And the world at large is almost wholly unprepared. J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals, a global information privacy community, notes that the rapid forward march of technology is “exceeding our ability to manage.”
Indeed, most IoT devices have not been built with security in mind. Nowhere is that more clear than within low-level products whose makers never conceived of them as the conduits of sensitive information. As a result, baby monitors, routers and the like are pockmarked with flaws and vulnerabilities that in the wrong hands can be exploited to access personal information and login credentials to corporate networks, or to carry out other nefarious deeds.
Take, for instance, video baby monitors. These household devices give parents peace of mind by allowing them to check on their babies without squeaking a door open and offer the opportunity for them to share cutie pie moments with relatives a continent away. But, in research that should strike fear in the heart of any new parent – and those professionals concerned about the security implications of the IoT – a security pro at Rapid7 found vulnerabilities in commonplace retail video baby monitors that not only offer prying eyes a look into a family's most intimate moments, but could also “provide a path to compromise of the larger, nominally external, organizational network.”
Mark Stanislav, senior security consultant, global services at Rapid7, a global security data and analytics solutions firm with U.S. headquarters in Boston, tells SC Magazine that he put 10 video baby monitors through their paces and found vulnerabilities in all of them. There were two aspects to his research, he says: establishing a checklist that “this is the way I think cameras should work for security purposes” and discovering what the vulnerabilities were and how attackers could break in.
“All the cameras I looked at did not come close to what I expected,” says Stanislav, who himself is preparing for first-time fatherhood and was dismayed to find that outsiders might be able to intrude on his family.
Among the most troubling of products tested was the iBaby M6 from iBaby Labs, which featured a vulnerability that allowed “any authenticated user to the ibabycloud.com service to view camera details for any other user, including video recording details, due to a direct object reference vulnerability,” the Rapid7 research shows. A small object ID space lets hackers, through a brute-force attack, gain the cameras' object IDs, which are then used to view account details. Through broken links, hackers can then surmise a filename “intended to show available ‘alert' videos that the camera recorded,” the results reveal.
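As an added illustration, not code from Rapid7 or iBaby Labs, the direct object reference pattern the research describes is modelled below in Python with constructed camera records: a lookup that checks only that the caller is logged in, beside one that also checks ownership and replaces the small sequential ID space with unguessable identifiers.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Camera:
    object_id: str
    owner: str
    details: dict


# Constructed sample records standing in for a cloud service's camera table.
# Small, sequential IDs like these are what makes enumeration cheap.
CAMERAS = {
    "1001": Camera("1001", "alice", {"model": "M6", "alerts": ["alert_0001.mp4"]}),
    "1002": Camera("1002", "bob", {"model": "M6", "alerts": ["alert_0007.mp4"]}),
}


def vulnerable_camera_details(user, object_id):
    """Mirrors the flaw described above: any authenticated user can read any
    camera's details because only the object ID is checked, never ownership."""
    if user is None:
        raise PermissionError("authentication required")
    cam = CAMERAS.get(object_id)
    return cam.details if cam else None


def hardened_camera_details(user, object_id):
    """Authorisation check: the record must belong to the requesting user.
    'Not found' and 'not yours' both return None, so a caller cannot use the
    response to tell which IDs exist."""
    if user is None:
        raise PermissionError("authentication required")
    cam = CAMERAS.get(object_id)
    if cam is None or cam.owner != user:
        return None
    return cam.details


def register_camera(owner, details):
    """Issue a 128-bit random identifier instead of the next integer, so the
    ID space is far too large to brute-force, then store the record."""
    object_id = secrets.token_urlsafe(16)
    CAMERAS[object_id] = Camera(object_id, owner, details)
    return object_id
```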
Another monitor, Philips In.Sight, was discovered to have multiple vulnerabilities, among them one that concerns the web service on the backend of the company's cloud service used “to create remote streaming sessions” and which is “vulnerable to reflective and stored XSS.” Another, found in the method the monitor uses to enable remote viewing, allows insecure transport. Administrative privilege, once uncovered, “is available without authentication of any kind to the web scripts available on the device.”
What's more, once a session is established, the camera's live video/audio stream remains accessible on that host/port combination for up to an hour. “There is no blacklist or whitelist restriction on which IP addresses can access these URLs, as revealed in testing,” the research shows.
Not only can privacy be compromised, but a would-be attacker could use some of the monitors to gain access to other assets on the network – and even break into corporate networks.
The trends toward BYOD, connected devices and working from home have amped up the risks.
If baby monitors are on the suspect list, then just imagine the severe security challenges – and dangerous scenarios – that vulnerabilities in higher level, more critical “devices” might bring.
In July, a pair of security researchers revealed that they were able to exploit a zero-day vulnerability in the Uconnect entertainment system of a Jeep Chrysler to remotely control the vehicle's engine, transmission, wheels and brakes, as well as other onboard systems.
Chris Valasek, former director of vehicle security at IOActive, and former Twitter executive Charlie Miller, now both lured away from their positions to join Uber's security team, say the vulnerability was found in late 2013 to 2015 models that have the Uconnect feature. If attackers know the car's IP address, they can gain access to the car through a cellular connection. From there they target a chip in the entertainment system and rewrite firmware to commandeer the computer networks that control the vehicle's physical assets.