This Blog was originally posted in Security Response.
Could your baby monitor be used to spy on you? Is your television keeping tabs on your viewing habits? Is it possible for your car to be hacked by malicious attackers? Or could a perfectly innocent looking device like a set-top box or Internet router be used as the gateway to gain access to your home computer?
A growing number of devices are becoming the focus of security threats as the Internet of Things (IoT) becomes a reality. What is the Internet of Things? Essentially, we are moving into an era when it isn’t just computers that are connected to the Internet. Household appliances, security systems, home heating and lighting, and even cars are all becoming Internet-enabled. The grand vision is of a world where almost anything can be connected—hence the Internet of Things.
Exciting new developments are in the offing. A connected home could allow you to logon to your home network before you leave work in the evening to turn on your central heating and your oven. If your alarm goes off while you are out in the evening, you could logon to your home security system from your smartphone, check your security cameras and reset your alarm if there isn’t a problem.
Unfortunately, every new technological development usually comes with a new set of security threats. Most consumers are now very aware that their computer could be targeted with malware. There is also growing awareness that the new generation of smartphones are also vulnerable to attack. However, few people are aware of the threat to other devices.
Linux worm
The Internet of Things may be in its infancy but threats already exist. For example, Symantec investigator Kaoru Hayashi recently discovered a new worm that targeted computers running the Linux operating system. Most people have probably never come across Linux, but it plays a big role in the business world and is widely used to run Web servers and mainframes for example.
The worm, Linux.Darlloz, initially appeared to be nothing out of the ordinary. It utilizes an old vulnerability in scripting language PHP to gain access to a computer; attempts to gain administrative privileges by trying a series of commonly-used usernames and passwords and propagates itself by searching for other computers. The worm leaves a back door on the infected computer, allowing the attacker to issue commands to it.
Since the worm exploits an old vulnerability in PHP, the threat relies on finding computers that haven’t been patched in order to spread. If this was all that the worm did, it would be fairly unremarkable. However, as Kaoru investigated the threat further, he discovered something interesting. The version circulating in the wild was designed to infect only computers running Intel x86 chip architectures, which are usually found on personal computers and servers. Kaoru then discovered versions designed for the ARM, PPC, MIPS and MIPSEL chip architectures hosted on the same server as the original worm. These architectures are mostly found in devices such as home routers, set-top boxes, security cameras and industrial control systems. The attacker was in a position to begin attack these devices at a time of their choosing.
One of the interesting things this worm does is scan for instances of another Linux worm, known as Linux.Aidra. If it finds any files associated with this threat, it attempts to delete them. The worm also attempts to block the communications port used by Linux.Aidra. There is no altruistic motive behind removal of the other worm. The likelihood is that the attacker behind Linux.Darlloz knows that the kinds of devices infected by Linux.Aidra have limited memory and processing power, and does not want to share them with any other piece of malware.
Linux.Aidra, the malware that Linux.Darlloz attempts usurp, also exemplifies this new generation of threats. Like some of the variants of Darlloz discovered by Symantec, Linux.Aidra targets smaller devices, specifically cable and DSL modems. The worm adds them to a botnet, which can be utilized by the attackers to perform distributed denial-of-service (DDoS) attacks. Whoever authored Darlloz obviously believed that Aidra infections were so widespread that it posed a potential threat to their own malware.
What is particularly worrisome about these kinds of threat is that, in many instances, the end-user may have no idea that their device is running an operating system that could be attacked. The software is, by and large, hidden away on the device. Another potential issue is that some vendors don’t supply updates, either because of hardware limitations or outdated technology, such as an inability to run newer versions of the software.
Vulnerable security cameras
This worm is just the latest in a series of incidents highlighting the emerging security threat around the Internet of Things. Earlier this year, the US Federal Trade Commission settled a case against TRENDnet, a firm that makes Internet-enabled security cameras and baby monitors. The FTC said that TRENDnet had marketed the cameras as being secure. “In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address,” the FTC said. “As a result of this failure, hundreds of consumers’ private camera feeds were made public on the Internet”.
