ForeScout Technologies released an “IoT Enterprise Risk Report” (pdf) that identified seven IoT devices that can be hacked in as little as three minutes: IP-connected security systems, smart HVACs and energy meters, VoIP phones, connected printers, videoconferencing systems, smart light bulbs and smart refrigerators. Although the hack might take only a few minutes to pull off, it might take weeks to find and fix.

Other “key findings” of the report include:

- Should any of these devices become infected, hackers can plant backdoors to create and launch an automated IoT botnet DDoS attack.
- Cybercriminals can leverage jamming or spoofing techniques to hack smart enterprise security systems, enabling them to control motion sensors, locks and surveillance equipment.
- With VoIP phones, exploiting configuration settings to evade authentication can open opportunities for snooping and recording of calls.
- Via connected HVAC systems and energy meters, hackers can force critical rooms (e.g. server rooms) to overheat critical infrastructure and ultimately cause physical damage.

Potential scenarios after an IoT device is hacked include using compromised smart videoconferencing systems for spying via camera and microphone, disabling security cameras to allow physical break-ins, snooping on calls via VoIP phones and snagging private company information via connected printers. If an attacker were to exploit a smart light bulb, Wi-Fi credentials could be extracted and used to carry out more attacks. A smart fridge could be exploited so that an attacker obtains user credentials.

The research, led by black-hat turned white-hat Samy Kamkar, includes an accompanying video, which is an especially interesting aspect of the report. In it, Kamkar shows off the dangers of soft target, easily exploitable IoT devices by hacking into a security camera and then showing what an attacker could actually do.
Exploiting IoT is not just about building botnets for DDoS attacks.

Real hack of security camera for total pwnage

“Kamkar’s research included a physical hack into an enterprise-grade, network-based security camera. Entirely unmodified and running the latest firmware from the manufacturer, the camera proved itself vulnerable and ultimately allowed for the planting of a backdoor entryway that could be controlled outside the network,” ForeScout said.

There are plenty of sites that list default username and password combos for IoT devices. Kamkar’s hack took longer than three minutes, more like an hour, and he used the camera’s default password to gain access to the device.

“The attack itself can be automated in seconds,” Kamkar explained. “Once a hacker takes advantage of it and gains access to the device, he or she can move around and do anything as the root user, such as planting a permanent backdoor.”

Next, Kamkar noted how many IoT devices have insecure management interfaces. An attacker could use default credentials to log in via the web interface.

After checking out the device’s ports, Kamkar shows the device using SSH (Secure Shell). He then connects to SSH, logs in with default credentials and gains root access. Many IoT devices run embedded Linux, he said, and “having root SSH access makes attacks easy to script and automate.”

With root SSH, a hacker would have full privilege and gain complete control of a device.
An attacker could “use it as a proxy to hit other systems in that network or even other organizations on the internet.”

An attacker “can essentially SSH into that device and then bounce from there to any other IP address on the internet or any other machine on the local network.” An attacker could “also plant a SSH authorized key”, which would allow an attacker to “SSH in” at any time in the future without needing a password. It wouldn’t matter if the password were changed; the attacker could still log in and have full access to the local network.

An administrator might change the password and believe it’s all good, as “nothing will appear out of place.” Nevertheless, an attacker could install a “backdoor that makes an outbound connection or a reverse shell to assist” in what an attacker can “control outside the network.”

The attacker would have full control from a remote location to conduct all sorts of attacks, such as ARP and DNS spoofing, or MITM attacks, without any ports needing to be opened on the firewall.

The real kicker to this attack: If an administrator ever decides to change the password to the device, the reverse shell is implanted in the file system and continues to run and still provides the attacker with full access to the device [even though] the attacker no longer has the new password. It doesn’t matter if the device is rebooted, Kamkar said, the access will persist.

As for botnets, an attacker can use the same backdoor across many devices. The devices would receive orders via a C&C server and could be used for massive DDoS attacks.

If an admin set up the device on the internet with a public IP instead of the local network, Kamkar said the device still exposes the entire internal network to the attacker.
“Once SSH’d in,” an attacker “has full access to the internal network without ever having been on the network.”

ForeScout’s full report (pdf) has more information on how insecure IoT devices can be exploited, as well as best practices for visibility and control of the devices.
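
The planted SSH authorized key described above survives a password change, so checking for it means inspecting the key file itself rather than the account. As an added example (not code from the ForeScout report or Kamkar's video), this Python script compares the entries of a collected authorized_keys file against an allowlist of approved fingerprints; the sample keys, comments and address are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

def fingerprint(blob: bytes) -> str:
    # Format printed by `ssh-keygen -l`: unpadded base64 of SHA-256 over the key blob.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def find_key(fields):
    """Return (index, blob) of the key-type field; an options field may precede it."""
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        name = fields[i].encode()
        # A genuine key blob begins with its own length-prefixed type name.
        if blob[:4 + len(name)] == struct.pack(">I", len(name)) + name:
            return i, blob
    return None

def audit(text: str, approved: set) -> list:
    """Return (line_no, fingerprint, comment) for each entry that is not approved."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        hit = find_key(fields)
        if hit is None:
            findings.append((n, "unparseable", line.strip()[:40]))
        elif (fp := fingerprint(hit[1])) not in approved:
            findings.append((n, fp, " ".join(fields[hit[0] + 2:]) or "(no comment)"))
    return findings

def sample_b64(seed: int) -> str:
    # Constructed ed25519-shaped blob (wire layout only, not a usable key).
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()

# Constructed sample file: one key the administrator provisioned, one that was not.
SAMPLE = (
    "# authorized_keys collected from a hypothetical camera\n"
    f"ssh-ed25519 {sample_b64(1)} noc-admin@mgmt\n"
    f'from="203.0.113.7",no-pty ssh-ed25519 {sample_b64(2)} unknown@host\n'
)
APPROVED = {fingerprint(base64.b64decode(sample_b64(1)))}

if __name__ == "__main__":
    print(*audit(SAMPLE, APPROVED), sep="\n")
```

Running the same audit before and after a password rotation shows whether any key outside the allowlist remains on the device.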