Sky May Be the Limit, but Gravity Is a Drag

If you follow mainstream media reports on the security of smart devices, hacking Internet-of-Things devices is so easy an amateur could do it. They just look online, and the details are all there. These accounts typically quote security professionals sharing one stage of their research.

“Anyone can do it!” seems to be the message delivered, an affirmation that somehow downplays the effort experts put into finding a path to bypass the defenses of a smart device. For researchers, this is usually where their work ends; but figuring out a solution is the result of technical skills combined with multiple types of thinking (analytical, holistic, linear).

They start with the assumption of a strong password protecting access to the target and look for vulnerabilities in software components (services open for remote access) that would open a door with sufficient privileges to allow harmful actions. If this method fails, they can inspect the firmware for deeper-rooted flaws – a more difficult procedure that involves extracting data directly from the hardware and requires reverse engineering skills and tools.

The firmware image holds the operating system of the gadget and the code that handles how it behaves. It includes at least one high-privilege (root) account that allows unrestricted modification of files and access to every command available. As protection, developers do not store the passwords associated with these accounts in plain text, but in an encrypted form.

In research detailing low-cost techniques for reverse engineering, a team of security experts at Ben Gurion University analyzed the firmware of 16 IoT devices. They were able to recover account passwords for 11 of them as of the paper’s publication date, while four were expected to be recovered within several weeks.

Any weaknesses uncovered by reverse engineering the firmware can be used against all units of the product. When the results become public, others (researchers and hackers alike) can use them without going through the process. Ideally, by the time the details are released for everyone to see, the vendor has already plugged the security holes.

For cybercriminals, accessing the device is just the initial step towards compromising and taking advantage of the gadget. The easiest approach is to target devices that can be accessed using factory logins. Anyone searching for these online is likely to have their answer on the first page of results. Sometimes it may take longer to find them, wading through forum discussions or social media posts.

Once hackers can log into the IoT equipment, their next step is to place code on it that would execute their commands. Sure, the internet provides ready-made tools, but they do not work “out of the box” and need to be adjusted for a specific purpose, so the compromised devices serve the new master.

Finding attack toolkits online and default access credentials is well within the skill set of any computer-literate user. The hard part is figuring out how to use them. Of course, you can access an unsecured camera over the web or connect to someone’s thermostat a continent away using the factory access details. But this is nowhere near hacking, in the same way lifting yourself on your toes to peek through someone’s window does not make you a burglar, only a Peeping Tom.

Image credit: Pixabay
