Security researchers have revealed just how insecure IoT networks can be in a report that runs rings around network security in devices including IP cameras and the popular Philips Hue smart lighting system.
However, while specific devices were successfully attacked, the researchers were at pains to point out that the attacks focussed on the network protocols rather than exploiting specific vulnerabilities in the devices themselves.
"When we started analysing the lab setup, the first thing we noticed was that some devices do not even support encrypted protocols for video streaming (SRTP), file transfer (SFTP) and web management (HTTPS), and those devices that support encrypted protocols do not suggest their use by default. The result is well known: many IoT devices are setup and managed with insecure protocols, allowing traffic sniffing and tampering, including sniffing credentials and sensitive information, including patient information in hospitals or video footage," said the Forescout researchers.
Having assumed that an attacker had already gained a foothold on the network (via phishing or similar credential theft) the team were able to craft a series of exploits, most dramatically compromising an IP security camera and forcing it to display a dummy feed in a Hollywood heist-style scenario. The attack on the IP camera focuses on manipulating RTSP commands between the camera and the Network Video Recorder (NVR).
The camera attack consisted of three steps: capturing the network traffic containing camera footage and extracting it for replay, then forcing the camera to end a current session by changing a GET_PARAMETER to a TEARDOWN request, and finally when the NVR tries to establish a new session, capturing the SETUP request and changing the client port to a different one. This allows the attacker to send the replay stream to the NVR, while viewing the captured real stream on the reallocated port.
Elisa Constante, senior director, industrial and OT technology innovation at Forescout told SC Media UK that the findings represent a real threat to both enterprise and home users of IoT devices: "Connected cameras are supposed to provide an additional layer of security to organisations that install them. Yet, as our research has revealed, the exact opposite is often the case. By exploiting unencrypted video streaming protocols and performing a man-in-the-middle attack, we were able to intercept and record real-time camera footage that we subsequently used to replace the live feed with. This effectively gives criminals a virtual invisibility cloak to wreak havoc in the real world: they can perform illicit activities undisturbed, since they are invisible to security officers’ cameras."
In the case of Philips Hue, the researchers were able to not only take control of the lighting system and switch it off, but also reconfigure it to potentially set a public IP for the device, thus enabling remote access via the Internet and using the bridge as a network entry point.
The Philips Hue lights use an API between the devices and the bridge based on RESTful HTTP requests, which the researchers successfully abused by sniffing an authorisation token sent in cleartext with API requests. The tokens "can be copied by an attacker who has access to the network and can sniff traffic. Valid tokens can be seen in any authenticated request, which are of the form http:///api// where is the network address of the Hue bridge and is the API token in cleartext", explained the researchers.
"Organisations that want to avoid falling victim to such an attack should ensure they have a comprehensive device visibility and control platform in place", summarised Constante.