An E&T investigation together with leading cyber-threat experts reveals how simple it is to hack Internet of Things (IoT) devices hooked up to the internet, exploring the implications of what this could mean for consumers and critical infrastructure in the UK.
Despite today’s seemingly infinite number of internet-connected IOT devices, we are probably still a long way off from reaching the ceiling. Experts anticipate the number of global M2M connections to surge further to 14.6 billion connections by 2022, growing at a pace of 19 per cent a year. With this explosion, however, comes a dark side, one unimaginably tempting to hackers. Little gadgets, however helpful to our daily lives they may be, already are – and will further be in the future – the villains’ weapon of choice.
The ubiquitousness of IoT devices – often dubbed as ‘internet of sh..t’, according to one cyber-security expert speaking off the record at InfoSecurity, the annual cyber-security conference held in London – means hackers could easily encounter an easy way into our systems and private lives, and perhaps even more worryingly, identify potential access to critical infrastructure systems that include everything from a nuclear power plant to water treatment plants. If fatal, it could risk lives, says one expert.
Sectors such as banking in the UK that are already tightly regulated have been investing huge amounts of cash for years into their own cyber-security systems, precisely because they were regulated and came with hefty fines if any gaps were identified, says Anthony Young, director at cyber-security firm Bridewell consulting.
Critical infrastructure systems, water treatment or electricity plants, atomic power plants and anything that runs our daily lives, only started being regulated last year with the emergence of the European NIS Directive (Directive on security of network and information systems).
“If there are any cyber attacks on these systems, it could cause potential loss of life”, he says. Young’s team performed pen-testing (controlled hacking experiment) on a UK wind farm recently. “We could essentially stop all of the turbines just by doing a basic security scan of the system and then break in via a so-called ‘denial-of-service attack’. Turbine after turbine started to shut down. It was incredible”, he says. All his team had to do was to run a scan on the network, it overloaded the system and opened the door to an attack. “We didn’t even have to find a vulnerability. It was so simple. What if we start to overload the turbines? They can do a lot of damage”.
To a hacking professional (as well as to amateurs, as we will see later), IoT devices would introduce by a much larger ‘area of surface’ to attack and expose systems connected to IoT devices.
Media and governments around the world become increasingly alarmed with their own security gaps that the IoT introduces in public infrastructure. The response from the introduction of NIS, which took place at around the same time as the GDPR regulation last year, was mainly subdued, but its merit is indispensable. Sadly, critical infrastructure is not at the level where it should be, says Young. Investment is lacking: “In public organisations, the question is often ‘How can we upgrade the security systems if we can’t even pay people’s wages?’”.
For IoT devices, the weak links are in ‘industrial control systems’, he says. In a lot of these organisations, they were not designed with security in mind. They were designed to do one or two very simple processes in a power station, for instance. The issue is that most of the organisations are keen to connect them to the internet and to systems because want to have a picture of what’s happening with all of these different systems in order to drive efficiency and save money. By connecting them all up, they are opening these tremendous vulnerabilities”. We have not seen the end of it, he explains to E&T.
New laws around the world are either currently being considered or are already in place to prevent companies from selling IoT devices to the government that could introduce security flaws.
E&T investigated how much it takes to crack one’s own IoT device. This includes an IP camera you might buy cheaply off Amazon or eBay, perhaps without understanding that this could cause a problem down the line.
Talking to Keiron Shepherd, a senior security systems engineer at F5 Networks, E&Tassembled a list of the simplest procedures that hackers might use when hacking IoT devices. The idea behind it: the better you understand how someone else might go about hacking your devices, the more vigilant we might become.
With the example of an Internet-connected camera, the first question Shepherd asks is how to define hacking a camera in the first place. “Is it just looking at the camera that you are interested in? Or are you invested in accessing administrative access to the console?
“I could do other things, like to infiltrate it with malware and then the malware could perform other tasks like the recording of your voices and to send it back to the control centre or record your keystrokes or similar things.”
Hacking 101 would not start with a blank sheet. Shepherd says that the ‘nice’ thing about hacking IP cameras or other IoT devices is that there are tons of tools around. With the advancement in the cyber-security space, similar progress was made in the hacker communities. “Hacking is now an industry. There are many, many tools built and put out into open source”.
