This week we take a bit of a short story format as I make my way through some crazy stuff surrounding the internet of things!
Check out https://whattheshellpod.com for some bonus stuff and to get set up on our discord and socials!
Intro:
When was the last time you bought something that you needed to connect to the internet to use? Maybe it was a an alexa, maybe smart plug, or even just a printer. Maybe you've got a pet cam to watch the little ones while you take a weekend away? What if I told you that each thing you connect to the internet presents a lock. A lock that can be picked. And once it opens up, there's a whole new world for hackers to look at. A very personal pick into your private life.
My name is John Kordis, and this week we're going to switch it up a little bit. Instead of telling just one story, I'm going to tell you a story of many things. More specifically an Internet of things. So come with my while I tell you a couple of smaller stories about some of the absolutely weirdest and wildest hacks of these devices, and explain to you What the Shell happened to make them such a problem.
Internet of Things:
I want to start the top of the episode here with a bit of a dive into what I mean when I say "An Internet of Things". Broadly speaking, the internet of things is any kind of piece of technology that has to communicate across the internet in order to function. Your first thought here might be to think of something like your computer, or your phone. And you wouldn't necessarily be wrong there but that's just a narrow bit of the full scope. Think about the concept of a "smart home". Everything that you're thinking about here is a part of that Internet of things. From a smart lightbulb, to your alexa, or even in some cases a fridge or oven. They all operate on some level, either tangential to or across the internet for their functionality to work. It's why you can turn your living room light on and off from your phone while you're on vacation. Even that is a pretty stereotypical look at what constitutes a thing on the internet. So let's zoom the scope out even further.
Do you have a new car? It's possible that it pulls firmware updates from the internet, or maybe you've got an app on your phone to control little things like remote starts. Maybe you've got a ring doorbell for security? Well that's something that again, needs that internet connection to alert you every time theres motion at your door.
Another zoom out. Maybe you've gotten a baby monitor, so you can check in on your newborn while you're at work and the nanny is over. Maybe you're a bit on the older side and using a new pacemaker with connectivity to your mobile device to give you medical information about your heart, or send that data to the hospital so they can recommend any changes to your medication?
It doesn't really stop. Like I said at the top of the show, if you've had to configure it to connect to your wifi, it's a part of the internet of things. And when you start looking at all these items, and begin to think about what the worst you can do with them is, it starts to get a little scary. It's not always scary, though, sometimes it's pretty interesting too. So let's start there and see how a casino gambled on their own security.
Let's start by making our way back to 2017. And for this scenario I'm going to put you in the role of a security analyst for an unnamed casino. Your job? Well you respond to alerts for things that may be abnormal on the network, or that might look like signs that you've been compromised. Recently, you've decided to pilot a new cool tool called Dark Trace, and that tool aims to help you identify those weak points. And almost as soon as it's looking at one device in particular it's noticing some pretty weird behavior. Specifically that this device had exfiltrated around 10 gigs of data out to an IP address in Finland.
The tool looked everything else it had its hands in, and said that this in particular seemed like an abnormality, given that no other device was connecting to that location, and that the device really wasn't communicating to much else any differently than other IoT devices.
So what was the evil plant here, the device that was causing all these problems for the casino? Well, it was a fish tank. You see, recently the casino had decided that in order to impress it's patrons they were going to up their game in terms of their display. They wanted to get some great new fishes and make sure that they were properly cared for. And a part of that effort meant that they wanted to get a sensor for the tank to monitor temperature and purity levels of the water. Naturally that sensor would be reporting to various tools and devices across the network to make sure things were adjusted as needed, so that meant hooking it right up to the internet.
On the backend of the sensor, it probably ran on some low level linux distribution that the attacker had used an exploited mechanic against, or perhaps the attacker had gone one level up and compromised the company that owns the sensors itself and gotten in that way. The report didn't give detailson the how of it, just that it happened. The attacker was here and identified and because they were smart, they were able to make out with 10 gigs of company data, some of which would have been highly coveted and saught after.
