F-Secure Senior Security Consultant Harry Sintonen appeared at Disobey last week in Helsinki to teach the audience a lesson in how attackers take advantage of insecure devices. Harry created the demonstration after he discovered several vulnerabilities in a QNAP network attached storage (NAS) device. And in order to verify that the vulnerabilities could be used to “hack” into the device, Harry developed a proof-of-concept exploit (a bit of code that uses vulnerabilities to compromise systems) that allows him to seize control of the vulnerable devices.
I won’t get into the technical details here (you can see Harry’s presentation below for the technical nuances). But basically, Harry’s proof-of-concept (POC) manipulates the device while it tries to update its firmware. This process was an easy target for Harry because of problems with how the device updates (such as not encrypting the update requests).
Harry’s POC allowed him to seize control of the device. He didn’t try to do anything more than that. But an attacker would. After seizing control of the device, an attacker could do things like access stored data, steal passwords, or even execute commands (for example, tell the device to download malware).
Sound serious? Well, the good news is that attackers would need to position themselves to intercept the update process before they can manipulate it.
“The extra step is enough to discourage most opportunistic or low-skilled attackers,” said Janne Kauhanen, a cyber security expert with F-Secure.
But the bad news is that these kinds of problems are running rampant in internet-connected devices. In this case, Harry notified QNAP about these issues in February 2016. However, to the best of Harry’s knowledge, they’ve yet to release a fix (although QNAP claims to be working on one).
Vulnerability Research is Vital if we want to Secure the IoT
This isn’t Harry’s first time finding security issues in products. Last summer, he discovered a vulnerability in Inteno home routers that leave them exposed to hackers.
“It’s ridiculous how insecure the devices we’re sold are,” Janne said at the time. “We and other security companies are finding vulnerabilities in these devices all the time. The firmware used in routers and Internet of Things devices is neglected by manufacturers and their customers – by everyone except hackers, who use the vulnerabilities to hijack Internet traffic, steal information, and spread malware.”
Security researchers conduct these types of investigations because manufacturers and developers typically don’t have the resources available to do it on their own. And considering the global shortage of competent cyber security personnel, this shouldn’t come as a surprise.
That’s why companies (not just security companies) invest in vulnerability research. One way they do this is with “bug bounty” programs. Microsoft, Facebook, and many other well-known IT companies (including F-Secure) offer money to anyone able to uncover vulnerabilities in their products. In fact, a 10-year-old received 10,000 dollars for finding a vulnerability in Instagram last summer.
But sadly, most vulnerabilities go undisclosed until a user stumbles upon them. Or even worse, when an attacker gets caught using them to hack into devices.
IoT devices are spreading. And security issues are spreading with them. So make no mistake: if we’re to avoid the next Mirai outbreak, or something even worse, it’ll be because someone took the time to find and point out security problems before they’re attacked.
[ Image by Tumitu Design | Flickr ]
This is a guest post from F-Secure fellow Kamil Janowski. Have you ever worked on…
August 17, 2017