One of the niftiest tools, hardly known among the general public, is the example of hacking a camera via a website called Shodan.io – it is the Google for hackers, Shepherd says.
Shodan has been criticised as being a potent ally for hackers, although as Shodan presents ‘just’ a port scanner and exposes vulnerable devices and does not use the information it discovers, it is deemed legal – and therefore does not break the Computer Fraud and Abuse Act because “it does not meet the requirement for damage concerning the availability or integrity of the device”, according to Scott Hirschfeld at CT Access.
You can try this at home yourself if you feel concerned or enthusiastic, advises Shepherd. He suggests Webcamxp, one of the most popular webcams and network camera software for Windows, as a good example for throwing a camera model name at the search engine in order to understand its powers (it is a webcam server that is widely used and is white-labelled for other cameras, Shepherd says).
“Were you to try this on Google, ‘Webcamxp’ would perhaps yield information about what WebcamXP is or does. Not so on Shodan. There it prints a map of the globe and reveals all the hotspots where those type of camera appear – down to the very longitude and latitude”.
Keen explorers are provided with the public IP address of those cameras and links so one can connect to their ‘view’, directly. 9 out of 10 times, WebcamXP cameras feature no username or password or they still use the default one, which could amount to simply ‘admin/admin’.
The results are as clear as they are impressive. When you click on them, you receive direct access, some live-streaming at various spots all around the world – no matter if they’re recording in front of a private home or being used to safeguard a yacht.
E&T asked Shodan’s founder, John Matherly, about the opportunity and threats the platform brings to the marketplace. He argues that before Shodan, there was no way for people to realise how many embedded devices there were directly available over the Internet. It would help people to understand what they have connected to the Internet and letting them know if something unusual pops up. As an individual, you can enter your IP address on the main website to see whether you have anything public. “And for all of our paying customers, we offer a simple service to monitor network ranges so they instantly get notified if Shodan discovers something”, he told E&T.
“Shodan can be used for good and bad things”, he admits. Matherly explains that to limit the danger bad users could pose, similar to Google, it has many measures in place to minimise the amount of data that bad people could access.
‘It’s kind of security to obscurity’, Shepherd says. “If you do have a security camera at home, the question is ‘Who is going to want to look at my camera?’ and ‘Who has the details?’ Anyone, as the example shodan.io shows”. Just as Google would index its webpages, Shodan indexes the IP addresses of web-connected cameras. This would be one of the easiest and simples first approaches for hackers, he says. “For me, it is not even a hack to expose web cameras open to the Internet with either no or merely a default password”.
A list of cameras, such as Mobotix, Sony and Swan, could all be found. The next step is to search on Google for possible default username and passwords – the default admin credentials that ship with the device.
To test how vulnerable the cameras he owns himself are, and to test the weakest link of resistance, Shepherd engaged in a self-experiment: “It is something that I did myself”.
Shepherd remembers the Mirai botnet attack – a very large network of bots, primarily composed of home IP cameras. This botnet spread by having a list of default usernames and passwords for these cameras and it would go out and scan the internet and uses tools like Shodan.io – automatically, of course – to find the cameras, to log in via the username and password and then infect as scripted.
The botnet built a network of around 100,000 IP cameras and then the culprits controlling this Mirai botnet sold the offering as a service for hacking attacks. The hackers then had 100,000 notes on the internet, he says. The orchestrators then only needed to inform where it should point to and when it should flush the victim with traffic. It may have cost a couple of bitcoins, Shepherd says. The result: one of the largest data attacks in history, at least at that time, he adds.
The desire to hack his own devices came when Shepherd realised he himself had three cameras safeguarding his home and valuables, perhaps posing a risk: one in his garage looking after his motorbikes and pushbikes, one in the front of the house and so on. Armed with the knowledge of the Mirai botnet attack, “that’s when the idea occurred to me to check on my own cameras”.
The first thing he did was to look up his camera models on Shodan. He tried the usernames and passwords, he changed them and made sure there was no hidden universal password. “They were fine”.
