The BBC filled a suburban home with a variety of smart devices and asked six UK-based security experts to see how many they could infiltrate. The answer was all of them, as the BBC's ‘Click' TV programme showed on Saturday 16 August.
The ‘ethical hackers' involved were James Lyne from Sophos, Felix Ingram, Eleanor Chapman and George Hafiz from NCC Group, and Rowland Johnson and Liam Hagan from Nettitude.
The programme showed them hacking a Blu-Ray DVD player, a webcam and baby monitoring device as well as many others. They also used the default password to hack one WiFi video camera which has sold 120,000 units. The camera had a XSS (cross site scripting) bug and was using insecure web server software that is currently installed in five million devices.
The vulnerability of such ‘Internet of Things' smart devices is not new, but the experts insisted the broadcast – described by Click presenter LJ Rich as showing a “haunted house of hacking horrors” – had a serious purpose.
James Lyne, head of security research at Sophos, said the “ridiculously easy” way smart devices can be subverted was likely to make them targets for criminal attacks in the near future.
He told SCMagazineUK.com after the broadcast: “We really couldn't have anticipated the broad-scale negligent approach to software security that many of these devices display. We were alarmed at the astonishingly basic security failures we found. Essentially they mean that if you can see a device (from a network perspective) you can hack it.”
Lyne said failures included default never-changing credentials, basic web application injection vulnerabilities, UPnP and SOAP configuration without credentials, and old versions of software that are trivial to exploit.
Liam Hagan, a penetration tester at Nettitude, added in an email to SC: “The risk is growing with more smart devices being released on a daily basis. Criminals are already recognising security issues and have actively started to exploit them. The recent SynoLocker ransomware (which targets network-attached storage devices) is an example of this.”
He added: “Very often, IoT devices provide an access point for more commonly known attacks - malware implants, banking Trojans, ransomware, etc.”
NCC Group principal consultant Felix Ingram agreed: “The exploitation of connected devices is fairly limited at the moment,” he told SC, “but the issue is going to lie in the future where the devices are smarter than existing ones or have functionality people don't necessarily associate with them.”
Ingram cited how the NCC Group was able to hijack a smart TV microphone and bug the room. “People don't associate a television with something that listens in. These devices with microphones and cameras – that's where security becomes more important as people are not aware of the risk.”
He advised: “You've got to remember your computers are on these same networks. So if the devices in any way present more vulnerabilities to the network, then it's going to be easier for people to jump on and hit the actual important stuff which is the connected computers.”
For security professionals using such devices in the company, Ingram said: “it is an increase in the attack surface. You could be introducing weak points into the network which could be exploited to get access to higher-value targets.”
Hagan said the BBC experiment also uncovered new vulnerabilities, including the software in a baby listening device which automatically connected itself to the internet without request, forcing a configuration on the local firewall/router.
Lyne said: “The IoT industry has to do better at security. The actual number of vulnerabilities in these devices is not increasing per se (they are already awful) but adoption of these devices is increasing rapidly. Given how extremely easily these devices can be exploited, cyber criminals are likely to be paying close attention, although it will be credit cards, PII or financial data that will really drive interest.”
The BBC show comes in the same week as researchers from France's Eurecom are due to tell the USENIX conference have found vulnerabilities in the firmware controlling hundreds of Internet of Things devices such as printers, routers and security cameras.