In his own home, a researcher hacked two NAS devices, a DSL router provided by his ISP, and his smart TV.
In his own home, a researcher hacked two NAS devices, a DSL router provided by his ISP, and his smart TV.

The average home has about five network connected devices that are not computers and mobile phones, according to David Jacoby, a security analyst with Kaspersky Lab, who recently decided to undergo an experiment to see if he could hack those devices in his own house.

The answer is a resounding yes, Jacoby indicated in a Thursday post, explaining that the criteria for a successful hack in this research meant obtaining access to a device, or obtaining administrative access to a device, or being able to modify a device.

In Jacoby's home, he found that two popular network-attached storage (NAS) devices contained more than 14 vulnerabilities that could enable remote system command execution under the highest administrative privileges, he wrote. Furthermore, the devices used weak passwords stored in cleartext and configuration files had incorrect permissions.

“In my case, the NAS devices were the most vulnerable,” Jacoby told in a Thursday email correspondence, explaining the devices were running Linux. “An attacker could perform the same malicious things as if it were a normal computer.”

Some of those malicious things include installing a backdoor outside the shared folder, which prevents it from being removed unless the same vulnerability is exploited, as well as accessing all content on the device, installing malware such as ransomware and trojans, and storing illegal software and documents, Jacoby said.

He added that an attacker could also “Install malicious tools from the NAS itself, performing advanced attacks on the network, such as rerouting all traffic via the NAS and capturing sensitive data [such as] credit cards [and] credentials.”

Poking into the DSL router provided by his ISP, Jacoby learned that the device contained inaccessible ‘hidden' functions, some named ‘Web Cameras,' ‘Telephony Expert Configure,' ‘Access Control,' ‘WAN-Sensing,' and ‘Update,' according to the post.

“The hidden features are still a mystery and I'm still working to get access to these features,” Jacoby said. “But for example, it would be scary if someone could enable/reroute Webcam traffic, or reconfigure my SIP server.”

Additionally, Jacoby learned that his expensive smart TV could be vulnerable to a man-in-the-middle (MitM) attack because authentication and encryption is not used when downloading content – such as thumbnails and widgets – from the vendor's servers, according to the post. Further, the TV can be used to load JavaScript files, possibly enabling the reading of local files and discovery of more vulnerabilities.