So what happened after they got in? Well, as we've talked about in the past, sometimes the best thing you can do is be patient. The attacker would mask their traffic in sporadic bits of communication across the network, trying not to do too much. Unfortunately for them that exfiltration meant that they'd end up burned because it was just too big of a move. And maybe that's what they were thinking too. It could very well have been that the attacker knew once they did this they'd be out and done. Not many details here were released but think about a casino and the kinds of information they might have had at their disposal. You'd have access to potential account information, high roller data, hotel info, maybe even security documents that might lead to a better way to maintain persistence?
I sometimes wonder if it was worth it, was the water just clear enough to justify this? Well, at least the fish were unharmed in this one.
Baby Monitor
Let's take it a bit more close to home though. This time I'm going to put you in the role of concerned parent. In order to keep a close eye on your baby you've gotten a nest camera for your baby's room. This way if you're out or in another room, you'll have visibility and awareness of what's going on.
Now, baby monitors aren't anything new, they've been around for quite a while. Albeit, maybe they haven't been around in the form of video as much until the last few years. Previously they'd been at least relatively secluded to radio frequencies though. That meant that you'd at least need to be in the immediate area if you someone was going to attempt to snoop, since these smaller radios were fairly limited in terms of range.
Now here's the scenario, you've put little Shellby down to bed, and decide to get ready for bed yourself and you're finally on your way to your first good nights sleep in a long time. Midway through the night you hear some beeps and you think it's odd but don't pay too much mind to it.
Then…something a bit more intense happens. The baby monitor that you linked that nest camera to? Well suddenly there's a mans voice coming out of it, and he's saying some pretty explicit things.
You dart awake, turn on the lights then the camera in your room activates. That voice you just heard? It's back and this time, it addresses you directly and it says
“I’m going to kidnap your baby, I’m in your baby’s room.”
This was the case with ellen and Nathan Rigney. The Rigneys bolted upstairs and no one was there, things were just as they should have been, and their child was passed out. So what happened? Well they were hacked.
A hacker had made their way into the account that controlled their home security network, which included the ability to broadcast out audio across some of the tools. That let the hacker have their way with tools and scare the living daylight out of the couple.
A similar, but less scary attempt happened to Andy Gregg in Arizona that same year. Andy had set up his nest in his home when he also heard a voice come out of it. But Andy seemed to get the other side of the coin, as this individual identified himself as a security researcher and wanted to let him know that he was vulnerable. It's not necessarily a responsible disclosure here but it was as good as I think this guy knew how to do. He claimed to be from a candian sect of anonymous and well, just listen to the conversation, parts of it were recorded!
I really can't imagine coming home and just being that chill having a conversation with a random guy through my security system. Props to Andy on this and honestly props to the hacker for being calm and collected and helping Andy get his way back into a more secure mindset.
So what happened to these two sets of customers? Well, it again goes back to something we've harked about on an earlier episode, namely that open source intelligence episode. These nest owners had some of their credentials compromised, and while not necessarily a compromise at NEST itself, hackers were able to take this data and plug it in across various accounts until they found one that worked. Here they just happened to find the nest accounts, and we saw both sides of the coin that the result could have landed on.
Kids Toy:
Okay, so you might be thinking to yourself that up until this point, 'yeah those seem like targets though. Cameras and high rolling casinos. What hacker wouldn't take a look'.
But what if we took a look at something else. How about a couple of kids toys. Specifically we'll start with Cognitoys Dino. It's a fun little thing, looking like a cartoon t rex, it integrates with IBM's Watson to let kids have some conversation with the two. It's an interesting take on a two way toy that seems like it would have been a fun addition when I was young.
But for as interesting as it was, it was also rather vulnerable. The device itself came with a little web interface that was vulnerable to injection attacks. That meant that if an attacker was already on the same network as one of these and it fed a specific request in, sensitive data could be leaked. This was demonstrated when an attacker was able to effectively use the toy as it's own network scanner. It mapped out every other device on the same part of the network using just this kind of attack.
