Lab expert examined two NAS models from different vendors, one Smart TV, a
satellite receiver, and a connected printer. As a result of his research, David
Jacoby managed to find 14 vulnerabilities in the network-attached storage devices, one
vulnerability in the Smart TV and several potentially hidden remote control
functions in the router.

In line with its responsible disclosure policy, Kaspersky Lab does not disclose the names of
the vendors whose products were subject to research until a security patch
closing the vulnerabilities is released. All vendors were informed about the existence
of the vulnerabilities. Kaspersky Lab specialists work closely with vendors to
eliminate any vulnerabilities they discover.

Remote code execution and weak passwords: The most severe vulnerabilities were found in the
network-attached storage devices. Several of them would allow an attacker to remotely
execute system commands with the highest administrative privileges. The tested
devices also had weak default passwords; many configuration files had the wrong
permissions and also contained passwords in plain text. In particular, the
default administrator password for one of the devices contained just one digit.
Another device even shared the entire configuration file with encrypted
passwords to everyone on the network.

separate vulnerability, the researcher was able to upload a file in an area of
the storage memory inaccessible to an ordinary user. Should this file be a
malicious one, the compromised device would become a source of infection for
other devices connecting to this NAS – a home PC, for instance – and even serve
as a DDoS bot in a botnet. Moreover, since the vulnerability allowed the file
to be uploaded in a special part of the device’s file system, the only way to
delete it was by using the same vulnerability. Obviously, this is not a trivial
task even for a technical specialist, let alone the average owner of home

Man-in-the-Middle via Smart TV: While investigating the security level of his own
Smart TV, the Kaspersky researcher discovered that no encryption is used in
communication between the TV and the TV vendor’s servers. That potentially opens
the way for Man-in-the-Middle attacks that could result in the user
transferring money to fraudsters while trying to buy content via the TV. As a
proof of concept, the researcher was able to replace an icon of the Smart TV
graphic interface with a picture. Normally the widgets and thumbnails are
downloaded from the TV vendor’s servers, and due to the lack of an encrypted
connection the information could be modified by a third party. The researcher
also discovered that the Smart TV is able to execute Java code that, in
combination with the ability to intercept the exchange of traffic between the
TV and the Internet, could result in exploit-driven malicious attacks.

Hidden spying functions of a router: The DSL router used to provide wireless Internet
access for all other home devices contained several dangerous features hidden
from its owner. According to the researcher, some of these hidden functions could
potentially provide the ISP (Internet Service Provider) remote access to any
device in a private network. What’s more important is that, according to the
results of the research, sections of the router web interface called “Web
Cameras”, “Telephony Expert Configure”, “Access Control”, “WAN-Sensing” and
“Update” are “invisible” and not adjustable for the owner of the device. They
could only be accessed via exploitation of a rather generic vulnerability that makes
it possible to travel between sections of the interface (which are basically web
pages, each with its own alphanumeric address) by brute forcing the numbers at the
end of the address.

these functions were implemented for the convenience of the owner of the
device: the remote access function makes it fast and easy for the ISP to solve
possible technical problems on the device, but the convenience could turn into
a risk if the controls fell into the wrong hands.

and also companies need to understand the security risks around connected
devices. We also need to keep in mind that our information is not secure just
because we have a strong password, and that there are a lot of things that we
cannot control. It took me less than 20 minutes to find and verify extremely
serious vulnerabilities in a device which looks like a safe one and even alludes
to security in its own name. How would similar research end if it was conducted
on a much wider scale than just my living room? This is just one of many questions
that need to be addressed by device vendors, security community and users of
such devices collaboratively in the nearest future. The other important question
is the lifecycle of devices. As I’ve learned from conversations with vendors,
some of them will not develop a security fix for a vulnerable device when its
lifecycle is over. Usually, this lifecycle lasts for one or two years, while
the real life of devices – NASs for instance – is much longer. Whichever way
you look at it, it is not a very fair policy,” said David Jacoby, security
analyst at Kaspersky Lab.

The full text of the research study ‘Internet of Things: How I Hacked My Home’
is available at Securelist.com.

Kaspersky Lab is the world’s largest privately held vendor of
endpoint protection solutions. The company is ranked among the world’s top four
vendors of security solutions for endpoint users*. Throughout its more than 17-year
history Kaspersky Lab has remained an innovator in IT security and provides
effective digital security solutions for large enterprises, SMBs and consumers.
Kaspersky Lab, with its holding company registered in the United Kingdom,
currently operates in almost 200 countries and territories across the globe,
providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by
Vendor, 2012. The rating was published in the IDC
report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor
Shares" (IDC #242618, August 2013).
The report ranked software vendors according to earnings from sales of endpoint
security solutions in 2012.