Next, he considered the possibility to check if he could record his camera footage locally in his home on a hard drive. This would have made it safer. The funny thing about securing connected IoT devices is that they are safest when being disconnected or fenced, which takes all purpose and use away: “The way my cameras work is that they record stuff and send it to the cloud. What if I don’t want my footage to be sent to the cloud? I tried and it wouldn’t let me. I thought, there’s got to be away”.
Shepherd found the IP address of his camera in his local network. This would be dead easy, he says. One would only need to run a tool called Nmap (short for “Network Mapper”), a free and open-source utility for network discovery and security auditing. One quick scan was all it took and the tool would list all the IP addresses in his home. He tried to log on locally but in vain.
It was ‘commented out’ – term developers use for describing code that is explanatory, but doesn’t do anything, usually marked between hashtags – so it is only visible when the source code is viewed. Anyone can do that.
If I can find this within five minutes, I am sure that anyone that wants to build a botnet can find this
The sheer simplicity of most attacks is one big problem, he says. Most of them are not much more sophisticated and hackers will typically take the path of least resistance. Smart cameras, considered how they are connected, notably from the big brands, such as Alexa and Google, smartphones, watches and smart TVs, home monitoring, heating cameras, toys, vehicles – the world of connected devices is growing exponentially, he says.
“It could be a large device or a small device, a camera in someone’s house, the process is really similar. All devices that are on the internet need to talk to each other. If you want the most secure device in the world, you would just lock it down, but then you would lose its main use”, he says.
Shodan’s founder, Matherly, is not as convinced that the risk is quite the same. With regards to exploiting these systems, it could be significantly more difficult than hacking an IoT device or webcam “because they are systems that the average developer has never interacted with. IoT products would operate largely using the same technology as servers – Linux, Node.js – whereas infrastructure control-system devices are in an entirely different world that requires specific domain expertise to make sense of”, he said.
Nonetheless, more and more of these industrial control systems would pop up on Shodan. The number on the internet grew by nearly 10 per cent year-on-year since Shodan started to measure, says Matherly. “We’ve provided the data to relevant organisations to help fix the problem, but it’s been tough”.
In March 2019, Shodan extended its service reach and announced the launch of ‘Shodan Monitor’, a new service designed to help organisations keep track of systems connected to the Internet.
Devices talk to each other via opening ports, virtual ports. Web browsers talk to port 80. If you want to talk securely to a web browser, you would ‘talk’ on port 443, a port for https or SSL traffic, Shepherd says. There are lots of other ports available. “The first thing you do to hack them, let’s take my home network as an example, you would use a tool to scan my network and to tell what is out there. The utility will come back with a list of IP addresses. Based on these IP addresses, I would know what ports IOT devices are ‘listening’ on. Straight away, I would get a device that is part of my network and which is listening on port 80. It must be some type of web service, which is brilliant for the sort of task we are after”.
Many people would try to change the port that their devices listen to and assume when they let them listen to other ports, not a standard one, that this would resemble a valid disguise.
Now all one needs to do is to try and connect to it as a web service via a browser, for instance. It would come back, at once, and require a username and password. Then you could look at the source code and discover the username and password and the Apache Services 2.0, for example.
Shepherd explains that as an attacker, one would then Google ‘vulnerabilities in Apache 2.0’, for instance, and access lists of vulnerabilities in the particular device model and version of interest. “Here you could see, for example, that this version should have been patched to version 3 last year’”, he says.
To keep code current and up-to-date would be one of the biggest issues, says Shepherd. Consumers of IoT devices could simply not keep up with maintaining their own code to stay up to the challenge. How could they? They are not experts.
The sheer power and scale can be seen with recent attacks, such as the WannaCry ransomware attack which spread in 2017. It proliferated through those vulnerabilities. One major vulnerability was introduced when Microsoft issued a patch – a software update comprised of code inserted into the code of an executable program – nearly 12 months earlier. “If you are a hospital with 5,000 devices that you would need to upgrade, you are not going to do this in five minutes flat”, Shepherd jokes. Hackers would rely on the fact that users will not update their code as quickly as the vendors would like. “This leaves thousands of devices vulnerable to already well-known vulnerabilities”, he says.
“You just find those devices on the internet, find out what service they are listening to, work out what version of the service and then Google for vulnerabilities. And then you just launch that vulnerability. It’s child’s play”, he says.
