Our digital identity is now more exposed than ever thanks to the proliferation of smart devices collectively known as the Internet of Things (IoT). While the user may believe their access credentials are securely stored on the home network, the addition of smart ‘things’ onto that self-same network poses a significant risk to that data. In reality, the home network can only ever be as secure as the weakest device housed upon it, and believe me, there are products out there with a woeful lack of security.
Take, for example, a humble kitchen appliance such as the kettle. An investigation revealed that the unconfigured Smarter iKettle could be forced to surrender its network pre-shared wireless key (PSK). An attacker could disassociate the kettle, making it drop the wireless link, then connect it to a rogue network, before sending two commands that would persuade the device to show the PSK in plain text. Armed with this information, the attacker could then connect to the home network and go on to harvest information.
It could be argued that the difficulty of finding those kettles makes this attack unlikely. However, using OSINT (Open Source Intelligence) it’s possible to track where a particular product is. Tools such as the Wigle.net geolocation service, social media platforms which capture users chatting about their new appliances, and directory service sites ensure the attacker can identify the owner and pinpoint the location of these devices down to the exact address.
The iKettle is by no means unique and, to be fair, Smarter were very proactive in fixing these issues with the iKettle 3.0. There are plenty of other IoT devices out there that also pose a threat to user integrity. Even something as innocuous as a lightbulb can pose one. An analysis of the Philips Hue lighting system, for instance, showed it was passing keys over the API in plaintext, which meant the security of the system was only ever going to be as strong as the user’s Wi-Fi key.
Poor implementation of wireless protocols is another issue. Products such as the My Friend Cayla and the Teksta talking Toucan children’s toys, which use Bluetooth, are also trivial to compromise. By extracting the Android package it’s possible to access the database of acceptable language for the doll and to edit this to include some choice language to make her swear. It’s even easier with the Toucan, to which an MP3 of your choice can be streamed. Worryingly, as both have a speaker and a microphone, they can potentially be used not just to manipulate but to snoop on the user by collecting audio data.
Poor implementation leaves these products wide open to a Man-in-the-Middle attack. There are some obvious security oversights – no unique Bluetooth pairing PIN, no SSL on the app, no SSL and certificate pinning, no database encryption and readable client-side code – which mean that anyone could connect to the device and use it to obtain more information on the user’s identity.
Eyes and ears
In addition to audio capture, it’s also possible to capture video data, and the fault doesn’t always rest with the product. In many instances, IoT vendors are reliant upon a third-party cloud service provider to route traffic, and this poses another potential weak point for data leakage. We recently discovered several makes of camera, such as the Swann, Flir FX and Lorex brands, whose camera feeds could be accessed and rerouted due to an issue with the cloud provider, Ozvision. While the device manufacturers were quick to address the issues flagged, the tardiness of the cloud provider, who was aware of the issue for several months, meant a wide base of camera brands had been unnecessarily exposed.
Finally, there’s the problem of revoking access. Often the factory reset on these devices is ineffective, making the resale of these items risky in terms of revealing user data. There’s also the issue of withdrawing access. It recently transpired that ex-partners have been using smart home security devices to snoop on their users. A flaw in the Ring doorbell meant that even though the password had been changed, those with high-privilege access could still utilise the device and speak to their partner or spy on them when they left or entered the premises.
Collectively, these examples show that user privacy is indeed being compromised by the IoT, but also that it poses a real threat to user identity. These devices can be used to exploit the network they are housed upon to gain access to the Wi-Fi router and from there go on to harvest user names, passwords and sensitive documents housed on associated machines. Until we begin to enforce tougher regulation that provides a minimum security standard, our data and our digital selves will continue to be at risk.
Author: Ken Munro, Partner at Pen Test Partners