In January 2012, a blogger made the flaw public and this resulted in people publishing links to the live feeds of nearly 700 of the cameras. “The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives,” the FTC said. As part of the company’s settlement with the FTC, the firm had to beef up the security on its devices and promising not to misrepresent their security in future promotional material.
What is notable about the TRENDnet incident is that the devices targeted were not infected with any form of malware. Their security configuration simply allowed anyone to access them if they knew how. This was not an isolated incident. There is now even a search engine called Shodan that allows people to search for a range of Internet-enabled devices.
Shodan searches for things rather than websites. Aside from security cameras and other home devices, Shodan can also find building heating control systems, water treatment plants, cars, traffic lights, fetal heart monitors and power plant controls. If a device is simply found using Shodan, it does not mean a device is vulnerable. However, services such as Shodan do make it easier for devices to be discovered if attackers know of vulnerabilities in them.
The connected world
Not all concerns relate to security vulnerabilities. Internet-enabled televisions are now quite common and offer a number of useful additional features such as access to video streaming services and Web browsing. Recently, electronics manufacturer LG confirmed that several of its television models track what people watch and send aggregate data back to the company. The company said that it did this in order to customize advertising for its customers. However, an error in the system meant that the television continued to collect data even when the feature was turned off. The company has said a firmware update is being prepared that will correct this problem.
The Internet of Things is still only in its early stages. The number of Internet-enabled devices is beginning to explode. According to Cisco, there are now more than 10 billion connected devices on the planet. Given that the world’s population is just over 7 billion, that means that there are now more connected devices than there are people. Cisco, which has been keeping tabs on the numbers of devices, now believes that the number of connected devices will hit 50 billion by 2020. Interestingly, the company believes that around 50 percent of the growth will occur in the last three years of this decade.
Within the past number of years, we have seen a huge range of connected devices emerge. For example the humble thermostat is now Web-enabled. So too is the light bulb, which can now be controlled with a smartphone. Even the automotive industry is sitting up and paying attention, promising connected vehicles that can receive a stream of real-time information.
What is driving this explosion? Simply put, there is now more “room” on the Internet and devices are becoming cheaper to manufacture. Every device connected to the Internet needs an address in order to communicate with other devices. This is known as an Internet Protocol (IP) address. The number of available addresses under the current system of addresses, Internet Protocol Version 4 (IPv4), has been almost exhausted. A new system, IPv6, is currently being adopted. It can provide a vastly larger number of IP addresses, billions upon billions for every single person on the plant.
Other standards are also evolving. For example, the industry charged with overseeing the Bluetooth standard for wireless communications recently announced the latest version of the technology. The group said that Bluetooth is evolving to take into account the development of the Internet of Things. The new Bluetooth standard will make it easier for devices to find and talk to each other in an increasingly crowded environment. And it will now be easier for Bluetooth-enabled devices to link up with an IPv6-enabled Internet.
In tandem with this increase in network space, Internet-enabled devices are becoming easier to manufacture. Many people may be aware of Moore’s law, the axiom that predicts that that the computing power of processors will double every two years. A corollary is that lower powered chips are becoming cheaper to manufacture all of the time. Other technologies, such as Wifi chipsets, have dropped significantly in price over recent years. All of these factors are combining to mean that it’s becoming easier and cheaper to produce Internet-enabled devices.
Staying protected
- Perform an audit of what devices you own. Just because a device doesn’t possess a screen or a keyboard, doesn’t mean that it isn’t vulnerable to attacks.
- If something you own is connected to your home network, there is a possibility that it accessible over the Internet and thus needs to be secured.
- Pay attention to the security settings on any device you purchase. If it is remotely accessible, disable this feature if it isn’t needed. Change any default passwords to something only you know. Don’t use common or easily guessable passwords such as “123456” or “password”. A long combination of letters, numbers and symbols will generate a strong password.
- Regularly check the manufacturer’s website to see if there are updates to the device’s software. If security vulnerabilities are discovered, manufacturers will often patch them in new updates to the software.
Many of your devices are attached to your home network, which is in turn connected to the Internet. Your router/modem is what stands between your devices and the wider world. Securing it is of paramount importance. Most come equipped with a Firewall, so ensure that it is turned on and properly configured.