Other places where hackers presently search and often find a vein of gold – many times strategically harvesting users’ foolishness – would be code sharing platform Github, the file-sharing company bought by Microsoft in 2018. Developers would unknowingly leave default password and API keys and similar sensitive information in the code and would upload ‘secrets’, for anyone, including hackers, freely visible. Automatic tools, similar to those previously mentioned, would support hackers’ operations – little would be done manually.
The problem is the impact of this evolution. “Let’s face it, who is going to scan their own devices? Who can even be even bothered to check on upgrades? When I asked my father-in-law – who has an internet-connected doorbell that, when it rings, sends a picture to the web – ‘When did you update it?’, he would wonder how to even do that”, Shepherd says.
Technical barriers to performing upgrades would still be very high. It is hard enough for businesses to expect active consumers to do that kind of stuff, let alone unaware consumers, he says. You have devices now that can track peoples’ movement, that can stalk people, that can take pictures of your children, turn off your diabetes alarm, turn off your electric smart meter. The threats as we get more connected “grow exponentially”, he says.
To counteract hackers’ operations, regulation for devices sold to the government would increasingly account for things like built-in vulnerabilities. This alone won’t be enough. “There is a dual responsibility here. One lies with the manufacturer, including secure code and being up to date”. The US governments would increasingly enforce this now, under the Cybersecurity Improvement Act of 2019. If a company wants to sell to the States, a minimum level of security is required. One of them is that the device needs to update automatically and ship with default usernames and passwords. Other precautions are also part of it, but for consumers there remain huge gaps.
Shepherd says that in the UK a proposal was made for a code-of-conduct suggesting that new online products and services should be made secure by default, although this will remain voluntary until 2021.
Being in the shoes of consumers, Shepherd says it is more about ‘what you get is what you paid for’. When looking at an IPTV camera, the question is whether consumers dare (or not afford) to opt for the cheap Chinese clone or the well-respected company that has a service-wrap around the product, where software code remains updated and secure, he says. “If you buy an Alexa home hub, it is going to update itself overnight. The same is the case with cameras”.
Shepherd contacted the company responsible for the camera he bought (the one with the security password and username in the code). “They make cameras for airports. They are a fairly big company. I asked whether they have a responsible disclosure program? I found something, I didn’t think I was supposed to find it. I found also some evidence in some forums. They responded that they did know about the vulnerability that I found, but this was part of their consumer camera arm, which they sold off to a company called Hikvision a year ago”.
“I thought, great, I am now at home with a camera with a default username and password where the controlling stake is owned by the Chinese government”, he says.
The upgrading issue has always been a problem, since the first appearance of IoT devices. The issue now is that the sheer number of devices is so great and users’ ability to handle and update them adequately is diminishing out of all proportion.
Shepherd asks: “How many of your friends had a smart TV five years ago, compared to now? Everybody has one now because no-one wants to settle for a separate box for Netflix, one for Amazon and Sky: they just want a smart TV they do it all, plug it into their Wi-Fi and forget about it. They don’t care about how it upgrades, whether it has access to your microphone or to the camera on your TV. They just want it to work. This is what exacerbated the problem. An influx of technology and people’s conformability”.
The more well-known brands, in order to protect their reputations, would go the extra mile to push updates. The problem lies with the white-label or cheap products, says Shepherd. It is those products that appear benign – the internet-connected fridge, or the cheap camera that you bought off eBay, of a brand you have never heard of, or the smart TV that you bought from a supermarket chain, that may not be part of a bigger brand – that will likely see the frequency of updates dwindle and vulnerabilities, known all over the web, causing mayhem.
There are different strategies to hack public systems, Shepherd explains. Contrary to the previous approach, to hack a system would require to think and act backwards. Hackers would look at which devices are presently available. Again, tools are your friend if you are an attacker. A website called CVE.mitre.org, short for Common Vulnerabilities and Exposures would list all the vulnerabilities on a single publically accessible website that names models and their identification numbers.
You can search in the CVE database by vendor, website or by type. “Let us assume there is a really nice vulnerability for one webcam model. It only affects the webcam version 2.1. Once I know this and that it only affects a certain version, I would then scan through Shodan and find all the web-cameras of this model and version 2.1. The list might amount to a few hundred”.
