“Hackers are a resourceful bunch, and they’ll look for any weakness that can be exploited to break in to a computer network. Once they’re IN, they’ll use any available method to get the data they discover OUT.”
Forbes, July 27, 2017
There is a story from a couple of years back about a casino in Vegas that was hacked using this rather unique exploit. The casino had recently installed a new remote monitoring system for their fish tanks which allowed the temperature, salinity and food to all be controlled automatically. Since to be able to do that it had to be connected to the internet, it was a ripe target to be hacked – and promptly was.
The problem was not that the attackers might use the exploit to feed the fish too much food, but that the device was not isolated from the rest of the casino network. Using it as a doorway, the attackers stole 10GB of data from the casino’s computer systems, sending it offsite in a way that made it look like media streaming.
The story highlights the dangers of allowing weak and insecure devices onto an otherwise secure network.
Devices like these usually have minimal if no security attached to them. Once you are in, you can then use them to leapfrog onto the things you really want to get to. This is called a ‘man in the middle’ attack, where you hack something to indirectly get to something else. (For fans of Mr Robot, this is exactly what the lead character did to bring down the secure backup facility. By placing a small device onto the network, he was able to take down the facility’s heating system and thus destroy all the backups stored inside.)
In 2015, Hacker News revealed that millions of devices, including home routers, were using the same encryption keys hard-wired into the devices themselves. If you get those keys, then you don’t just hack one device, you can get at hundreds of thousands of them.
“When [they] scanned the Internet … the researchers found that at least 230 crypto keys are actively being used by more than 4 Million IoT devices.
Moreover, the researchers recovered around 150 HTTPS server certificates are used by 3.2 Million devices, along with 80 SSH host keys that are used by at least 900,000 devices.”
Hacker News, November 27, 2015
When we say to clients ‘you shouldn’t connect devices to your network without telling us’ we’re not trying to be difficult, we’re just aware that these things are vulnerable and that caution needs to be exercised.
IP Cameras have notoriously low levels of security. Network printers can be easily exploited, and often contain a password to your server and/or an email account for scanning. We always change the default passwords on these devices for this reason, though the push back we get sometimes from the print management company for doing so is hard to believe unless you genuinely don’t care about security.
Another good example is separating your phone system from your main network. VOIP phones are a great example of devices that communicate through the internet, and which as a result can be accessed and controlled from somewhere external – that’s how they ring when someone calls you!
It’s not particularly far-fetched that one of these phones, on your computer network, could be used to try to access your server.
Consider the payoff; an attacker trying to hack into one phone is very unlikely. But, an attack using a common exploit on millions of phones is something else. Like phishing emails, no one is targeting you specifically. They’re just throwing enough out there in the knowledge that at least some of them are going to generate a response. Combine this with an automated use of lists of common passwords tried on every computer on that same network, plus perhaps opening some ports on your router for the service to work, and before long you’re going to be able to get something out of it.
The moral of the story? Be careful what you connect to your network.
The IoT has all sorts of good things going for it, but it also has the potential to bring you a lot more trouble than you bargained for. Security is only as good as the weakest link, and if you do want to connect insecure devices there are ways to do it that do not compromise all the good security you have by placing a back door right in the middle of it.
Useful Links
Hacker News : https://thehackernews.com/2015/11/iot-device-crypto-keys.html
Video: The Wolf, feat. Christian Slater. “If you’re not taking your printer security seriously, someone else might be”: https://www.youtube.com/watch?v=U3QXMMV-Srs