Vulnerability Management

Researcher hacks network connected devices in own home

The average home has about five network connected devices that are not computers and mobile phones, according to David Jacoby, a security analyst with Kaspersky Lab, who recently decided to undergo an experiment to see if he could hack those devices in his own house.

The answer is a resounding yes, Jacoby indicated in a Thursday post, explaining that the criteria for a successful hack in this research meant obtaining access to a device, or obtaining administrative access to a device, or being able to modify a device.

In Jacoby's home, he found that two popular network-attached storage (NAS) devices contained more than 14 vulnerabilities that could enable remote system command execution under the highest administrative privileges, he wrote. Furthermore, the devices used weak passwords stored in cleartext and configuration files had incorrect permissions.

“In my case, the NAS devices were the most vulnerable,” Jacoby told in a Thursday email correspondence, explaining the devices were running Linux. “An attacker could perform the same malicious things as if it were a normal computer.”

Some of those malicious things include installing a backdoor outside the shared folder, which prevents it from being removed unless the same vulnerability is exploited, as well as accessing all content on the device, installing malware such as ransomware and trojans, and storing illegal software and documents, Jacoby said.

He added that an attacker could also “Install malicious tools from the NAS itself, performing advanced attacks on the network, such as rerouting all traffic via the NAS and capturing sensitive data [such as] credit cards [and] credentials.”

Poking into the DSL router provided by his ISP, Jacoby learned that the device contained inaccessible ‘hidden' functions, some named ‘Web Cameras,' ‘Telephony Expert Configure,' ‘Access Control,' ‘WAN-Sensing,' and ‘Update,' according to the post.

“The hidden features are still a mystery and I'm still working to get access to these features,” Jacoby said. “But for example, it would be scary if someone could enable/reroute Webcam traffic, or reconfigure my SIP server.”

Additionally, Jacoby learned that his expensive smart TV could be vulnerable to a man-in-the-middle (MitM) attack because authentication and encryption is not used when downloading content – such as thumbnails and widgets – from the vendor's servers, according to the post. Further, the TV can be used to load JavaScript files, possibly enabling the reading of local files and discovery of more vulnerabilities.

“I tried to get my potential attack vectors confirmed, but due to the high price of my TV, I could not continue my research since I did not want to break the device,” Jacoby said. “But if my theory is correct, I could do the same types of things that I did with the NAS devices.”

Jacoby said he has been working with certain vendors to address these vulnerabilities, but he explained that it is tough because some are not open to discussion and do not put much security in their products. The problem is compounded, he added, because the lifespan of these products are short, meaning patches for vulnerabilities cease being released.

Some of the best actions people can take to protect themselves is to make sure all security and firmware updates are current, all usernames and passwords are changed, and encryption is used on files in NAS devices, Jacoby wrote in the post.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.