices sit out there, connected to the open internet with little oversight and few protections.
‘It would be very difficult to catch this.’
M. Carlson, Senrio
“If you have an organization with 5,000 connected cameras, which for a large company that’s pretty standard, then now you have to have someone in the organization following that vendor’s RSS or their mailing list just to even know the devices are vulnerable,” says Senrio founder and chief technical officer Stephen Ridley. “And then you have to incur this operational cost to update all of them, which in some cases might be a dude with a thumb drive climbing up a pole and updating each camera.”
Senrio’s attack, which the company will present at the RSA conference Thursday, focuses on exploiting publicly known flaws—for which patches are available—in two devices and then jumping onto a third. The company discovered and disclosed the two vulnerabilities, one in an IP security camera and one in a router, and has tracked them closely. Using tools like Shodan, which scans for IoT devices that are sitting on the public internet, the Senrio researchers have seen meaningful patch adoption for the bugs, a heartening sign. Still, the researchers have observed tens of thousands still vulnerable devices—which is what makes their attack chain so ominous. A sophisticated hacker might pull off the same type of IoT attack using undisclosed, unpatched vulnerabilities that they invested resources to find or buy. But anyone can capitalize on long-known vulnerabilities at virtually no cost.
A Rube Goldberg Attack
The Senrio attack starts by targeting a security camera that is still vulnerable to an inveterate IoT bug the researchers disclosed in July, know as Devil’s Ivy. Using an unpatched Axis M3004-V network camera as an example, an attacker would find a target exposed on the public internet to start the attack, and then use the Devil’s Ivy exploit to factory reset the camera and take over root access, giving them full control over it.
Once the attacker has taken over the camera, they can view the feed. In the scenario the Senrio researchers imagine, this IP camera has been rightly cordoned off from the rest of the network, able to communicate only with a router. Even with that well-intentioned stab at segmentation, the attacker can simply springboard from the camera to attack the router next.
With a compromised camera, the attacker can find out the router’s IP address and its model number tohelp determine whether it has any vulnerabilities. In Senrio’s attack, the router is a TP-Link TL-WR841N that’s still vulnerable to a custom code-execution vulnerability Senrio disclosed in June. The Senrio researchers use a tool for cracking hashed data, known as a rainbow table, to recover the router’s credentials. From there, the attacker can gain remote code execution on the router, and prompt it to “phone home” for more instructions from the hacker, who responds with code that essentially instructs the router to execute commands. All of which, again, has been brokered through a webcam.
‘It’s all laughs until that thermostat connects to a power plant or an embassy.’
Ang Cui, Red Balloon
Once the attacker can control the router and change network rules at will, it’s time to look for some valuable data. Since an attacker would have access to the live video feed coming from the IP camera, they could watch, say, a corporate building’s front door from inside, showing the entryway from behind the front desk. Even if the feed is too blurry for an attacker to read what’s on a receptionist’s screen, they can still analyze the employee’s keystrokes as they type—and perhaps make out general shapes on the screen to determine what services they are accessing—and begin to pull out credentials. Exploiting an IP camera not only gives an attacker a toehold on a network, it also gives them a literal video feed inside the company.
In Senrio’s specific example, the attackers want credentials for network-attached storage unit—a dead-storage fileserver that a group of people can access. Since NAS units tend to be purpose-built for data storage, and don’t have the full functionality of a regular server, they act essentially as another IoT device. In Senrio’s scenario, the hackers use the stolen NAS credentials to access it legitimately, and find that it contains employee names, personal data like Social Security numbers and salaries, and company financial data like sales figures.
The question now is how to exfiltrate it. The IP camera can’t connect to the NAS directly, because of the company’s segmentation efforts. But the attackers can leverage their control of the router, telling it to forward commands from the IP camera to the NAS. The router would channel data from the NAS back through a slightly unusual encrypted network tunnel that wouldn’t normally exist, but since all traffic is expected to go through routers anyway, the researchers say that this behavior is unlikely to arouse suspicion. At this point, the camera can go through the router to request data from the NAS, and the NAS will respond, funneling corporate information out through the chain to be copied onto the attacker’s computer.
Chain of Attack
Though the attack requires elaborate planning, it only takes basic work in the Linux command line to carry out, as Senrio’s Carlton demonstrated in front of me live last week. Carlton notes, too, that attacks like these can increasingly be automated, or turned into point-and-click sequences through services like Metasploit, which catalogue the exploits available for different vulnerabilities.
“Rube Goldberg-style IoT exploitation is not only possible, it is actually getting easier these days,” echoes Ang Cui, an embedded device security researcher who founded the IoT defense firm Red Balloon. “Much of IoT exploitation was unexplored 10 to 15 years ago, and it took effort. Today, the world’s embedded exploitation toolbox is getting fuller faster. We’re looking at a fitness tracker hacking a smart speaker, a smart speaker hacking a thermostat, and the thermostat hacking the rest of the network. It’s all laughs until that thermostat connects to a power plant or an embassy.”
By publicly demonstrating an example of a chained attack, the Senrio researchers hope to raise awareness about the urgency of addressing the IoT security crisis. Though these types of attacks have been possible, and presumably carried out, for a long time, they no longer require particular sophistication. Network attacks that only impact IoT devices and never touch traditional PCs and servers are becoming more common. “It’s important because this really is a blind spot,” Carlton says. “It leaves a lot of companies exposed.”