Not only that though, it was found that there was plenty of plain text communication going on with the thing. Typically what you want to see is that traffic is encrypted when it's traveling across the network. That makes it so that when an attacker is just sitting there watching, it all would appear as hard to decode gibberish. Plain text traffic hasn't had anything done to it and will be pretty readable to anyone that's watching. With that plain text information, it was effectively possible to steal an owners wifi login information and further plant yourself in the network. It's crazy to me that these toys could be leveraged to effectively give persistent access to a network!
And that's not even the worst toy! In Germany, there was a doll called the "My Friend Cayla". Cayla was marketed as a friend for your child that listens, but apparently she listened a little bit too well. When security researchers started to look at her what they found was scary.
At first it started as privacy concerns. Researchers noted that if a kid talked to cayla about some of it's interests, say disney for example, that information might be given to third parties for marketing. Some of that was unfounded but it got the ball rolling on the discussions that would lead to an even heftier issue.
In 2017, security researchers found that the toys had an unsecure bluetooth device as a part of the listening capability. It helped the toy listen and talk to the child who was using it. The insecure bluetooth meant that it would be easy for hackers to potentially listen in on conversations through the doll. Taking it above and beyond just a breach of privacy through ad services and into a major security concern for families. It could offer a rather easy way to listen in on everything going on around the child! It was so much an issue that Germany would ban the toy and even recommend that families destroy it. Talk about a measured and appropriate response. I get it though, that was the only way to really guarantee they weren't going to be a problem.
Sex Toys
We're going to age it up a bit for the next one and move from toys into something a bit more private. I want to talk specifically about an issue that came to light in 2018 with some more adult kind of toys.
I think we all know there's a booming industry in the market of sex. And a part of that industry is aimed devices that are remote control. Whether it's because the settings can be more fine tuned that way, or as a way to give long distance relationships a bit more spice, remote control sex toys are starting to pop up in the internet of things. So much so, that security researchers have sometimes taken to calling this specific subset…..The Internet of Dildos.
Well. Back in 2018, one specific gadget ran into some hot water when the Vibratissimo was found to be exploitable. These toys had their own app and almost their own little social network where users could share experiences and search for partners. What they found was that from the high level, the database containing customer data was effectively public. It was stored in cleartext and readable to anyone who could find it. The data there included images saved, chat logs, sexual preferences, and yeah usernames and passwords).
So imagine you're an attacker and you've got the username and password. Now you can log in and control these devices without authorization from the actual owner. It presented a very private window into these users lives that they had trusted the company to protect, but was found to be just wide open.
And they weren't the only ones to have these issues. In that same year there were two other toys called the magicmotion flamingo, and realov lydia that were found to be equally prone to hacking scenarios like this one.
Thankfully it seems like the companies here learned their lessons and encrypted their data, but it wasn't without damage being done. Who knows what had been collected prior to the change and who may have been compromised. There wasn't a lot of depth to this attack, but really what I wanted to highlight here is how vast the internet of things truly is, and how far across our day to day life it spreads.
So we've hit on cameras, we've hit on toys for kids, toys for adults, and casinos. But I want to close this out with something that I found genuinely interesting and pretty scary as well. Let's talk about your car.
I mentioned it briefly earlier but there are reasons nowadays for your car to either have it's own wifi network or to connect to yours. It could be updates, it could be so that you can control certain aspects with your mobile device, or it could be just for some quality of life enhancements. Well, a couple of hackers named Charlie Miller and Chris Valasek found that with the Jeep Cherokee it presented a unique way in.
We'll start at the beginning. The exploitable service through Jeep was offered by a subcription and what they originally found was that after looking at the passwords that are generated automatically, it would be perfectly possible to brute force the car if they had the right informaton.
