Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

New year's resolution for IoT vendors: Start treating LANs as hostile

Lucian Constantin | Jan. 3, 2017
The prevalence of insecure default configurations for embedded devices suggests that vendors don't account for LAN-based threats

In November, researchers from cybersecurity firm Invincea reported a vulnerability that could have allowed hackers to infect Belkin WeMo smart plugs with malware. The flaw was located in a configuration protocol that worked over the local area network and didn't require any authentication.

In 2015, when researchers from vulnerability intelligence firm Rapid7 analyzed nine Internet-connected baby monitors, they found hardcoded credentials in four of them. Those backdoor accounts provided administrative access to the devices over the local network.

The use of hidden accounts, unauthenticated management protocols and hard-coded cryptographic keys or passwords is very common in the IoT and embedded device world. These issues, which amount to insecure default configurations, are frequently found not just in consumer products, but also in enterprise ones, including in firewalls and other security devices.

For example, just earlier this month researchers from SEC Consult warned that 80 models of professional Sony security cameras used primarily by companies and government agencies had backdoor accounts. And this is just one of the many cases reported this year.

These basic weaknesses don't stem from insecure programming practices -- which plenty of vendors are also guilty of -- but from failing to take all types of attacks into consideration when designing their products. As a result they could more easily be eliminated than code-related vulnerabilities, which would require investments in developer training and security reviews.

This kind of insecure configurations could be easily avoided if device manufacturers would include LAN-based attacks in their threat modelling, but most of them still appear to treat local area networks as implicitly trusted environments, believing that attackers only target devices they can reach directly from the Internet.

Unfortunately that hasn't been for many years. Cross-site request forgery (CSRF) attacks that hijack users' browsers when they visit malicious websites and then use them to attack routers and other devices through the local network are now common.

Hackers also frequently infect laptops or phones with malware and then search for other systems on LANs that they can compromise to gain a permanent foothold -- a practice known as lateral movement.

"This 'trust the LAN' mentality is very prevalent," said Craig Young, principal security researcher at Tripwire. "The risk of CSRF or compromised smartphone apps is huge and nobody seems to get it. In many cases, the LAN doesn't need vulnerabilities exposed because the devices don't even require authentication from local devices."

Just a few weeks ago Proofpoint uncovered a large scale malvertizing campaign that hacked people's routers via CSRF. The attackers placed malicious ads onto ad networks used by popular sites and redirected their visitors to an web-based attack toolkit. The end goal was to scan their local networks through their browsers, identify their routers and attempt to compromise them.

 

1  2  3  4  Next Page 

Sign up for Computerworld eNewsletters.