Samy Kamkar hacks IoT security camera to show exploitable dangers to enterprise

ForeScout Technologies released an “IoT Enterprise Risk Report” (pdf) that identified seven IoT devices that can be hacked in as little as three minutes: IP-connected security systems, smart HVACs and energy meters, VoIP phones, connected printers, videoconferencing systems, smart light bulbs and smart refrigerators. Although the hack might take only a few minutes to pull off, it might take weeks to find and fix.

Other “key findings” of the report include:

• Should any of these devices become infected, hackers can plant backdoors to create and launch an automated IoT botnet DDoS attack.
• Cybercriminals can leverage jamming or spoofing techniques to hack smart enterprise security systems, enabling them to control motion sensors, locks and surveillance equipment.
• With VoIP phones, exploiting configuration settings to evade authentication can open opportunities for snooping and recording of calls.
• Via connected HVAC systems and energy meters, hackers can force critical rooms (e.g. server rooms) to overheat critical infrastructure and ultimately cause physical damage.

Potential scenarios for after an IoT device is hacked include using compromised smart videoconferencing systems for spying via camera and microphone, disabling security cameras to allow physical break-ins, snooping on calls via VoIP phones and snagging private company information via connected printers. If an attacker were to exploit a smart light bulb, Wi-Fi credentials could be extracted and used to carry out more attacks. A smart fridge could be exploited so that an attacker obtains user credentials.

The research, led by black-hat turned white-hat Samy Kamkar, includes an accompanying video, which is an especially interesting aspect of the report. In it, Kamkar shows off the dangers of soft target, easily exploitable IoT devices by hacking into a security camera and then showing what an attacker could actually do. Exploiting IoT is not just about building botnets for DDoS attacks.

Real hack of security camera for total pwnage

“Kamkar’s research included a physical hack into an enterprise-grade, network-based security camera. Entirely unmodified and running the latest firmware from the manufacturer, the camera proved itself vulnerable and ultimately allowed for the planting of a backdoor entryway that could be controlled outside the network,” ForeScout said.

There are plenty of sites that list default username and password combos for IoT devices. Kamkar’s hack took longer than three minutes, more like an hour, and he used the camera’s default password to gain access to the device.

“The attack itself can be automated in seconds,” Kamkar explained. “Once a hacker takes advantage of it and gains access to the device, he or she can move around and do anything as the root user, such as planting a permanent backdoor.”

Next, Kamkar noted how many IoT devices have insecure management interfaces. An attacker could use default credentials to log in via the web interface.

After checking out the device’s ports, Kamkar shows the device using SSH (Secure Shell). He then connects to SSH, logs in with default credentials and gains root access. Many IoT devices run embedded Linux, he said, and “having root SSH access makes attacks easy to script and automate.”

+ Also on Network World: Residential routers easy to hack +

With root SSH, a hacker would have full privilege and gain complete control of a device. An attacker could “use it as a proxy to hit other systems in that network or even other organizations on the internet.”

An attacker “can essentially SSH into that device and then bounce from there to any other IP address on the internet or any other machine on the local network.” An attacker could “also plant a SSH authorized key”, which would allow an attacker to “SSH in” at any time in the future without needing a password. It wouldn’t matter if the password were changed; the attacker could still log in and have full access to the local network.

An administrator might change the password and believe it’s all good, as “nothing will appear out of place.” Nevertheless, an attacker could install a “backdoor that makes an outbound connection or a reverse shell to assist” in what an attacker can “control outside the network.”

The attacker would have full control from a remote location to connect all sorts of attacks, such as ARP and DNS spoofing, or MITM attacks, without any ports needing to be opened on the firewall.

The real kicker to this attack: If an administrator ever decides to change the password to the device, the reverse shell is implanted in the file system and continues to run and still provides the attacker with full access to the device [even though] the attacker no longer has the new password. 

It doesn’t matter if the device is rebooted, Kamkar said, the access will persist.

As for botnets, an attacker can use the same backdoor across many devices. The devices would receive orders via a C&C server and could be used for massive DDoS attacks.

If an admin set up the device on the internet with a public IP instead of the local network, Kamkar said the device still exposes the entire internal network to the attacker. “Once SSH’d in,” an attacker “has full access to the internal network without ever having been on the network.”

ForeScout’s full report (pdf) has more information on how insecure IoT devices can be exploited, as well as best practices for visibility and control of the devices.