In several previous blog posts we have already shown to you the opportunities, but also the enormous dangers of the Internet of Things (IoT). Now let us introduce to you the IoT from a completely different viewpoint, that is, our penetration testers’. At the InfoGuard Security Lounge of June 20th, 2017, they gave an impressive show of how easy it is to crack everyday IoT devices. Read ahead and see what they have found, and what a penetration tester does in general!
The eighth edition of the Security Lounge, with its motto «Business 4.0 thanks to cyber security – artificial intelligence as key to success» was once again a full success. Our internal specialists, customers, partners and external experts provided first-hand experience of where our trip is taking us, and how you can protect yourself effectively from risks. Our penetration testers have shown a completely different insight into the world of the IoT, based upon real cases. At InfoGuard they strive daily to simulate cyberattacks, and find vulnerabilities in the security infrastructures of our customers; and they are more creative than you would imagine! Our lateral-thinking staff employ methods such as technical audits, targeted penetration tests, e.g. to check a Web application, social engineering techniques (spear phishing, malware attacks, physical attacks on site) and also searches in social networks, in the Internet of itself, or in the Darknet. This leads very close to a real attack, and the testers can play proactively. The identified vulnerabilities are then eliminated by deploying specific controls, to prevent a worst-case scenario.
To prepare the presentation, our penetration testers examined several everyday smart IoT devices – and the results were appalling. But let us start from the beginning… What is an absolute must in every office? Of course, good food! At InfoGuard we have an intelligent fridge, which receives all our employees’ personal data through their badges, including food consumed and credit card number: the ideal target for a hacker. After analysing the communication between the fridge and the backend, our pentesters could spot several vulnerabilities, which allow querying the badge’s identification number (UID) of any user – and it can be done over the Internet. By using appropriate hardware, our testers could generate a user’s RFID (Radio Frequency Identification) signal, and have lunch at the expense of someone else. Cool, isn’t it? And what if the same UID is used by many different systems, for instance the main access control system to the company? If the access control readers are happy with the UID and do not ask for further authentication, then these devices can also be cracked, which was also proved at the electronic main access door. By the way, the manufacturer of the fridge fixed the vulnerability in a flash – which is how it should be.
To steal a car, present-day thieves do not need a crowbar anymore. For an inside bet, our specialists had a bit of fun and in one split minute they cracked a colleague’s car. They managed to record the signal of the key, undetected, while the key was out of reach of the car. Then they used a SDR device to reproduce the signal issued by the key to open the car, before the user of the car could send the signal himself. So the colleague came out undamaged – except for having to buy lunch for his colleagues.
Finally, they demonstrated a worrying case, one which should be taken seriously, and which is unfortunately not a rare one. Even in our homes we have countless smart devices, in which we save our personal data. What if these devices should be abused, and intimate details of our private life should make it into the net? In this case the hackers succeeded in attacking a baby monitoring system, made by a well-known manufacturer. The special issue with this model is that it can be driven through an app, and the child can be watched through a smartphone.
Initially the experts stumbled upon several «fundamental» vulnerabilities, which apparently had been there for a long time. But our penetration testers found out even more: the server with which the camera communicates, is hardly protected at all. The server records when the camera is online, and the device’s IP address. When the camera is switched offline, it disconnects from the server. It is now easy to access the server pretending to be the baby monitor, and capture the password, which is automatically sent to the server when the app is fired. Moreover, by writing specific software it would be easy to record all currently logged-in cameras, including their IP addresses. With the smartphone app it was easy to hack the cameras, for instance to capture the recordings made by the device. But what shocked the experts most, was that apparently the same infrastructure is used by several different manufacturers, which makes them all vulnerable to these attacks against each other.
You will have noticed that IoT devices must be treated with care both in the business and at home, especially when cloud services are involved. Our experts advise against devices which establish undocumented connections to external cloud services. Enterprises should place their systems regularly on the test bench, and let external experts find possible vulnerabilities. This is where our penetration testers come in. Our cyber-attack simulations go beyond the normal scope, unlike penetration tests, which are usually limited to checking a Web application or a perimeter. However, to an attacker it does not matter whether he comes to the target information by a zero-day exploit, an insecure Web application, a known IT vulnerability, or an employee: all he wants is the result. In InfoGuard’s Cyber Attack Simulation, all limits are removed; and the creativity of our experts has no boundaries! You define the budget for the test, and we show you how far a hacker can go with this budget.
Did we awake your interest? Here you can learn more about our Cyber Attack Simulation!