Ways to Pinpoint Exploitable IoT Devices
If you take security awareness seriously and try to stay abreast of vulnerability reports that create ripples in the cybercrime arena, you may get the impression that any device is hackable as long as it is connected to the Internet. To top it off, white hats will not stop reiterating that attackers do not have to master super-skills or use top-notch equipment to carry out a compromise like that. Let us do some fact-checking to see if this narrative makes sense.
Innumerable targets waiting to be breached
As per analysts’ insights, there are currently more than 30 billion active IoT devices, and the number may reach 75 billion by 2025. Whereas the figures and predictions vary across the board, this market is growing at an astonishing rate. Most experts claim this steady increase stems from the mass production of cheap Chinese Internet-enabled gadgets.
Whereas IoT evolution is undoubtedly a benign process, many manufacturers neglect to safeguard their products properly. For instance, it is already common knowledge that numerous elements of smart homes have critical firmware vulnerabilities, and their features are not implemented securely enough. Some of these slip-ups affect wide ranges of devices made by multiple different companies. Such flaws mainly result from the following violations of secure software engineering basics:
- The use of hard-coded (hence immutable) admin credentials.
- Large-scale reuse of weak default passwords and PINs for device access.
- Crude access control mechanisms that kick in when a user sends queries to a device settings interface (for example, going straight to /settings.asp without opening /index.html first) or requests images and video feed from a CCTV camera via the /axis-cgi/jpg/image.cgi page.
- Data processing bugs causing a buffer overflow. These weaknesses can allow a remote attacker to run arbitrary code after sending a specially crafted TCP packet.
- Leaving an option for a client device to instruct a web server to leverage legacy communication protocols riddled with vulnerabilities.
- Downgrading security measures to improve the user experience. Some vendors intentionally weaken authentication requirements so that users can customize their devices in a snap.
How to spot IoT devices susceptible to compromise
In an attempt to outpace threat actors, security professionals have created a handful of algorithms to identify vulnerable connected devices proactively. The bad news is that botnet operators have come up with ways to exploit the most effective ones in real-life attacks.
Cybercrooks often boil their dodgy IoT traversal activities down to searching for firmware vulnerabilities, including imperfections unearthed via reverse-engineering of the code. One more common approach is to restrict the scan to devices made by a specific manufacturer. To this end, crooks simply specify the first three octets (eight-bit strings) of the MAC address that uniquely identify the vendor. Yet another tactic is to focus on a firmware version that can be revealed through commonplace response to search engines or rogue search engines.
Regardless of the method, security researchers or attackers can step up the search accuracy by knowing the characteristics that distinguish one device from another. The typical workflow of pinpointing the low-hanging fruit starts with checking a popular vulnerability database (such as Rapid7 or MITRE) for known security gaps in predefined connected devices. It is best to focus on the following loopholes:
- Bugs that were found after the vendor stopped supporting the device and discontinued patch rollouts.
- The latest vulnerabilities that have not been addressed so far. Even if a patch is already available, many users are slow to apply it.
- Weaknesses that are indefinitely present in some device components and cannot be patched. The notorious Spectre and Meltdown bugs exemplify security holes like that.
- Broad-scale vulnerabilities inherent to a series of different device models because of a common web interface or the same hackable communication protocol they use.
Once this stage is completed, you will need to scrutinize the details of the bugs you have found and the IoT entities they affect. Carefully examine the documentation and try to spot distinctive features and strings of crudely written code.
Your goal is to figure out the hallmarks that set the target device apart from similar ones. For instance, it could be using a rare type of open port or returning an unorthodox network response when its firmware version is queried.
The next thing on your to-do list is to craft advanced search queries for Google (known as Google Dorks) and for the following mainstream IoT search engines:
To keep script kiddies from wreaking havoc, I will not list IP addresses of exploitable systems and other shortcuts or queries that make it trivial to identify easy prey. However, these details are a no-brainer to find as long as you diligently analyze a vulnerability description and create several search filters.
On a side note, the Shodan and Censys search engines leverage a few preventive mechanisms to raise the bar for unscrupulous individuals. For instance, they only display a couple of top search results to unregistered users, limit the number of requests per day, and narrow down the scope of available search filters. These techniques work wonders because the most useful search results usually lurk beyond the first hundred entries or so.
Researchers may use special scripts to boost the efficiency of searching for smart appliances based on specific criteria. By the way, the option of running both turnkey and custom scripts is the prerogative of registered users only.
Your next move is to examine the potential targets the search engine has returned. Also, refining your search through additional filters and more queries will not go amiss. The above-mentioned custom scripts could be incredibly helpful in terms of parsing the results.
Establishing a connection with the devices you have spotted is not too complicated. Most of the time, your garden-variety web browser should suffice. To hold sway over CCTV cameras and DVRs remotely, you might have to install a legacy build of Java Runtime Environment (JRE) plus a peculiar video codec. SSH and Telnet clients may also be required to exchange data with the device. Solutions like Cisco Smart Install Client belong in your toolkit as well.
You can now try to collect some stats or set up a remote test connection and tweak some settings. Taking the latter route is risky business, though, because you may get ensnared in a honeypot. Also, keep in mind that law enforcement agencies are increasingly adept at finding breadcrumbs that lead to cybercriminals. That said, it is in your best interest to keep your research from drawing those folks’ attention.
The IoT ecosystem is chock-full of security weaknesses, but not all of them are easy to exploit. Some bugs cannot be weaponized unless you are within the range of the wireless network the vulnerable device uses. A lot of imperfections can be addressed through regular firmware updates with important patches on board. The caveat is that it takes most manufacturers a ton of time to prep and release such updates.
Another thing to consider is that most results returned by Shodan and other search engines for Internet-enabled devices do not reflect easy-to-compromise targets. These services list so many entries because the network response of IoT devices often overlaps with queries run by researchers or wannabe hackers who are looking for exploitable objects.
All in all, you have to go the extra mile conducting scrupulous analysis combined with trial and error to discover sure-shot loopholes in connected things. I wish white hats were one step ahead of malicious actors in this activity. Unfortunately, that is not always the case.
Written By: David Balaban