Researcher hacks network connected devices in own home

Share this article:
Researcher hacks network connected devices in own home
In his own home, a researcher hacked two NAS devices, a DSL router provided by his ISP, and his smart TV.

The average home has about five network connected devices that are not computers and mobile phones, according to David Jacoby, a security analyst with Kaspersky Lab, who recently decided to undergo an experiment to see if he could hack those devices in his own house.

The answer is a resounding yes, Jacoby indicated in a Thursday post, explaining that the criteria for a successful hack in this research meant obtaining access to a device, or obtaining administrative access to a device, or being able to modify a device.

In Jacoby's home, he found that two popular network-attached storage (NAS) devices contained more than 14 vulnerabilities that could enable remote system command execution under the highest administrative privileges, he wrote. Furthermore, the devices used weak passwords stored in cleartext and configuration files had incorrect permissions.

“In my case, the NAS devices were the most vulnerable,” Jacoby told SCMagazine.com in a Thursday email correspondence, explaining the devices were running Linux. “An attacker could perform the same malicious things as if it were a normal computer.”

Some of those malicious things include installing a backdoor outside the shared folder, which prevents it from being removed unless the same vulnerability is exploited, as well as accessing all content on the device, installing malware such as ransomware and trojans, and storing illegal software and documents, Jacoby said.

He added that an attacker could also “Install malicious tools from the NAS itself, performing advanced attacks on the network, such as rerouting all traffic via the NAS and capturing sensitive data [such as] credit cards [and] credentials.”

Poking into the DSL router provided by his ISP, Jacoby learned that the device contained inaccessible ‘hidden' functions, some named ‘Web Cameras,' ‘Telephony Expert Configure,' ‘Access Control,' ‘WAN-Sensing,' and ‘Update,' according to the post.

“The hidden features are still a mystery and I'm still working to get access to these features,” Jacoby said. “But for example, it would be scary if someone could enable/reroute Webcam traffic, or reconfigure my SIP server.”

Additionally, Jacoby learned that his expensive smart TV could be vulnerable to a man-in-the-middle (MitM) attack because authentication and encryption is not used when downloading content – such as thumbnails and widgets – from the vendor's servers, according to the post. Further, the TV can be used to load JavaScript files, possibly enabling the reading of local files and discovery of more vulnerabilities.

Page 1 of 2
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Popular Science served up Rig Exploit Kit on its website

The monthly science magazine served up malicious code to readers earlier this week and has remedied the issue.

Deloitte releases paper on vetting leaks, avoiding costly hoax

Deloitte releases paper on vetting leaks, avoiding costly ...

The research presents techniques for distinguishing legit data leaks from false claims.

Attack on White House systems breached unclassified networks

The White House experienced a sustained cyberattack on its systems that impacted its network for nearly two weeks.