It's that time of year; what better way to hop back in than to talk IoT and holiday hacks?
Discord: https://discord.gg/bJauPBBhHn
Website: https://whattheshellpod.com
Instagram: https://instagram.com/shell_pod
IOT Part Three
We're back! Apologies for the stutter-step start there with the last episode. I'm sure a lot of you get it, but life has a way of throwing a wrench in things every now and then to make things more interesting. Just after publishing the return episode, I was offered a new job, and honestly one that was essentially my dream gig for where I'm at in my career right now. I won't go too into it, but if you'd like to know more feel free to reach out on the Discord. That's all to say that I'm not in the business of giving anything less than 100% effort, so I pressed pause again and took the time to get myself rooted in my new role before I pushed out another episode. Now I've got a few in the bank so I'm ready to get rolling.
I hope you're all getting ready for the holidays and settling in after what I'm sure was a very busy time in your life. November sure has thrown a lot of surprises to the world this year, but one thing I think we can all count on is a holiday sale. If I timed this right, we should be coming up on your favorite time to make some new purchases. Could be Black Friday, could be Cyber Monday. Someone, somewhere is going to try and get you to make some fun buys in the next few weeks. Maybe you're thinking about setting up a new Alexa or Google Home device. Maybe you decided that you're going to get a nannycam or a pet monitor. Hell, maybe you went all out and got that new smart fridge you've seen so many commercials for on your smart TV feeding you smart ads. Well, what if I told you that these little treats come with a price? What if I told you that some of your things might not be as safe as you'd expected?
My name is John Kordis, and this week we're going back to a familiar topic that we've covered in the past for our first three-peat episode. We'll switch it up just a little bit from the usual single-story model, and instead I'm going to tell you a story of many things. More specifically, we're going to talk about that Internet of Things and What the Shell else we might not have covered on the last episode.
So join me this week so I can talk to you a bit about some major breaches in privacy, some interesting stories, and how your fridge might be moonlighting as a hacker without your knowledge.
Now, before we get into the hacks and craziness, I feel like I should include my normal bit of a refresher for anyone that might not be super familiar with IoT devices. And when I say IoT I mean the "Internet of Things". Broadly speaking, the Internet of Things is any kind of piece of technology that has to communicate across the internet in order to function. In the past few years that term has largely become associated with things like home security systems, personal assistants, and a myriad of other app-controlled life assistance bots. But really, it goes beyond that. I said it in the intro, maybe it's a fridge that lets you peek into it remotely or has a built-in Android tablet that lets you order food. It could be your smart lights or your home router. Or more seriously, it could be your medical alert system, your car, or your home heating control…
All of these things that reach out to the internet for operation and control make up the Internet of Things. If you've ever had to sync it to your home Wi-Fi, it's probably part of it. For any of my newer listeners, this isn't the first time we've had this discussion. If you want, you can go back and check out episode 12 for stories about how even things like sex toys can get hacked.
So, to start, let's talk about some kind of scary numbers. Last year, Check Point did a really interesting study that I'll link in the transcript at whattheshellpod.com, that talked about the increase in attacks on IoT devices year over year. They stated that 54% of organizations were targeted by attack attempts each week on IoT devices, averaging almost 60 attacks each. That number itself is 41% higher than 2022 and according to them triple the number from 2 years prior. What's the reason for this? Well, it's partially in the name. Many of these devices can be connected to the internet or external-facing networks to allow for remote access or compatibility. It could be something like a router, or a security camera as we've talked about in the past.
Looking back at 2023, there were some clear winners in terms of what was impacted though:
MVPower DVR Remote Code Execution: This exploit impacts an average of 49% of organizations every week.
Dasan GPON Router Authentication Bypass (CVE-2018-10561): impacts 38% of organizations weekly.
NETGEAR DGN Command Injection: impacts 33% of organizations weekly.
D-Link Multiple Products Remote Code Execution (CVE-2015-2051): impacts 23% of organizations weekly.
D-Link DSL-2750B Remote Command Execution: impacts 14% of organizations weekly.
You can see here a lot of these are router-based vulnerabilities, likely because of how commonly they're stood up, let alone stood up incorrectly or incompletely. What do I mean by incorrectly or incompletely, though?
Well, right now I'm going to talk about something that's been the bane of my existence for a while: default credentials. You know those default usernames and passwords that come pre-installed on your router or any other IoT device? They're meant to be changed right off the bat, but let's be real, how many people actually do that? Not enough, that's for sure. I'm certainly guilty of it in the past. I think a lot about people moving, which is a notoriously easygoing and non-stressful time, right? Toward the end of a move, all you really want is your internet to work and to get settled in. I think a lot of people are guilty of just clicking through the setup without actually making sure they're set up securely. They might click "skip for now" a few times, or not consider that they might need to change that starter password that the router came with.
To give you some examples, those starter username/password pairs are often as simple as "admin/admin" or "user/user." They're widely known and easy for attackers to exploit. On top of that, in a zone like the internet, they're also easy to automate. Hackers use wordlists containing these default usernames and passwords to perform brute-force attacks. Essentially, they bombard your device with these commonly used credentials until they find a match, and if they can get any kind of operating system fingerprint beforehand, they can narrow it down to make it look less suspicious from the outside. It's alarmingly easy.
Default credentials are like a welcome mat for cybercriminals. They know those generic passwords and can easily break into your devices if you don't change them. Once they’re in, it’s a playground for them to mess around with your network, steal your data, or even use your devices as part of a larger attack. So, really, if there's one thing you take away from today's episode, let it be this: change those default credentials. It's a simple step, but it can save you a lot of headaches down the line.
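On the defender's side, the brute-force pattern described above is easy to spot in a router's login log: a burst of failed logins against factory account names from one source, or worse, a successful login to one of those accounts from outside the house. The script below is an added example for this episode, not code from the show or from any router vendor; the syslog-style line format, the LAN ranges and the sample log lines are all constructed for the example.

```python
"""Flag default-credential brute force and remote factory-account logins in a router log."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Factory account names the episode calls out (admin/admin, user/user) plus root; extend for your gear.
DEFAULT_ACCOUNTS = {"admin", "user", "root"}
# Address ranges we consider "inside the house" (explicit, rather than ipaddress.is_private).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Constructed sample log; the format is made up for this example, not a real router's.
SAMPLE_LOG = """\
2024-11-20T03:14:07Z router httpd: LOGIN_FAIL user=admin src=203.0.113.5
2024-11-20T03:14:08Z router httpd: LOGIN_FAIL user=admin src=203.0.113.5
2024-11-20T03:14:09Z router httpd: LOGIN_FAIL user=user src=203.0.113.5
2024-11-20T03:14:10Z router httpd: LOGIN_FAIL user=root src=203.0.113.5
2024-11-20T03:14:11Z router httpd: LOGIN_OK user=admin src=203.0.113.5
2024-11-20T09:02:44Z router httpd: LOGIN_OK user=jkordis src=192.168.1.20
2024-11-20T09:30:00Z router httpd: LOGIN_FAIL user=admin src=192.168.1.20
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if the line is not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ok": m["result"] == "LOGIN_OK", "user": m["user"], "src": m["src"]}


def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def brute_force_sources(events, threshold=3, window=timedelta(seconds=60)):
    """Sources with at least `threshold` failed logins to default accounts inside one `window`."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"] and e["user"] in DEFAULT_ACCOUNTS:
            fails[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in fails.items():
        times.sort()
        # Sliding window over the sorted failure timestamps for this source.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
                break
    return flagged


def remote_default_logins(events):
    """Successful logins to a factory account from an address outside the LAN ranges."""
    return [(e["src"], e["user"]) for e in events
            if e["ok"] and e["user"] in DEFAULT_ACCOUNTS and not is_lan(e["src"])]


def analyze(lines):
    events = [e for e in map(parse_line, lines) if e]
    return {"brute_force": brute_force_sources(events),
            "remote_default_logins": remote_default_logins(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Either finding is a strong signal that the factory password was never changed; the single in-house failure from 192.168.1.20 is deliberately left unflagged so a typo at the keyboard does not page anyone.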
It's such a simple and important step, even, that the United Kingdom recently became the first country to ban IoT devices from using any form of default credentials. The law took effect in April of this year, saying that "The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared. If the default password is used, a criminal could log into a smart device and use it to access a local network, or conduct cyber attacks." That's not to say that it isn't done in other places, but it's slowly becoming more and more the standard instead of the exception. If you've recently switched service providers for your internet you may have noticed this if you leased a router from them. A lot of vendors like Comcast are using a simple formula of random adjective, random noun, and a number to give you a unique password. Maybe something like slipperysquirrel598.
There's a lot of ground I could retread, though: the fact that botnets use IoT devices, the fact that there's also the user security portion to consider. But let's get into some of the more interesting hacks I've uncovered and talk about some fun, and not so fun, examples of what can be hacked and how.
I want to start with one that surprised me a bit that I read about this summer. I don't know about you, but in the summer I like to grill. I'm not a nut about it, but I've got a Bluetooth thermometer that monitors what I'm cooking because I like to be precise. I've even toyed with the idea of getting a grill that could do some of that for me, something that would let me smoke meats overnight or for long periods and take just a little bit of the stress off of it.
But what if a threat actor could come in and do something worse than hack my toothbrush? What if they could ruin my barbecue? Well, that was exactly the case when security firm Bishop Fox's Nick Cerne found that Traeger grills could be impacted by a vulnerability that resulted in the ability for an attacker to abuse the built-in API. That API, if you'll recall, is a coding resource to help send commands to the grill from things like a mobile application. The team was, to quote the write-up,
"able to remotely shut down the grill (belonging to an employee not on the research team) and also to increase the temperature. In this case, the researchers changed the temperature from 165 degrees Fahrenheit to 500 degrees Fahrenheit."
"Instead of being smoked into a delicious meal, the tofu was reduced to a blackened, inedible crisp."
I've got a link in the transcription to the technical details here, but it demonstrates the calls they made and what would happen as a result.
https://bishopfox.com/blog/methodology-for-traeger-grill-hack
Ultimately, one of the things that did offer a slight sense of security was the fact that Bishop Fox was not able to actually ignite the grill remotely. That at least means that an attacker couldn't just turn my grill on when I'm not home…
Let's take it indoors, though, on this little journey of IoT devices. In this hypothetical let's just say I've got a lot of smart home devices to help minimize the effort expended throughout the day. So what do I do while I'm waiting on my grill to cook up something good for dinner? Well, I tell my robot vacuum to clean the floor for the guests that are coming by later.
Robot vacuums used to be something of an eccentric or lavish thing, but now I know a bunch of people that have opted to bring them into their daily life. And I get it, after a long day at work, not everyone wants to do the chores they need to do to maintain their home. So we offload. And this holiday season you might look at something like a Roomba or an Ecovacs system.
But what if I told you that Ecovacs in particular had a history of not necessarily being the most security-oriented company? At first you might think, well, big deal, my vacuum doesn't care about security. But start to consider what actually makes your vacuum tick, like let's say… the onboard camera? Well, Dennis Giese had found a way to exploit Ecovacs systems from up to 140 meters away. For the non-metric audience that's about 460 feet. And to put it in perspective for our sports fans, that's about 1.5x the length of an American football field, close to the same for the average soccer pitch as well.
So he didn't need to be right up close and personal with these items to perform the attacks he was doing over Bluetooth. He just needed a strong antenna and the know-how to try.
Dennis was able to build a payload that accomplished a myriad of tasks. Let me just read to you what he was able to do:
Access all the device logs
Obtain Wi-Fi credentials and network access
Access all sensors on the device
Access the onboard computer of the system
So let's run through some of those problems one by one and ask, well, why is that such a bad thing? Let's say I'm an attacker targeting you, in particular. If I'm able to see the logs of your Ecovacs I might be able to put together when you scheduled your machine to run, and then start to profile when you were and weren't anticipating being at the house. Sure, that one is kind of defeated by physical observation, but it's still something interesting that could be done.
Let's get a bit meatier with it, though. Let's talk about the sensors and onboard computer. Because what this means for you is that the onboard microphone and camera tied to the vacuum to help it navigate are completely in the control of the attacker. Dennis shared some pictures of the security test he performed that I've got on the website, whattheshellpod.com, and you can see the view as the robot comes up on his partner in this process making a coffee. And in a second picture, you can see the attacker outside the building in question, just enjoying a day on the lawn. Honestly, on a nice day, he doesn't look like anyone that would draw any attention, but what he's doing is running a small level of surveillance.
And I think some of you may have caught on, but I did skip over one of the listed items that I'm coming back to now, because the impact is potentially massive. That's the Wi-Fi credentials and network access.
This is one of the things that scares me the most. The entry point into every other device on your network. I don't often talk about my job on the show, but this is one of the times I'll bring it up. I'm in Attack Surface Management. That's profiling the entry points and the security concerns, and trying to reduce them. There's a lot more to it, but just consider that. So if this vacuum has access into my home Wi-Fi, what does it get? Well, let's assume I'm a normal user and I haven't set up a separate IoT network.
They get access to a potentially commonly used password if I reuse the Wi-Fi password elsewhere
They may get access to the router that can be added to a myriad of botnets
More importantly, they can see what else is on the network.
I'm taking the viewpoint of an average citizen right now, not me as the cyber professional, and not you as the cyber enthusiast. So many people just live day to day without updating their PCs or devices. It's why so many are switching to a more automated update model, so that you don't need to interact with them to do it. I know even in my own family growing up, some PCs just stayed on and we didn't update them very often.
Well, when they're not updated they're just accumulating potential exploits. And here, what we have is an attack chain. You take the Ecovacs robot as an entry point and pivot laterally in the network to an out-of-date PC with minimal protection. Then they've got your daily driver and access to exploit, extort, and scam their way into even more.
I've got two more stories about IoT to tell you, then we'll close it with some hypotheticals. Let's continue the move from outside the home to in. In fact, let's take it to the most private part of your life, your sex life. We've talked in the past about how hackers could potentially cause some… let's just say less than ideal… problems with IoT sex toys, but late 2023 saw some instances of malware that targeted Lovense, a suite of adult toys that were tied to an app and in turn the Internet of Things.
So what, or who, is Lovense? They're a Singapore-based company that does "smart" adult toys that can be used by long-distance couples. If you want to use it right and properly, you'll be connecting it to their app to give you and your partners the ability to control it. Sounds fine in and of itself, but consider that to get that remote access, it's going to be going online. Some of you might think there are a couple of easy points here, like, well, it's not like they have cameras or microphones, right? True to that, but there is still a lot in their book to choose from for operational context.
In an article from NordVPN it was noted that:
"In 2017, a Reddit user discovered that the Lovense Remote app recorded a six minute audio file of a dildo session. An official Lovense representative replied that the file was only stored in the application’s local folder as a temporary cache file and wasn’t sent to the company’s servers. Also, it turned out that the so-called “minor bug” only affected Android users. Soon after the complaint, Lovense fixed the bug for their latest app version."
And I have to keep reading this article a little bit because it's got a hilarious bit of wordplay. It went on to say that:
"Earlier that year, Lovense was in another tight situation, this time involving their butt plug Hush."
That was referring to when a security researcher named Giovanni Mellini discovered that the device was prone to man-in-the-middle attacks, making it possible to pair it with a laptop without authentication and make the butt plug vibrate.
And it's possible to do this with other sex toys as well. Because many of these devices rely on an app in the middle to communicate, the signals that control them are ripe for exploitation, and I guess so are you in this case…
I think it's funny that the NordVPN article offers a "How do I know if my Lovense toy is infected with malware?" section. My guess would be some kind of STD test, but that's neither here nor there.
They go on to say that typical behavior of malware transferred via an app like this involves a rapidly depleting battery, lag on the phone, and random reboots. But if I'm being honest, it feels like that's just what happens when the OS moves past your phone's ability and you're getting off-cycled by the manufacturer. I don't think anyone would immediately see one or multiple signs on that list and think "malware".
Ultimately, the easiest way to protect against sexy malware is to just keep the device off and lock down the app with a good password and controls. I mean, if I'm being honest, the real easiest way is to just use the old-fashioned toys that don't connect, but to each their own.
It's difficult not to see how this could be used against someone though. Imagine if they took a 6 minute audio clip of an intimate moment in your life and ransomed it off to you or auctioned it off online. These are sometimes the most guarded parts of people.
There was another instance last year in a similar vein too where a chastity belt that could only be opened with an app was under scrutiny for a similar kind of hack.
A firm called Pen Test Partners discovered a toy manufacturer named Qiui had a vulnerable lock that could trap users inside of it if it was exploited properly. In some cases, because it didn't have a physical key, that might end up meaning an angle grinder or heavy tool would be needed to free you from it. I'm sure rapidly spinning metal near your genitals is worth the risk, right? And once again, like most companies, because they ask for so much when you install the app on the phone, Qiui was also potentially leaking your personal information like name, locations, passwords, phone numbers, and birthdays. Best case scenario there, you're getting a targeted sex toy ad on your birthday; worst case, they're threatening to exploit you or contact your entire phonebook.
Pen Test Partners thinks that the adult toy vendors have shown a rather blatant disregard for privacy and security in recent years, and I'm inclined to agree. But to that end it seems like it's just the IoT production process as a whole. The model seems to be: make a quick buck, push the product out to retailers, don't support it, go under, start a new company and repeat.
The last one I'm going to talk to you about is going to seem tame compared to the recent points, but hear me out because it flows well into the little thought exercise we're gonna do.
In August of 2023, Bitdefender submitted a vulnerability disclosure to Bosch regarding one of their smart thermostats. What they found was that, because of the way the circuitry of the thermostat was architected, it was vulnerable to a command injection attack. This thermostat operated with two small boards called microcontrollers. Together, the system would use one of them for Wi-Fi functionality and the other for the brains of the device. At first glance, that seems like a good idea, right? If the networked piece is separate from the brain, it can't cause damage?
Well, what Bitdefender found was that the device was listening on a port that would mirror any message received on it from that Wi-Fi piece to the brains of the device. So an attacker could potentially craft the right request over that port to pass it to the brains and execute a command.
The way this could work into an even trickier exploit was that they discovered it was possible to ask for details about a firmware update and then potentially feed in a malicious firmware package pointing to an attacker controlled "update server".
Once that firmware is on, then all aspects of the device are basically yours. Imagine if they wanted to cause some fiscal damage to you by setting the temperature to something uncomfortably high, but tricking the sensor output into being low. That would cause heat to kick in and then constantly try to compensate, resulting in a bigger bill on top of you sweating.
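The two design mistakes in that story, a Wi-Fi board that relays raw bytes to the controller and an update path that trusts whatever server it is pointed at, have straightforward fixes: parse and allowlist every message before it crosses the board boundary, and accept firmware only from a pinned host with a digest and signature that check out. The code below is an added illustration of those fixes, not Bosch's or Bitdefender's code; the command schema, manifest format, update host and signing key are all constructed for the example, and the HMAC stands in for the asymmetric signature a real bootloader would verify with a baked-in public key.

```python
"""Validating bridge and update verification for a two-microcontroller thermostat (constructed example)."""
import hashlib
import hmac
import re
from urllib.parse import urlparse


class BridgeError(ValueError):
    """Raised when a message or update must not be passed to the main controller."""


# Hypothetical allowlist: command name -> validator for its single optional argument.
ALLOWED_COMMANDS = {
    "SET_TARGET_TEMP": lambda arg: arg.isdigit() and 50 <= int(arg) <= 90,  # whole degrees F
    "GET_STATUS": lambda arg: arg == "",
    "CHECK_UPDATE": lambda arg: arg == "",
}
MESSAGE_RE = re.compile(r"^([A-Z_]{1,32})(?: ([A-Za-z0-9]{0,16}))?$")

# Placeholder host and key for the example; a real device pins the vendor's host and
# verifies an asymmetric signature with a public key baked into the bootloader.
PINNED_UPDATE_HOST = "updates.example-vendor.invalid"
SIGNING_KEY = b"demo-provisioned-key-not-real"


def mirror_forward(raw: str) -> str:
    """The weak design the episode describes: whatever hits the Wi-Fi MCU's port goes to the controller."""
    return raw


def validated_forward(raw: str) -> str:
    """Parse, allowlist and re-serialise, so only a canonical command reaches the controller."""
    m = MESSAGE_RE.match(raw)
    if not m:
        raise BridgeError("malformed message")
    cmd, arg = m.group(1), m.group(2) or ""
    check = ALLOWED_COMMANDS.get(cmd)
    if check is None:
        raise BridgeError(f"command not allowed: {cmd}")
    if not check(arg):
        raise BridgeError(f"bad argument for {cmd}: {arg!r}")
    return f"{cmd} {arg}".strip()  # rebuilt from parsed fields, never the raw bytes


def sign_manifest(url: str, image: bytes) -> dict:
    """Build the update descriptor the vendor would publish (helper for the demo)."""
    digest = hashlib.sha256(image).hexdigest()
    sig = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {"url": url, "sha256": digest, "sig": sig}


def verify_update(manifest: dict, image: bytes) -> bool:
    """Accept an image only from the pinned HTTPS host with a matching digest and valid signature."""
    u = urlparse(manifest.get("url", ""))
    if u.scheme != "https" or u.hostname != PINNED_UPDATE_HOST:
        raise BridgeError("update server not trusted")
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        raise BridgeError("image digest mismatch")
    expected = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("sig", "")):
        raise BridgeError("bad signature")
    return True


if __name__ == "__main__":
    print(validated_forward("SET_TARGET_TEMP 68"))
    image = b"constructed firmware blob"
    print(verify_update(sign_manifest(f"https://{PINNED_UPDATE_HOST}/fw.bin", image), image))
```

With the validating bridge, an out-of-range setpoint like the 500 degrees from the grill story is refused at the board boundary, and a manifest that points at any other host is refused before a single byte of the image is flashed.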
Those little sensors that could be abused though, that's what I wanted to bring in to the end of the episode.
Let's go into the end of this episode with an exercise based on a conversation I had recently with my friend Alex. This past summer, she asked me "Well, how bad could it get?" in relation to "The Internet of Things". I'm gonna run through some of what I can just think of as I'm writing this, and try to make it as close to that discussion I had as possible.
I'm gonna give you a second here to think about it. Knowing what kind of tools might require that little bit of internet connectivity to perform smart actions, what do you think might be at risk?
We've talked in many episodes about the industries that hackers target. They target auto, healthcare, utilities, anything they could disrupt or fetch a hefty ransom out of.
We've already talked cars and we've already talked cameras, so I'll leave those out of it. If you want to learn more about the auto hacking side of things, I encourage you to listen to the first IoT episode where we discussed a team that hacked the onboard computer of what I believe was a Jeep, but I can't recall off the top of my head.
I personally keep coming back to healthcare and industrial facilities. The stuff that tends to keep people alive. Let's walk through a couple of worst-case scenarios. Imagine, if you will, that a smart refrigeration unit keeps the blood at a critical blood bank stored at exactly the right temperature. What if someone was able to change the settings in a similar way to the thermostat from earlier in order to make it unusable, and what if that happened during a time of need?
On the smaller scale, what if there were tools that operated like the Ecovacs in terms of how they communicated and ran commands, in order to supply hospital workers with essential support? If it turned out that these were actually just a wide-open pivot point to the network, well, now we've got patient data at risk and it becomes a matter that could end up being life and death.
It doesn't necessarily need to be in the hospital either. There are hearing aids, pacemakers, medical pumps, and more that operate on or even in a person to help keep them alive and that are supported by over-the-air updates and applications. Theoretically, these could each become a target if not secured properly.
And then we get to industrial problems. The very first episode was the Colonial Pipeline hack. The pipeline was shut down for weeks after an old account was used to get into the internal network and disrupt service. Well, the sensors that might operate on the IoT for remote support of these pipelines are also a potential pipeline in to cause similar damage.
Everywhere we look we're expanding the Internet of Things, and we're lucky that there are some institutions that are looking to secure them. For you at home? Well, if there are a couple of things I could recommend to you coming out of this podcast, I'd say it's this.
Firstly, secure the account tied to your IoT device heavily. It should have two-factor authentication AND a solid password. Secondly, and this is something we're seeing a lot more of now, operate them on a separate network. The last three routers I've had at home have all had the ability to create a separate and more secure zone for IoT devices that effectively grants them only the least amount of network access they need. Look into that and see if maybe you can transfer your devices over to it. It's not going to be easy, hell, I can say for certain that it's annoying. But it's worth it.
Happy shopping everyone, spend wisely and do your research before you buy that new smart device, and if you think it's worth it… well, I hope you enjoy it. I'm John Kordis and thanks for listening to What the Shell?
Before we go I want to ask if you can do me a favor. Since I'm just coming back the show is going to have a bit of an uphill battle against the algorithm. So if you can rate the show that would be super helpful. Especially all you Spotify listeners, that seems to be my biggest userbase. And if you liked this, maybe share it with someone you think might enjoy it too.
I've rebuilt the show's Discord; you can find a link to it in the episode description. That's where I think I'd love to have the most conversation with you, but if you're feeling like going somewhere else you can find me on Instagram at @shell_pod. I'll see you all in a few weeks for the next episode!