The wifi password was generated based on the date and time in which you first turn the car on with the multimedia system attached. That might seem like it's a big list to think about, and it is. But if you do your reconnaisance and find out when someone manufactured the car, even if it's just down to the right month, you can bring it to right around 15 million possible passwords. Valasek and Miller made a reasonable assumption as well that if they knew where it was manufactured they could limit to the day time of that area and split the number down to right around 7 million possible combinations. Now for a person that seems daunting but for a computer 7 million guesses is nearly nothing. The only limitations are the time it takes to send a password and receive a response, the fact that you need to be in range of the wifi antanea, and the fact that you may need to spread out some requests to avoid bringing down the system altogether.
What the end result came to, was that if Charlie and Chris followed a Jeep for an hour, with that information, they could brute force it. So once they got in, they found the multimedia system ran on a version of linux and proceeded as most normal hackers would. They looked for common issues in the OS, wiggled around a little bit, and landed on a couple key pieces of functionality they could exploit remotely.
The could change the radio, completely control the music player, and adjust the volume. Might not seem super scary at first but think about two scenarios. One, think about that baby monitor hack. Imagine if you were driving and someone's voice just came out of the speaker threatening you. And two, this one comes from a kaspersky.com article about the situation, imagine the potential issue if you're driving at 65mph and suddenly it's full volume static. The pure jump scare factor presents a possibility of endangerment on its own.
Now, there's more to it than just this though. That was just hacking the multimedia system of the car. The head unit for these cars connected via a sprint network and by setting up their own base station for a cellular network, the hackers were able to analyze traffic and effectively find any car that communicated in a way which signified that it could be vulnerable. Narrowing it down to a specific car proved challenging but they were able to do it. So now they had a bit more remote capability.
What about a bit more in the way of impact though? How could they make a bigger splash here? Well the car is something called CAN BUS. This is the internal network of your car. Yep, your car is a network. Might be something you haven't thought about but if you've got a modern car you're a network on wheels.
It connects all the big components of the car, to inlcude the eninge, the transmission, sensors, prety much anything that might need a computer assist! To the auto designers credit this is pretty segmented from the multimedia server so access wasn't guaranteed right away. But there was a middle man that might help facilitate it, called the V850 controller. The controller talked to each of those components and was able to give a route into the CAN bus for our intrepid duo.
By tricking the controller into installing a fake firmware update they were able to no longer just listen to what the CAN was doing through it, but also give it directions. Think about that, they could now give directions, to the piece of equipment that controls everything. Here's a list of some of the things they did.
- They could control the steering wheel
- Pump your breaks
- mess with your ac and locks
- even cut the transmission
And there you have it. They own your car and can effectively make it do whatever they want. It's insanely scary and their hack led to a rather large recall of cars to make sure this didn't happen. Even if it took Chris and Charlie years to do this, they're just two people. Imagine throwing the effort of a nation state behind this. With resources like that it's possible to cut that time down significantly.
And I want to touch on one other thing. That subscirption multimedia service. So even if a hacker can't get directly at the car like we see here, there is a bit more to worry about. Upstream a little bit is the Uconnect platform that would have enabled the some of that minor kind of exploitation, and opened it up to a much wider audience. Uconnect is the tool that's loaded into these computers for entertainment, gps, and general functionality that supports the user in their car. But as we've said they'll need to connect remotely to Uconnect servers to get updates or for troubleshooting.
What these hackers found was that if Uconnect had been compromised upstream, it would be possible to do these some of these hacks across millions of cars. And if you think that's not a big deal, Uconnect probably has their stuff together, I encourage you to go back and listen to episode one again. The Colonial Pipeline thought they had their stuff together too, but one weak link in the chain brought the pipeline to a grinding halt.
What I'm saying here, is that by using these tools, you're inheriting a risk I don't think many people realize they have. Because now we're adding a point of failure here in the form of the upstream server. And there are ways to prevent this, in fact many companies have implemented the kind of segmentation techniques needed to do this. But as with anything, once a proof of concept is shown, it's only a matter of time before people dive even deeper and try to make their own way that might cirumvent any kind of fix.