Boglarka Ronto, head of technical at Commissum, a cyber–security company, explains to E&Tthat because the time-to-market for IoT devices is often really short, vendors aim to get products out as soon as possible in order to be the first to dominate the market. As a result, they often compromise on security.
Shepherd says the next thing an attacker would do is to use the collected set of hundreds of targets connected to the internet that all run on a very specific version and suffer a very specific vulnerability flaw.
“I would use a tool like Metasploit – a free tool which advertises itself as a tool that can ‘help security teams do more than just verify vulnerabilities, manage security assessments and improve security awareness’, where hackers would insert a vulnerability number. A target is selected to be attacked and an IP address is provided. Metasploit will then run the vulnerability against the targets and will offer the attacker control over it. It comes with a hacking distribution called backtrack, or Kali Linux as it is now called, explains Shepherd.
In May 2019, an internet-wide scan revealed almost one million devices vulnerable to BlueKeep, the Windows vulnerability that has the security community on high alert this month, where Metasploit also came into force.
In short, “you would find vulnerabilities first; then you scan the web to garner your targets; then you use a distribution tool to launch attacks. Out of hundreds of addresses initially gathered, a smaller number might actually work”, he says. Then an even smaller proportion might actually be of interest for the hacker, diminishing the number to a few.
However, the attack on the right few could have a detrimental impact. If you want to access a system, what you would hope for is that at least one camera would sit in a large bank, for instance. The images of the camera would all of a sudden become less interesting. Instead, access to the camera would aid with access the server via administrative privileges, because the camera would internally talk to the server. “I now have laterally traversed my attack and I would try to gain access to the server. And once I have that, I could gain access to the Swift banking systems, for example – it is that weakest link, the path of least resistance, hackers are after”, he says.
The first thing hackers do is to test and ask the person in front of a computer to provide credentials themselves, usually via a phishing email. If that does not work, they go after the system itself and access a camera, open to the web, as shown above.
“People are foolish, they hook up to the internet their phones, their watches, they plug them into their laptops to get updates. All those activities increase the ‘attack surface’”, he explains.
A lot of times, they don’t even need to expose a website with an interface where someone can physically log in. One of the popular ways for devices to communicate with each other is via an API channel, where a machine talks to a machine.
Given that at some point we are all expected not to be able to withstand the attraction of IoT devices, already so ubiquitous around the world, Shepherd prescribes first and foremost buying from a reputable brand: “You want a company to invest money into research and development to push updates; the more often, the better”. Avoiding IoT devices that are out-of-date tomorrow is crucial to avoid. Buying from big brands should carry weight in the decision.
Alternatively, you might want to test your own device, in the same way as Shepherd did. If the search on Shodan and Google yields hundreds of results, be cautious: “If you come up with 50 or 100, try another vendor”, he advises.
Not everyone knows about Shodan, Shepherd says. It will help to drag such tools out of the shadows into the mainstream domain. If they are more generally known and used by the public – as opposed to now, where they are largely only known amongst the wrong kind of people – it could present opportunities to subvert a large part of the simpler kind of attacks. “Using Shodan is no harder than using Google. If you want to buy a certain camera, research it on Shodan the same way you would on Google. If it shows you red flags, be critical in your purchase decision”, Shepherd says.
Matherly from Shodan says that he had a few wins in reducing security risks. Most notably the number of Lantronix devices – which in some instances showed larger security gaps – has dropped significantly thanks to Shodan’s research and follow-up work with affected organisations, he says.
Matherly says that it’s true that embedded systems are sometimes used as a pivot into the rest of the local network, as IT probably didn’t expect the coffee machine in the breakroom to be infected with malware.
“I think that is slowly changing, as people realise that a modern refrigerator has more processing power than your desktop from a decade ago. Enterprise organisations have also become better at protecting from internal attacks whereas before it was mostly about keeping an eye on the perimeter”, he says.
His advice to anyone buying an IoT device is simple: “Don’t put it on the public internet. If you need remote access to the webcam, then put it behind a VPN to ensure only trusted sources are able to see it”.
This would apply to all devices that one would like to access remotely. As an individual, it would also be important to make sure not to make any changes to the router and instead use the cloud-streaming app that many webcams offer nowadays.