
Music streaming can leave homes open to hacking

Alexandra GHEORGHE

April 21, 2016


As far-fetched as it may sound, listening to music might endanger your privacy, Bitdefender research shows. Bitdefender IoT researchers analyzed a Wi-Fi audio receiver and found it susceptible to brute-force attacks and poor authentication practices.

The risk of unsafe protocols

The MUZO Cobblestone works as a Wi-Fi audio receiver or as a standalone music player and can be connected to home routers to allow music streaming from multiple sources – smartphones or the Internet (music streaming services).

The device follows the classic setup routine: it creates a hotspot that, atypically, remains active indefinitely after configuration. Researchers noticed that the access point lacks proper authentication. It can be protected by setting a password from the configuration page, but nothing notifies the user of this possibility or of the existence of the configuration page. There is no alert in the Android application.

More importantly, the device comes embedded with a Telnet service used for remote access, to send and receive information. Telnet is an old and simple-to-use network protocol that allows a user on one device to log into another device on the same network. It ranks 6th among the 10 most-used services, according to Shodan (March 2015).


The problem is that the Telnet service remained active in the final version of the product, says George Cabau, malware researcher at Bitdefender. “Telnet should have been used only in the debug stage and closed when the product was released. There’s no point in leaving it active.”


Researchers tried popular username and password combinations and observed that Telnet was secured with default credentials (admin/admin). Using this information, they connected to the unsecured hotspot and used Telnet to gain root access to MUZO and run various commands to find a way to access the Wi-Fi network.

Since the audio-receiver is basically connected to two networks (the user internal network and the hotspot), if you access it through Telnet you are inside the network, Cabau said. “We gained root privileges, so grabbing the Wi-Fi username and password was a matter of time.”

Lessons to be learned

A fundamental element in securing an IoT infrastructure concerns device identity and mechanisms to authenticate it. Yet data disclosures show many IoT devices are secured with basic passwords like “1234” or require no passwords at all. This leaves them vulnerable to brute-force attacks and intrusion.

People are accustomed to using the legacy Telnet protocol for connecting to servers. However, it’s no longer considered safe and a better solution to communicate with servers is to use SSH, Cabau added.

After the most recent firmware update, the access point is no longer active after configuration. The Telnet service is still running.
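To check whether a device on your own network still exposes Telnet, as this one does after the update, the added example below (not part of Bitdefender's research) connects to port 23 and recognises a Telnet server by the option negotiation it sends first, without attempting any login. The function names and the 192.0.2.10 address are assumptions made for illustration.

```python
import socket
import sys

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}

def parse_telnet_negotiation(data: bytes):
    """Return the (verb, option) pairs found in a server's first bytes."""
    found, i = [], 0
    while i + 1 < len(data):
        if data[i] != IAC:
            i += 1
        elif data[i + 1] == IAC:          # escaped literal 0xFF, not a command
            i += 2
        elif data[i + 1] in VERBS and i + 2 < len(data):
            found.append((VERBS[data[i + 1]], data[i + 2]))
            i += 3
        else:                             # other or truncated IAC command
            i += 2
    return found

def check_telnet(host, port=23, timeout=3.0):
    """Classify a port as closed / open-telnet / open-unknown. No login attempt."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                       # refused, filtered or unreachable
        return "closed", []
    with sock:
        try:
            data = sock.recv(256)         # Telnet servers usually negotiate first
        except OSError:                   # timeout or reset: open, but silent
            data = b""
    options = parse_telnet_negotiation(data)
    return ("open-telnet" if options else "open-unknown"), options

if __name__ == "__main__":
    # Pass the addresses of your own devices, e.g. 192.0.2.10 (placeholder).
    for host in sys.argv[1:]:
        status, options = check_telnet(host)
        print(f"{host}:23 {status} {options}")
```

An `open-unknown` result on port 23 still deserves a look, since some Telnet servers send a plain banner before negotiating options.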

Researchers from Bitdefender Labs have investigated a random selection of IoT devices – a smart LED, a Wi-Fi enabled switch, a Wi-Fi audio receiver and a smart power adapter – read more here. Note: the scrutinized gadgets have been chosen randomly, based on popularity, product reviews and price affordability.

This article is based on the technical information provided courtesy of Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
