Rapid7 research into a range of internet protocol (IP) video baby monitors has exposed insecure-by-default problems inherent in the design of devices making up the internet of things (IoT).
While there have been no specific campaigns of mass exploitation of consumer-grade IoT devices to date, a whitepaper on the research said the finding should serve as an advisory on the growing risk that businesses face as their employees accumulate more of these interconnected devices on their home networks.
“This is especially relevant today, as employees increasingly blur the lines between home networks and business networks through routine telecommuting and data storage on cloud resources shared between both contexts,” the whitepaper said.
According to security firm Rapid7, most of the vulnerabilities and exposures identified by the research are trivial to exploit by a reasonably competent attacker, especially in the context of a focused campaign against company officers or other key business personnel.
“If those key personnel are operating IoT devices on networks that are routinely exposed to business assets, a compromise on an otherwise relatively low-value target – like the video baby monitors covered in this paper – can quickly provide a path to compromise of the larger, nominally external, organisational network,” the report said.
The research was conducted by Rapid7 senior security consultant Mark Stanislav in response to reported breaches of internet connected baby monitors to understand the scope of the security risk.
Nine video baby monitors – ranging in price from $55 to $250 from eight different manufacturers – were subjected to in-depth security testing. All of the devices exhibited several common and well-known security issues – as well as ten new vulnerabilities, disclosed to the suppliers prior to publication of the research whitepaper.
Typically, the newly disclosed vulnerabilities are effectively mitigated only by disabling the device and applying a firmware update when one becomes available, the whitepaper said.
Old vulnerabilities that ship with new video baby monitors include a lack of encryption for communications and data storage, the availability of a command-line interface on a network port and backdoor accounts with weak passwords.
The new vulnerabilities identified include backdoor credentials, cross-site scripting, authentication bypass and privilege escalation.
The state of IoT security
According to Stanislav – who previewed the research findings at DEF CON 23 hacker conference in Las Vegas in August 2015 – the findings do not apply only to video baby monitors, but provide a good sense of what consumer IoT security looks like in general.
He told attendees at the conference that any authenticated user of an online service associated with one of the cameras could view camera details for any other user – including video recording details – due to a direct object reference vulnerability.
“The object ID parameter is eight hexadecimal characters, corresponding with the serial number for the device. This small object ID space enables a trivial enumeration attack, where attackers can quickly brute force the object IDs of all cameras,” said Stanislav.
“Whatever the assumptions about the state of security for consumer IoT or connected baby monitors, this provides real evidence that the current state of those two things is not healthy,” he told Computer Weekly.
The research whitepaper notes that other products of direct interest to commercial and industrial consumers and security researchers (commercial security systems, home automation systems, on-premise climate control systems) share many of the insecure design and deployment issues found in video baby monitors.
The cameras that were tested represent a “huge cross section of the entire market for these devices” and based on the evidence, the “state of affairs is really, really bad” for baby monitors and there is “a lot of risk” associated with having one on a home network connected to the internet, said Stanislav.
The second important takeaway, he said, is that while a lot of baby monitor exploitation seen in the past was mainly because there was either a hard-coded backdoor credential or a default password that was never changed, tests showed that three critical vulnerabilities affected every device.
“Depending on the vulnerability in which context, it could impact every single camera at one time from one attacker, from one source. It was not opportunistic, it was attacking a central web service that these cameras all connected back to, affecting all cameras for each supplier,” said Stanislav.
Cost immaterial to security
The research also highlighted the fact that the cost of IoT devices is not related to the security of the device. “Right now, paying more for a device is not a guarantee of better security, because the more you pay, the greater the number of features, which typically means greater technical complexity and therefore greater risk,” he said.
In the light of the fact that there is a growing number of people that work from home, he said it is a security concern that like video baby monitors, many consumer IoT devices are really little Linux servers sitting on the home network, but users have little or no control over them.
“There is often no control over the passwords, what ports are open, and what remote access protocols are enabled, making IoT devices often very soft targets for attackers to break into,” said Stanislav. “For the most part, IoT devices are just inherently vulnerable servers.”
He warned that if criminals can break into IoT devices connected directly to the internet without requiring authentication and their associated web services, it could provide an opportunity to hack into the rest of the home network.
“If you are a remote worker and you are connecting to services and you are connecting to a virtual private network (VPN), that is a very attractive target for a criminal to go after,” said Stanislav.
The whitepaper on the research discusses the friction involved in reporting issues to suppliers in a way that is beneficial to users.
Stanislav notified all suppliers of his findings 60 days ahead of publishing the research findings, but only one responded with an expected timeline for producing fixes for the issues described. One supplier was impossible to contact, having no domain or any other obvious internet presence beyond an Amazon store listing.
While some suppliers did not respond and others questioned the motives for the research, he said some had been very positive. The best response came from Philips – one of only two of the IoT suppliers that had an established security vulnerability disclosure process in place.
“Philips also had the facility to enable us to encrypt all of our communications about the vulnerabilities, and have been great to work with on fixing the issues and understanding the research we are doing to learn as much as they can,” said Stanislav.
Security supply chain
One of the biggest challenges relating to the security of IoT devices, he said, is that the supply chain of IoT is such an important and complex thing, but the topic is not yet getting enough attention.
“There are a number of third-party components, pieces of software and cloud services required for a single IoT device, typically involving four to five different suppliers,” said Stanislav.
“IoT security is difficult, because it is a challenge for any single development team to be expert in mobile security, cloud security, application program interface security and all the other aspects of security related to IoT devices,” he said.
For this reason, Stanislav said Rapid7 recommends that producers of IoT devices and services tap into expert-backed IoT development resources from industry initiatives, such as BuildItSecure.ly and Online Trust Alliance.