Security researchers have uncovered a pair of serious vulnerabilities in a popular model of DAB and internet radio, which allow attackers to easily compromise the devices. The attack vector is reminiscent of the methods used by the Mirai botnet, and illustrates that significant challenges remain in securing IoT devices.
The vulnerabilities were disclosed by Vulnerability-Lab researcher Benjamin Kunz, and two CVEs have been assigned, CVE-2019-13473 and CVE-2019-13474.
The first covers a weak password vulnerability within an undocumented telnet service (telnetd) of the Linux BusyBox system, which is permanently on. The hardcoded credentials can be easily brute-forced, according to the researchers, giving an attacker remote root access to the Linux box. The same vulnerability is also present in devices from another manufacturer that uses the same type of default manufactured system, for which a patch is being produced.
Secondly, a command execution vulnerability allows attackers to gain access and craft unauthorised commands by targeting web-server communication on ports 80 and 8080, which has no mechanism to block unauthorised commands.
The combination of telnet, open ports and weak hardcoded passwords is potentially a dangerous one, as experts were quick to point out.
Fennel Aurora, security adviser at F-Secure, told SC Media UK that: "It has been known bad security practice since the late 1990s to continue to use Telnet for any purpose; it is an even older truth that unneeded services should be disabled. This vulnerability highlights the security walking dead that is coming back to life through unregulated IoT devices chasing the lowest prices while ignoring basic security principles learnt more than 20 years ago.
"While you can think hacking an internet-connected radio is not important, there are two reasons why this should be a concern. Firstly, with a potential of a million devices powerful enough to handle streaming services adding to botnets, cases of distributed denial of service attacks against basic internet services or even the internet of entire countries (as happened to Liberia with the first Mirai botnet) are likely to increase. Secondly, a hacked device inside your network is often a stepping stone to attack other more valuable devices and data in your home or corporate network – the 2017 example of a US casino having gigabytes of internal documents stolen via a hacked "smart" aquarium illustrates the risks perfectly."
David Kennefick, product architect at edgescan, told SC Media that the wider picture is grave: "IoT malware is typically device agnostic, meaning that it does not care what the targeted device is used for (fridge, camera, router etc), it only cares if it can add it into its network of compromised devices. The majority of these exploitable devices are using BusyBox as their underlying OS. BusyBox is a stripped-down Unix-like OS designed specifically for IoT devices or devices with both low power or limited functionality. The devices were using variants of BusyBox from 2012 and 2014. Some earlier versions of BusyBox don’t even have the capability to update themselves or be updated. The default password for the IoT radio devices from Telestar Digital was ‘password’.
"Malware can be tailored and designed to these particular devices but there is no need to veer from a design that has been successful, so the only approach to combating a malicious actor such as Mirai is to implement security earlier in the device design process and stop using poor default credentials on devices that are designed to be internet facing."
In 2016 the Mirai malware knocked nearly one million Deutsche Telekom (DT) customer routers offline, and exploited weak credentials to amass a botnet that exceeded 2.5 million IP addresses at its peak.
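For defenders, the exposure described above (telnet plus web services on ports 80 and 8080 reachable on an IoT device) can be watched for at the gateway. The following is an added example, not part of the original article: it scans firewall log lines for outside hosts reaching LAN devices on those ports and flags repeated telnet attempts. The iptables-style log format, the LAN range `192.168.1.0/24`, the threshold and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home/office range
WATCHED_PORTS = {23: "telnet", 80: "http", 8080: "http-alt"}
FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

# Constructed sample lines in iptables LOG style (not from a real device).
_PFX = "Jul 10 12:00:00 gw kernel: IN=eth0 OUT=br0 "
SAMPLE_LOG = "\n".join(
    [_PFX + f"SRC=203.0.113.5 DST=192.168.1.50 PROTO=TCP SPT={40000 + i} DPT=23 SYN"
     for i in range(6)]
    + [_PFX + "SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP SPT=50111 DPT=8080 SYN",
       _PFX + "SRC=192.168.1.10 DST=192.168.1.50 PROTO=TCP SPT=50222 DPT=80 SYN",
       _PFX + "SRC=198.51.100.7 DST=192.168.1.50 PROTO=TCP SPT=50333 DPT=443 SYN",
       "Jul 10 12:00:09 gw kernel: unrelated message"]
)

def parse(line):
    """Return (src, dst, dport) or None if the line lacks those fields."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "DST", "DPT"} <= fields.keys():
        return None
    try:
        return (ipaddress.ip_address(fields["SRC"]),
                ipaddress.ip_address(fields["DST"]), int(fields["DPT"]))
    except ValueError:          # malformed address or port: skip the line
        return None

def audit(log_text, telnet_threshold=5):
    """Report LAN devices reached from outside on watched ports, and
    (source, device) pairs with repeated telnet connection attempts."""
    exposed = {}                 # device -> set of service names
    telnet_attempts = Counter()  # (source, device) -> attempt count
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, dport = rec
        # Only traffic from outside the LAN to a LAN device on a watched port.
        if dport not in WATCHED_PORTS or src in LAN or dst not in LAN:
            continue
        exposed.setdefault(str(dst), set()).add(WATCHED_PORTS[dport])
        if dport == 23:
            telnet_attempts[(str(src), str(dst))] += 1
    repeated = sorted(k for k, n in telnet_attempts.items() if n >= telnet_threshold)
    return exposed, repeated

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any device that appears in the first result is reachable from outside on a service that should be blocked at the gateway or disabled on the device.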