
“Smart” home in terms of vulnerability: attack vectors and attack mechanics


While visionaries of every scale, authors of dystopian films and high-tech TV series, and assorted inventors and alarmists paint, with varying degrees of credibility, an uprising of smart devices or the use of a smart home as a tool for murder or terrorism, cybersecurity experts and hackers are already engaging on a new front. And this is about real, already (relatively) widely used devices, real vulnerabilities in them, and real, tried-and-tested ways of using those vulnerabilities for unkind purposes. Here is why and how.

A couple of years ago, the University of Michigan conducted a study of a model “smart” home in which 18 different devices were installed and connected to the Internet: a bed, lamps, locks, a TV, a coffee maker, a toothbrush, and so on. One of the main objectives of the study was to identify the principal vulnerabilities of intelligent home control systems; in particular, the products of the aptly named company SmartThings were tested.
After carrying out many disparate attacks on the devices of this “smart” home, the experts recorded two main types of vulnerability: excessive permissions and unsafe messages.

In terms of redundant permissions or rights, rather strange and unacceptable things came to light: about half of the installed applications had access to far more data and capabilities than they needed. In addition, when interacting with physical devices, the applications exchanged messages containing confidential information.

Thus, the application that monitored the charge level of an automatic lock also received the PIN code to unlock it. The software of some smart devices generated messages indistinguishable from real signals from physical devices. This gave attackers the opportunity to feed false information into the network: the user, for example, could be sure that the door was locked when it was actually open.
In addition to redundant permissions and unsafe messages, another significant problem emerged: the transfer of confidential information to the servers of the companies providing technical support for these devices. That is, the gadgets “watched” their owners, sending information about their interactions with the devices to the server every minute. With this information one can reconstruct the residents' exact daily routine: when they woke up, when they brushed their teeth, how many and which television channels they watched. In the two months the researchers spent listening to that “smart” home's digital chatter, there was not a single minute of silence. Incidentally, the noisiest source of data transfer was the Amazon Echo smart speaker, which is rather symbolic.

The classics of information security were not absent either: backdoors. Developers often leave themselves a “back door” that grants full access to, or control over, the device. Manufacturers justify this by the need to provide technical support to users, but the creation of such intentional vulnerabilities contradicts information protection practice and is a very real vulnerability. That virtually all software vendors sin in this way is confirmed by the following fact: at the Hope X conference, IT security expert Jonathan Zdziarski announced the presence of a backdoor in the iOS operating system, which Apple itself acknowledged but called a “diagnostic tool”.

It is obvious that many, if not all, manufacturers of “smart” home components leave themselves such a “back door”. Consequently, it is a potential security hole in the entire “smart” home, to which an attacker could connect through any such device.

As you can see, there are enough vulnerabilities at the hardware and software level. Now let's look at how the individual components suffer at the hands of hackers.

Attacks on smart locks


The fact that a closed door can be opened not only with a key but, for example, with a code or a Bluetooth signal from a phone no longer surprises anyone, and many already use this possibility.

But are “smart” locks safe and able to withstand tampering, as their manufacturers promise? What happens when professional hackers test their resistance? Here is what: a few years ago, at the DEF CON 24 hacker conference, researchers Anthony Rose and Ben Ramsey from Merculite Security described how, as part of an experiment, they attacked sixteen models of smart lock. The result was rather disappointing: only four were able to resist being broken.

Locks from some vendors transmitted access passwords in the clear, unencrypted, so attackers could easily intercept them with a Bluetooth sniffer. Several locks fell to the replay method: the door could be manipulated with pre-recorded signals of the corresponding commands.

With the spread of all sorts of voice assistants, breaking into a smart lock through voice commands is becoming increasingly relevant. A few years ago it turned out, for example, that if the owner's gadget is close enough to the closed door, then saying “Hello, Siri, open the door” loudly enough through the door can get you let in.

A common hacking scenario for most smart locks is this: once an outsider gains physical access to the lock, pressing any buttons on it can authorize any gadget.

Another interesting experiment, by researchers from Pen Test Partners, examined the security of Tapplock brand locks. It turned out that they can be unlocked without the owner's fingerprint. The reason is that unlock codes are generated from the device's MAC address on the BLE network. And since the address is transformed using the outdated MD5 algorithm, it can be recovered easily. Since Bluetooth locks disclose their MAC addresses over BLE, an attacker can learn the address, “crack” it by exploiting MD5's weakness and obtain the hash that unlocks the lock.
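The two lock failures described above (passwords and commands that can be sniffed and replayed, and an unlock code derived from a broadcast identifier) share one root cause: the secret either travels over the air or is computable from public data. The following Python model is an added example, not code from the article or from any lock vendor; it assumes a per-device random key provisioned to the lock and the paired phone at manufacture, and shows a nonce-based challenge-response in which the key never leaves either side and a captured exchange cannot be replayed.

```python
import hashlib
import hmac
import secrets


class Lock:
    """Lock holding a per-device random key that is never transmitted.

    Every unlock answers a fresh nonce, so a sniffed exchange is useless
    a second time, and the public MAC address plays no part in the credential.
    """

    def __init__(self):
        # Constructed: a random 256-bit key provisioned to this lock and its paired phone.
        self.key = secrets.token_bytes(32)
        self._issued = set()  # nonces handed out and not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._issued.add(nonce)
        return nonce

    def unlock(self, nonce, response):
        if nonce not in self._issued:
            return False  # never issued, or already consumed: a replay
        self._issued.discard(nonce)  # one-time use
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Phone:
    """Paired phone: proves possession of the shared key without sending it."""

    def __init__(self, key):
        self.key = key

    def respond(self, nonce):
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def run_sessions():
    """Legitimate unlock, replay of the same exchange, a forged answer, a fresh unlock."""
    lock = Lock()
    phone = Phone(lock.key)

    n1 = lock.challenge()
    r1 = phone.respond(n1)
    results = {"legit": lock.unlock(n1, r1)}

    # A sniffer that captured (n1, r1) resends the pair: the nonce is spent.
    results["replay"] = lock.unlock(n1, r1)

    # Someone who saw n2 but has no key cannot compute a valid response.
    n2 = lock.challenge()
    results["forged"] = lock.unlock(n2, b"\x00" * 32)

    # The phone simply asks for a new challenge and succeeds.
    n3 = lock.challenge()
    results["fresh"] = lock.unlock(n3, phone.respond(n3))
    return results


if __name__ == "__main__":
    print(run_sessions())
```

The same structure is what a BLE lock should implement over the wire: the only values that cross the air are a random nonce and an HMAC over it, neither of which helps an observer who lacks the key.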



Tapplock fingerprint lock
Source: Tapplock

But Tapplock's vulnerabilities do not end there. It turned out that the company's API server divulges sensitive user data. Any unauthorized person can find out not only the location of the lock but also unlock it. Doing so is quite simple: create an account with Tapplock, take the victim's account ID, authenticate and take control of the device. At the same time, on the back end the manufacturer does not use HTTPS. No hacking or brute force is even needed, because account IDs are assigned by an elementary incremental scheme. And the cherry on the cake: the API does not limit the number of requests, so user data can be downloaded from the servers endlessly. And this problem is still not fixed.
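Three back-end mistakes are listed above: guessable incremental account IDs, no check that the authenticated caller actually owns the lock it asks about, and no limit on the number of requests. The Python model below is an added example, not the vendor's code or API; the method names, the `LockApi` class and the injectable `clock` are assumptions made for the example. It shows the corrected shape of such a service: opaque random identifiers, an object-level ownership check on every lock operation, and a sliding-window rate limit per caller.

```python
import secrets
import time
from collections import defaultdict, deque


class LockApi:
    """Minimal model of a lock back end with the three fixes applied."""

    def __init__(self, rate_limit=60, window_s=60.0, clock=time.monotonic):
        self.rate_limit = rate_limit
        self.window_s = window_s
        self.clock = clock                 # injectable so the limiter can be tested
        self.accounts = {}                 # account_id -> set of lock ids
        self.locks = {}                    # lock_id -> {"owner", "location", "locked"}
        self._hits = defaultdict(deque)    # account_id -> recent request timestamps

    def create_account(self):
        # Opaque random identifier: knowing one id says nothing about the next one.
        account_id = secrets.token_urlsafe(16)
        self.accounts[account_id] = set()
        return account_id

    def register_lock(self, account_id, location):
        lock_id = secrets.token_urlsafe(16)
        self.locks[lock_id] = {"owner": account_id, "location": location, "locked": True}
        self.accounts[account_id].add(lock_id)
        return lock_id

    def _allowed(self, caller):
        """Sliding window: at most rate_limit calls per window_s for each caller."""
        now = self.clock()
        hits = self._hits[caller]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()
        if len(hits) >= self.rate_limit:
            return False
        hits.append(now)
        return True

    def _authorize(self, caller, lock_id):
        """Authenticated is not authorized: the caller must own this specific lock."""
        lock = self.locks.get(lock_id)
        if lock is None or lock["owner"] != caller:
            return None  # identical answer for 'missing' and 'not yours': no existence oracle
        return lock

    def get_lock(self, caller, lock_id):
        if not self._allowed(caller):
            return {"error": "rate_limited"}
        lock = self._authorize(caller, lock_id)
        if lock is None:
            return {"error": "not_found"}
        return {"location": lock["location"], "locked": lock["locked"]}

    def unlock(self, caller, lock_id):
        if not self._allowed(caller):
            return {"error": "rate_limited"}
        lock = self._authorize(caller, lock_id)
        if lock is None:
            return {"error": "not_found"}
        lock["locked"] = False
        return {"locked": False}


if __name__ == "__main__":
    api = LockApi(rate_limit=3)
    owner, stranger = api.create_account(), api.create_account()
    lid = api.register_lock(owner, "constructed: front door")
    print(api.get_lock(owner, lid), api.get_lock(stranger, lid), api.unlock(stranger, lid))
```

The ownership check is the part that the account-ID enumeration abused: with it in place, a valid login for one account returns nothing about another account's lock, and the rate limit turns endless bulk download into a slow, noisy activity that the server can log and block. Transport encryption (HTTPS) is a separate, deployment-level fix that this model does not cover.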

Attacks on video cameras


Public spaces of modern megacities are hung with cameras like toys on a New Year tree in a respectable family. And the all-seeing eye does not simply receive a live picture but also understands what is in it. Even in our country, at the 2018 World Cup, the face recognition system unmistakably caught fans who had been denied access to the stadium.

While our lives lose any privacy in this way, it remains only to wait for attackers to pick the keys to the “eyes” of video surveillance. And banal voyeurism will be neither the only nor the main motivation for hacking video cameras. Often they are broken into in order to build botnets used in DDoS attacks. In size, such networks are often no smaller than, and sometimes surpass, botnets of “ordinary” computers.

There are several reasons for vulnerabilities in video cameras:


Often cameras are attacked by the man-in-the-middle method, with the attacker positioned between the client and the server. This way one can not only read and alter messages but also replace the video stream, especially in systems where the HTTPS protocol is not supported.

For example, a camera line from a very well-known manufacturer had firmware that allowed camera settings to be changed with ordinary HTTP requests without authorization. With another vendor, the IP cameras' firmware allowed, also without authorization, connecting to the camera and receiving the image in real time.
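Both camera weaknesses just described leave traces in the camera's own access log: a successful settings change or stream read without any credential, and any settings traffic over plain HTTP where a man-in-the-middle could read or rewrite it. The detector below is an added example written for this article, not any vendor's tooling; the log format, the `/config` and `/live` endpoints and the `auth=` field are constructed assumptions, and the log lines themselves are invented.

```python
import re
from collections import Counter

# Constructed access-log sample (fields: time, client, scheme, method, path, status, auth).
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 192.0.2.10 https GET /live 200 auth=ok
2019-03-01T10:00:03Z 192.0.2.10 https POST /config 200 auth=ok
2019-03-01T10:01:10Z 198.51.100.7 http GET /live 200 auth=none
2019-03-01T10:01:12Z 198.51.100.7 http POST /config 200 auth=none
2019-03-01T10:01:15Z 198.51.100.7 http POST /config 401 auth=none
2019-03-01T10:02:00Z 192.0.2.10 http POST /config 200 auth=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<scheme>https?) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>\S+)$"
)

CONFIG_PATHS = {"/config"}            # assumed settings endpoint
STREAM_PATHS = {"/live"}              # assumed video endpoint
MUTATING = {"POST", "PUT", "DELETE"}  # methods that change state


def parse(log_text):
    """Turn log lines into dicts; malformed lines are skipped rather than crashing."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def analyze(records):
    """Return (finding, client, time) tuples for the three conditions of interest."""
    findings = []
    for r in records:
        succeeded = 200 <= r["status"] < 300
        unauthenticated = r["auth"] == "none"
        config_change = r["path"] in CONFIG_PATHS and r["method"] in MUTATING
        if succeeded and unauthenticated and r["path"] in STREAM_PATHS:
            findings.append(("unauthenticated_stream", r["client"], r["ts"]))
        if succeeded and unauthenticated and config_change:
            findings.append(("unauthenticated_config_change", r["client"], r["ts"]))
        if succeeded and config_change and r["scheme"] == "http":
            findings.append(("plaintext_config_change", r["client"], r["ts"]))
    return findings


def summarize(log_text):
    """Count findings by kind, the figure a dashboard or alert rule would key on."""
    return Counter(kind for kind, _client, _ts in analyze(parse(log_text)))


if __name__ == "__main__":
    for finding in analyze(parse(SAMPLE_LOG)):
        print(*finding)
    print(dict(summarize(SAMPLE_LOG)))
```

Note that the 401 line is not flagged: a rejected unauthenticated request is the camera working as intended, and only accepted ones indicate the firmware defect. The `plaintext_config_change` finding fires even for an authenticated user, because credentials and settings sent over plain HTTP are exposed regardless of who sent them.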

Do not forget about well-known vulnerabilities either. For example, CNVD-2017-02776: penetrating the camera through it, one can then reach the user's computer via EternalBlue. The EternalBlue exploit, which abuses vulnerabilities in the SMB protocol, is familiar to many: it was used to spread the WannaCry ransomware in 2017 and in the Petya malware attacks. EternalBlue was also included in Metasploit and was used by the developers of the Adylkuzz cryptocurrency miner, the EternalRocks worm, the Uiwix ransomware, the Nitol Trojan (also known as Backdoor.Nitol), the Gh0st RAT malware, and others.

Attacks on sockets and light bulbs


It happens that trouble comes from where you least expect it. Light bulbs and sockets seem a trifle; what use could they be to intruders? As a prank, cutting power to your PC just before you press Save in your favorite computer game? Or turning off the lights in the room where you are with your smart toilet?

However, the mere fact that light bulbs and sockets sit on the same local network as other devices gives hackers a chance to get hold of some rather secret information. Say your home is lit by Philips Hue smart bulbs, a fairly common model. However, the Hue Bridge, through which the bulbs communicate with each other, had a hole, and there were cases in which attackers could remotely seize control of the lamps through this vulnerability.

Recall that Philips Hue has access to the home network, where packets carrying various confidential information “walk”. But how to get it out if the other components of our network are reliably protected?


Philips Hue ZigBee Controlled LED Bulbs
Source: Sho Hashimoto / Wikimedia

Hackers did it like this. They made the light bulb flicker at a frequency above 60 Hz. A person does not notice this, but a device outside the building can recognize the sequence of blinks. Of course, you cannot “pump out” a lot this way, but it is quite enough to transfer passwords or IDs. As a result, the secret information was copied.
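The optical exfiltration above depends on something a person never does: driving a bulb on and off tens of times per second. From the defender's side, that makes it easy to spot in the bridge's command log as an abnormal command rate per bulb. The detector below is an added example written for this article, not Philips code; the log record layout, the bulb names and the 10 Hz threshold (far above any human or scheduled use) are assumptions, and the event sample is constructed.

```python
from collections import defaultdict


def constructed_events():
    """Constructed bridge command log as (seconds, bulb_id, command) tuples.

    lamp-1 is switched by a person three times in a minute; lamp-7 is toggled
    50 times in half a second (100 Hz), the kind of pattern a covert optical
    channel needs and a human never produces.
    """
    events = [(0.0, "lamp-1", "on"), (20.0, "lamp-1", "dim"), (40.0, "lamp-1", "off")]
    events += [(i * 0.01, "lamp-7", "on" if i % 2 == 0 else "off") for i in range(50)]
    return events


def peak_rates(events, window_s=1.0):
    """Highest number of commands per bulb in any sliding window, as commands/second."""
    by_bulb = defaultdict(list)
    for ts, bulb, _cmd in events:
        by_bulb[bulb].append(ts)
    peaks = {}
    for bulb, times in by_bulb.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until it is within window_s of the newest event.
            while t - times[start] >= window_s:
                start += 1
            best = max(best, end - start + 1)
        peaks[bulb] = best / window_s
    return peaks


def flicker_alerts(events, threshold_hz=10.0, window_s=1.0):
    """Bulbs whose peak command rate exceeds what legitimate use could explain."""
    return {bulb: rate for bulb, rate in peak_rates(events, window_s).items()
            if rate > threshold_hz}


if __name__ == "__main__":
    print(peak_rates(constructed_events()))
    print(flicker_alerts(constructed_events()))
```

A rate alert of this kind is cheap to run on the bridge or on a home router that sees the bridge's traffic; it does not need to decode the blink pattern, only to notice that the command rate is physically implausible for a person using a light switch.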

In addition, Philips did not bother to strengthen protection when the bulbs communicate with each other on the local network, limiting themselves to the use of an encrypted wireless protocol. Because of this, attackers could launch a fake software update onto the local network, which would later “spill” onto all the lamps. Thus a worm would be able to enlist the lamps in DDoS attacks.

Smart sockets are also subject to attack. For example, in the Edimax SP-1101W model only a login and password protected the settings page, and the manufacturer did not prompt the user to change the default credentials. This raises the suspicion that the same passwords were used on the vast majority of this company's devices (or are used to this day). Add to this the lack of encryption when exchanging data between the manufacturer's server and the client application. This can lead to an attacker reading any messages or even taking control of the device, for example to enlist it in DDoS attacks.

Attacks on smart TVs




Another threat to the safety of our personal data lies in “smart” TVs. They now stand in almost every home. And TV software is much more complex than that of cameras or locks; consequently, hackers have room to roam.

Suppose a smart TV has a webcam, a microphone and a web browser; where would it be without one? How can intruders do harm in this case? They can use banal phishing: built-in TV browsers are usually poorly protected, and fake pages can be slipped to the user to collect passwords, bank card details and other confidential data.

Another security hole, quite literally, is the good old USB port. Download a video or an application on your computer, then plug the USB flash drive into the TV, and there is your infection.

Who might want to know what programs a user watches and which sites they visit? A lot of people, in fact: analysts at large corporations, consulting and advertising companies, for example. And this information is worth a lot of money, so even manufacturers do not disdain building applications into their products to collect your statistics.

The threat here is that user data can go “on the side” and reach attackers. For example, a burglar learns that no one is home from 9 am to 6 pm, since the TV's owners have a steady habit of turning it on whenever they are at home. Accordingly, the collection of unnecessary information and other logging of actions should be disabled in the settings.

And such built-in implants, as you understand, are additional gaps for penetration. The story of Samsung TVs is well known: users complained that the integrated voice recognition system allowed all their conversations to be followed. The manufacturer even stated in the user agreement that words spoken in the presence of the TV may be transmitted to a third party.

Conclusions and recommendations for protection


As you can see, when building a “smart” home system you should pay extremely close attention to the components and their vulnerabilities. All devices connected to the system are, one way or another, at risk of being hacked. Installers, administrators and advanced users of such systems can be advised the following:


For less experienced users the recommendations are:

Source: https://habr.com/ru/post/445538/