Shodan: IoT Access
So we've talked a bit about the common theme here being that what tends to happen is that credentials are compromised and the attackers login, or they spend years trying to worm in through small exploits, but there's more around than just that. There's also just ways to do reconnaisance and find your own targets that could be just as vulnerable. At any given time, there are thousands of scanners crawling the internet just cataloging everything they find and waiting for people to find the diamonds in the rough. One such tool is free and super easy to use. It's called shodan.io. You can go take a look there now if you want. By just typing in camera to their search engine it will show you hundreds of thousands of cameras freely accessible to the internet that you can just peer in on. I'm looking right now and one that I can see already that is a bit questionable is clearly a personal garage. It's more than cameras too, there's plenty of other things on the sites, but I just wanted to demonstrate to you how easy it is to just find something like this within a minute and a half of searching. It's a truly bizarre and amazing capability we've got that, it's entirely possible, might be spewing out something of yours one day if you're not careful.
Fin:
So what can you do about this? It can seem pretty scary, knowing that all these modern accomodities can so easily be turned against you. But as with everything in our lives, it's all about calculating the amount of risk you're willing to take for the convenience. I'm no better than anyone we've talked about today. I've got my own suite of IoT devices that I allow to live on our network as a part of life. It makes things easier sometimes and I accept the risk that comes with it.
So what do you do to help kind of mitigate this risk? Well it's nothing you probably haven't heard from me and whatever other podcasts you listen to on the topic.
To start, you use a bit more of a complex password. And I know there are gonna be some of you out there rolling your eyes at this, but just get a password manager. They'll take care of the complexity for you and as long as you remember that single password to get in, the rest is on them.
The other thing you can do is enable that two factor authentication. That's the tool that either texts you, emails you, or relies on a pregenerated code from a separate application to get you in in addition to your password. It's that concept of something you have, the code, and something you know, the password, working together to make it a bit harder for someone to take control of your account without you knowing.
If you want to go a bit more nuclear with it you can always run everything yourself. There are security systems that operate on a bit more of a closed loop network, out of your own home, that you can use for example. In that case you can have a system that you control and doesn't ever need to touch the internet. That's not super cost or time effective and comes with the responsiblities of maintaining your own uptime and equipment though. Like I said, it's about the price of convenience vs privacy when you do stuff like this, so you've gotta consider that too.
The last option really? Just don't do it. At the end of the day these aren't really necesseities are they? You don't need an alexa or google home. You don't necessarily need the smart tv or appliance. They just make things easier. And if you want them, who am I to knock you for it? After all, I've accepted some of this risk into my own life, but I've taken the precautions where I could to make sure it doesn't come back and bite me. As can you. At the end of the day, we have the responsibility to secure ourselves just as much as the manufacturer in some cases. So where do you draw the line?
That's this weeks episode, thanks for listening to me explain What the Shell is going on with the Internet of Things. I've got a couple fun things I wanted to plug on at the end of this episode so bear with me for another minute or two if you can. The first, is that I recently made an appearance on the "So You Wanna Be In IT" podcast. It's a great podcast and the hosts Dean and Pat are great guys that are aiming to help people just getting started in the field find out what kinds of tips and tricks can help out. I talk a little bit about finding mentors and the kind of attitude I had when I first started as a helpdesk way back when. So if you're interested I encourage to go give them a listen.
The other thing I wanted to plug is that on Friday, February 11th at 6:30 PM EST I'll be in the discord audio chat for a bit so you can feel free to come by and have a talk with me there. I'm going to try and have these a bit more frequently because a couple of listeners out there expressed some interest so if you're around you can feel free to join in. The link to the discord channel is on my website, whattheshellpod.com. You can head there to get the invite and check out all the ancillary material from this weeks episode as well!
That's all for now. Make sure you tell a friend or a coworker about the show if you enjoy it and I'll see you all in two weeks for our next episode.