April 18, 2018
The Internet of Things is more vulnerable than previously demonstrated. Until now the most common attack involving IoT devices has been to enlist thousands of them into botnets. Another method is to use a weak IoT device as the entry point for a ransomware attack. Now IoT security firm Senrio has demonstrated that attackers can jump from one IoT device to another without passing through PCs and servers, making their path even harder to discover. In other words, a single vulnerable IoT device can disrupt an entire network.
Wired reports that, according to Senrio vice president of research M. Carlton, “an attack like this shows why it’s important to know what’s really on your network.” IoT devices are risky for other reasons: “manufacturers tend to patch vulnerabilities slowly, if at all,” and each model of each device relies on “inscrutable, proprietary code … making it difficult to create one-size-fits-all security scanning tools.”
Large corporations are also more likely to spend their resources on “PC and server patching,” rather than wrangling IoT devices.
At the RSA Conference this week, Senrio will present details regarding an attack that “starts by targeting a security camera that is still vulnerable to an inveterate IoT bug the researchers disclosed in July, known as Devil’s Ivy,” which performs a factory-reset on the camera and then takes over root access, thus gaining full control. The attacker can then view the feed and can, “simply springboard from the camera to attack the router next.”
“Rube Goldberg-style IoT exploitation is not only possible, it is actually getting easier these days,” said IoT defense firm Red Balloon researcher Ang Cui. “We’re looking at a fitness tracker hacking a smart speaker, a smart speaker hacking a thermostat, and the thermostat hacking the rest of the network. It’s all laughs until that thermostat connects to a power plant or an embassy.”
Business Insider reports on similarly serious hacks via thermostats, refrigeration systems, HVAC systems and Alexa devices. Darktrace chief executive Nicole Eagan related the anecdote of a casino “hacked via a thermometer in an aquarium in the lobby.” The attackers leapt from the thermometer to the casino’s database of high rollers and pulled it up into the cloud.
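The camera-to-router and thermometer-to-database hops described above share one defensive signature: an IoT device reaching an internal host it has no business talking to. The following added example (not code from Senrio, Darktrace or the article) checks constructed flow records against a per-role allowlist built from a device inventory; the roles, addresses and allowlist are assumptions standing in for a real asset database.

```python
"""Flag IoT devices reaching internal hosts outside their expected peers."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst dport")

# Constructed inventory: the role each address plays on this network.
INVENTORY = {
    "10.0.1.10": "camera",
    "10.0.1.20": "aquarium_thermometer",
    "10.0.0.1": "router",
    "10.0.2.5": "nvr",
    "10.0.3.40": "database",
    "10.0.4.7": "workstation",
}
LOCAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address space

# Assumed policy: which roles each managed IoT role may reach. A camera
# should only stream to its recorder; a cloud-managed thermometer should
# only talk out to the internet. Anything else is east-west movement.
ALLOWED = {
    "camera": {"nvr"},
    "aquarium_thermometer": {"internet"},
}


def role_of(addr):
    """Map an address to an inventory role, or a coarse class if unknown."""
    if addr in INVENTORY:
        return INVENTORY[addr]
    ip = ip_address(addr)
    return "unknown_internal" if any(ip in n for n in LOCAL_NETS) else "internet"


def classify(flow):
    """Return (verdict, reason) for one flow; only IoT sources are policed."""
    src_role, dst_role = role_of(flow.src), role_of(flow.dst)
    if src_role not in ALLOWED:
        return "ok", f"{src_role} source not covered by IoT policy"
    if dst_role in ALLOWED[src_role]:
        return "ok", f"{src_role} -> {dst_role} is expected"
    return "alert", f"{src_role} {flow.src} reached {dst_role} {flow.dst}:{flow.dport}"


def find_lateral_movement(flows):
    """Reasons for every flow that violates the IoT allowlist."""
    return [reason for verdict, reason in map(classify, flows) if verdict == "alert"]


# Constructed sample flows mirroring the two scenarios in the article.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", 554),    # camera streams to its NVR: fine
    Flow("10.0.1.10", "10.0.0.1", 22),     # camera opens a session to the router
    Flow("10.0.1.20", "10.0.3.40", 1433),  # thermometer reaches the database
    Flow("10.0.4.7", "10.0.3.40", 1433),   # workstation to database: not IoT
]

if __name__ == "__main__":
    for reason in find_lateral_movement(SAMPLE_FLOWS):
        print("ALERT:", reason)
```

An inventory like INVENTORY is exactly the "what's really on your network" knowledge the article calls for; without it, the camera and the router are just two internal addresses and the hop looks like ordinary traffic.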
Robert Hannigan, former head of the British government’s digital spying agency, Government Communications Headquarters, “agreed that hackers’ targeting of Internet-of-Things devices was a growing problem for companies,” noting that he saw a bank that was hacked via its CCTV cameras. He “called for regulation to mandate safety standards.”
“The market isn’t going to correct itself,” he said. “The problem is these devices still work — the fish tank or the CCTV camera still work.”