22 December 2018

5 biggest IoT security failures of 2018

By James Sanders 

With the ubiquity of smartphones, smart speakers, and wirelessly connected devices around the world, design flaws and security vulnerabilities surface more easily. 2018 saw a wide spectrum of IoT security failures, ranging from problems with vendor implementation and state actors co-opting legitimate products, to service providers outright selling data to third parties with negligible security practices, to cascading failures from voice recognition gone wrong.

Emergency broadcast systems open to capture-and-replay attacks

Many emergency broadcast systems in place today were designed in the 1980s, without the expectation that malicious actors would attempt to commandeer them. Though the ballistic missile alert broadcast in Hawaii on January 13th was the result of human error, the 38 minutes between that alert and its retraction caused panic and anxiety, particularly as North Korea had been testing missiles in late 2017.

Bastille Security found a vulnerability in emergency siren systems produced by Acoustic Technology Inc. (ATI): the command packets are broadcast over the air without authentication, so they can be captured, modified, and replayed by anyone with a suitable radio. ATI deployed a patch to address the issue, though it is unclear whether all of the affected systems had been patched by the end of the 90-day disclosure window, or whether every vulnerable system has been patched since. Oddly, ATI's public statement on the vulnerability claimed Bastille's research is "largely theoretical" and "is against the law," even though the same statement notes that public safety communications systems are exempt from the statute it cited.
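The failure mode described above (a receiver that executes any command packet it hears) and the fix (authenticate each packet and refuse to act on one it has already seen) are easiest to see side by side. The following is an added illustration, not ATI's protocol or Bastille's code: the packet layout, the command IDs, the pre-shared key and the captured packets are all constructed for the demo. The hardened receiver appends an HMAC-SHA256 tag over a command ID and a monotonic counter, so a modified packet fails the tag check and a replayed packet fails the counter check.

```python
"""Toy siren command link: unauthenticated vs. authenticated receiver.

Added example with a constructed packet format; it is not the format of
any real siren vendor. Layout of the authenticated packet (hypothetical):
  2-byte command id | 4-byte counter | 32-byte HMAC-SHA256 tag
"""
import hashlib
import hmac
import struct

# Assumption: each site shares a secret key with its control station.
KEY = b"constructed-demo-key-do-not-use"

CMD_TEST = 0x0001    # routine siren test (constructed command id)
CMD_ALERT = 0x0002   # full alert tone (constructed command id)

BODY_LEN = 6         # ">HI": 2-byte command + 4-byte counter
TAG_LEN = 32         # HMAC-SHA256 digest size


def build_unauth(cmd):
    """Legacy packet: the command id on its own, no tag, no counter."""
    return struct.pack(">H", cmd)


class UnauthReceiver:
    """Executes whatever command id it decodes; cannot tell a replay or
    an edited packet from a legitimate one."""

    def handle(self, pkt):
        (cmd,) = struct.unpack(">H", pkt[:2])
        return cmd


def build_auth(cmd, counter, key=KEY):
    """Hardened packet: command + monotonic counter, tagged with HMAC-SHA256."""
    body = struct.pack(">HI", cmd, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class AuthReceiver:
    """Accepts a packet only if its tag verifies and its counter is higher
    than any counter already accepted. Returns the command id on success
    and None when the packet is rejected."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = 0  # in a real unit this must persist across power cycles

    def handle(self, pkt):
        if len(pkt) != BODY_LEN + TAG_LEN:
            return None
        body, tag = pkt[:BODY_LEN], pkt[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare: a modified or forged body fails here.
        if not hmac.compare_digest(expected, tag):
            return None
        cmd, counter = struct.unpack(">HI", body)
        # A captured packet carries an already-used counter and fails here.
        if counter <= self.last_counter:
            return None
        self.last_counter = counter
        return cmd


def demo():
    """Run the attacker's two moves (replay, modify) against both receivers."""
    results = {}

    legacy = UnauthReceiver()
    captured = build_unauth(CMD_TEST)            # sniffed during a scheduled test
    results["unauth_replay"] = legacy.handle(captured)
    tampered = struct.pack(">H", CMD_ALERT)      # attacker edits the command field
    results["unauth_tampered"] = legacy.handle(tampered)

    hardened = AuthReceiver()
    captured = build_auth(CMD_TEST, 1)           # genuine test packet, counter 1
    results["auth_first"] = hardened.handle(captured)
    results["auth_replay"] = hardened.handle(captured)
    tampered = struct.pack(">H", CMD_ALERT) + captured[2:]   # keep counter and tag
    results["auth_tampered"] = hardened.handle(tampered)
    results["auth_next"] = hardened.handle(build_auth(CMD_ALERT, 2))  # genuine alert
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {'rejected' if outcome is None else hex(outcome)}")
```

The counter is what turns an authenticity check into a replay check; if a unit forgets it on reboot, a captured packet becomes valid again, so it belongs in non-volatile storage. Key distribution and rotation across a fleet of field units is the hard operational part that this toy skips.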
Russian attackers co-opt LoJack implant to gain device control

The popular device security software LoJack (previously known as Computrace) was leveraged by the Russian state-sponsored cyber espionage group "Fancy Bear." LoJack relies on computer manufacturers shipping a dropper in the BIOS, which reinstalls the Windows agent so that the software persists across Windows reinstallations. Fancy Bear did not touch the firmware in this first case: it modified the Windows agent's configuration so that it reported to servers under their control, which impersonate LoJack's infrastructure. Because LoJack is a legitimate anti-theft utility, antivirus programs tend to whitelist it and ignored the tampered agent, which made it an attractive vehicle for Fancy Bear.

While the May discovery relied on a change inside Windows, a second attack attributed to Fancy Bear was discovered in September. This attack, called LoJax, writes a malicious module into the computer's UEFI firmware, so the implant survives Windows reinstallations and even replacement of the hard drive. Though the rootkit itself was discovered in 2018, the group behind it (which ESET tracks as Sednit) has been active since at least 2004. According to ESET, LoJax is the first UEFI rootkit recorded as active in the wild.

State actors hide malware in routers, undetected for years

VPNFilter, described by researchers at Cisco Talos as "[possessing] capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration, and device management," was found in routers manufactured by ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, TP-Link, Ubiquiti, UPVEL, and ZTE, as well as NAS devices by QNAP.

Cisco Talos reported finding 500,000 compromised devices across 54 countries, with evidence of the first infections dating back to 2016. The Ukrainian Security Service called out Russia as the originator of the attack. Initial guidance suggested that rebooting the router was enough, but a reboot only clears the second- and third-stage modules; the first-stage loader persists in non-volatile storage and re-downloads the rest, so later updates recommended a factory reset and reflashing the firmware as well. The malware is known to include a module that sniffs Modbus traffic used by SCADA control systems, but the aims of the attackers remain unknown.

Similarly, the Slingshot malware was found to have operated undetected in routers for around six years and is capable of information gathering, persistence, and data exfiltration. Securelist (Kaspersky Lab) researchers pointed out the similarities between Slingshot's router infection method and the "Chimay Red" MikroTik exploit published by WikiLeaks as part of the "Vault 7" releases, which WikiLeaks claims originated from the CIA.
LocationSmart leaked location data of all cell phones in the US

An unsecured product demo from geolocation data firm LocationSmart allowed any user to look up the location of any mobile phone on the four major US carriers, as well as US Cellular and the Canadian carriers Bell, Rogers, and Telus, without supplying a password or any other credentials. This vulnerability was found after Securus, a company that provides smartphone tracking tools for US law enforcement, was hacked. The backend data provider of that company was LocationSmart, according to a ZDNet report.

To make matters worse, mobile network operators were selling this personally identifiable data to LocationSmart. Verizon was the first to pledge to stop data sharing, with AT&T, Sprint, and T-Mobile following shortly thereafter.
Amazon Echo randomly recorded and sent a Portland couple's conversation

A Portland couple claimed that their Amazon Echo smart speaker recorded a conversation and transmitted it to someone in their contact list (an employee of the couple) in Seattle. The original report is suspect in places, though Amazon confirmed to CNET that the incident occurred as described.

The model of Echo Dot photographed in the original report is capable of outputting sound to an external speaker through a 3.5mm audio cable. If a speaker was attached to the Echo Dot but turned off, the microphone in the Echo Dot unit would still be active, yet it would have been impossible for the owners to hear an audio prompt through the speaker. The original report fails to mention this possibility; likewise, it describes the device as an Amazon Echo rather than an Echo Dot.

Despite this, Amazon does have an Alexa problem. New York Times tech columnist Farhad Manjoo wrote in February about an incident in which his Echo Dot wailed "like a child screaming in a horror-movie dream." Amazon also made changes to how Alexa operates in March after a spate of reports indicating that Alexa-powered devices were randomly laughing, seemingly unprompted.
