How do these IoT devices get hacked on your network? This question was sent to me by a listener of my Security In Five podcast. If a camera or toy is on my network connected to my routers, how is this accessible from the Internet and how do hackers exploit it? Through my posts and podcast episodes, I talk regularly about the security risks that are around us but the feedback made a good point, explain how. This blog post will do that and the episode released on June 25, 2018 will also talk about this.
Internet of Things (IoT) devices are commonplace. There is an obsession with enabling anything and everything with the capability to access the Internet. However, there are no standards, regulations or certifications of security that these devices follow. This means that each vendor can make their products as secure or insecure as they choose. This means people who buy these devices are at the mercy and often fall victim to poor security decisions that, in most cases, cannot be fixed to patched after the fact.
There are a few ways an insecure IoT device can be exploited and cause problems for you as a consumer. This post will try to explain it without getting too technical.
Device Broadcasting And Poor Internal Device Security
In my most recent IoT Strikes Again podcast episode I talked about a baby monitoring camera that was compromised and controlled by someone outside of the home. This attack/compromise was most likely done through poor internal device security of the camera itself. You can hear that episode below.
In order to have a device accessible from a web browser there needs to be a web server on the device to serve the pages. The network control on that device will have a port opened on the device to listen for web traffic requests. For example, it may have port 8883 open. To access the web page on the device you would enter the IP address with the port, internally this may be 192.168.1.40:8883. Here’s where the inherent problem is that exposes this to the Internet.
Your $400 wireless router maybe the top of the line for a router but that’s all it is, a router. Although there are functions to block traffic by IP and ports, off the shelf routers are not firewalls. That means, without detailed configurations on the router and other components, all traffic is allowed to and from the Internet. Once you plug in your web enabled device, by default, it will answer to requests from the Internet. In the picture below you can see the device flows out to the Internet, your public IP address from your Internet Service provider is what the world sees, and anything hitting your public IP on port 8883 can be accessed. The router will see a request to that port and route the traffic internally to the device that replies that it’s listening on that port. Bam, they are in.
The devices insecure configurations now come into play. Here are big security gaps that could happen –
- Hardcoded username/password on the device. If you have X device the admin user is admin/password and never changes for that model. That means anyone finding your device can login.
- No encryption. HTTP traffic can be seen. You username and password you setup can be read if they set up a man in the middle.
- Using Web Server software with known vulnerabilities. It’s not hard to determine what web server software is used for a device. Once you get the version you can research if there are any known vulnerabilities for that. If there are, hackers can use the known exploit methods and attack the device. This method is how 500,000 IoT devices get infected to become bots, how hackers can access the device and use that to access other devices on your network, steal credentials, files, plant malware, etc…
The Lack Of Consumer Level Network Firewalls
My router is a higher end model. What makes it higher end is in the speed and wireless power not in the administrative controls. In fact, when I purchased this one I was surprised to see the administration interface and capabilities were almost the same as a low-end model from the same manufacturer I have. As I look at the control to block traffic they are minimal. This is the problem on the wide problem of insecure devices and the prevalent spread of malware on these devices.
The consumer market and security work do not address network firewalls for the home consumers. There are options out there but nothing like wireless routers. I think there are a few reasons for this.
First, the routers market security capabilities on the devices and the regular user doesn’t have the knowledge to understand the type of security it provides and more importantly what security is not present.
Second, firewalls are hard to configure. Most people are lucky to get their one touch wireless routers setup and now to have to configure a firewall could be too much. There is no easy button and the learning curve is not worth the investment.
Third is a sad reality, people don’t care enough. Vendors don’t care enough to chase that market and regular users think they are secure enough and don’t care enough to demand it.
What A Firewall In Your Home Can Do
Network access control can slow and stop these insecure devices from ruining your identity and personal data. Firewalls can explicitly allow certain devices to access the internet and be accessed from the internet. Block all non-essential ports unless explicitly told that port 8883, for example, is allowed but only for this device. You can prevent other devices on your network from talking to each other. If a device is compromised, it can’t access your file share or your PC. There are so many other benefits and protections a home network level firewall could provide.
Examples of IoT
If you want to see how easy it is to search and find IoT devices in scenarios like I described, head to Shodan.io. Shodan is a search engine for IoT devices. I also have highlighted it in a podcast episode.
Be aware of the devices you are buying that have Internet capability on them. Research before you buy. Looks for articles and reviews. A little research can help prevent far larger security problems. This problem won’t go away soon so as a user you need to be more aware of what exactly you are plugging into your network. Reports say in the next 10 years we will have 50-100 Internet-enabled devices in our homes. If they don’t get the security issues addressed, this could be a dangerous trend that opens all of us to serious problems in the near future.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.