Internet of Things Targeted by Campaigns and Attacks of Opportunity


July 19, 2022 

By Calvin Bryant 

It should come as no surprise that an ever-expanding threat landscape brings with it more attack vectors for threat actors to use and, subsequently, an inevitable increase in exploitation. The Internet of Things (IoT) is the common term for devices that connect to a network in one manner or another but are not typical network endpoints such as computers, mobile devices, tablets, or servers. When we refer to IoT, we are talking about the many everyday items integrated into your home or office network that you rarely think about. Do you own a Ring security system or a similar product that connects to your wireless network? How about an Alexa device? Do you have a "smart" refrigerator or television, or perhaps an iRobot Roomba vacuum? These devices, and so many more, fall within the Internet of Things provided they have the capacity to connect to your network in one way or another.

Whereas a home or office (or your home office) used to consist of a server, routers, and computers, that attack surface has expanded drastically to include all of these IoT devices. This brings us to the targeting of the Internet of Things by threat actors, both in deliberate campaigns and as targets of opportunity. Over the past few years, the exploitation of IoT devices has been on the rise. That is no surprise to anyone familiar with the topic; what has changed is that the efforts appear more concerted. If you look at recent Common Vulnerabilities and Exposures (CVE) entries, you will find an ever-increasing number of IoT-related CVEs. Thankfully, many of these are found through the efforts of researchers and blue team defenders, but not all.

In the past month, multiple CVEs were reported across a host of IoT devices, and a few examples illustrate the pattern. Digital Video Recorder (DVR) systems for closed-circuit television (CCTV) have been found vulnerable to buffer overflow flaws that an attacker can leverage for privilege escalation or as a foothold for lateral movement, as seen in CVE-2021-44954. This week, Programmable Logic Controllers (PLCs), the computing devices behind industrial manufacturing control, were found lacking in authentication and security measures, with easy-to-crack passwords. Devices with weaknesses of this kind have subsequently been targeted by malware campaigns that tie them into botnets for distributed denial of service attacks; CVE-2022-33971 is a recent example of the underlying weakness (note that a CVE entry describes the flaw itself, while the campaigns abusing it are tracked separately). And, lest we forget about cameras, infrared security cameras have also been exploited through buffer overflow vulnerabilities (CVE-2022-31209) and have a history of privilege escalation concerns, both remotely and through direct physical access to the camera.

As noted, these incidents are not few and far between. A few weeks back, the Defending the Edge podcast covered the story of security doors being bypassed by tapping into external control panels and exploiting vulnerabilities in them. Once inside, a research team was able to escalate privileges and move laterally through the network, going so far as to open and close doors and shut down cameras. It took a good bit of groundwork and some reverse engineering, but it was doable, and a threat actor with the same skills could carry out such an attack in the wild. As much as this sounds like science fiction or something out of a spy novel, attackers have been exploiting physical security systems in one form or another for the past two decades, primarily thanks to a lack of network segmentation, a lack of compartmentalization, and the absence of purposely designed security measures.

The ever-increasing move to wireless networks and wireless access points only widens the attack surface by linking in more devices that may not be properly secured or tested, and that have not been hardened against the same pitfalls traditional computers and servers have been hardened against (or at least have attempted to be) for many years. We add these devices to our networks because of their convenience features. I can turn on my vacuum remotely, adjust my thermostat, or access my security system from anywhere in the world. This leaves us with only a few options. We can throw away the technology, move into the woods, and avoid any chance of a bad guy exploiting some device. We could, perhaps, migrate away from IoT devices and lessen our use of these convenience items. Or we could deal with the challenge, accept some risk, and employ best practices to manage that risk.

Cyber security is all about risk assessment and risk management. You will never fully remove risk, but you can manage it. With IoT, especially in a work setting or even a home office, we should start with the simple actions. Apply strong passwords even to your seemingly harmless devices. Did you change your WiFi router's password from the default? Does your robot vacuum have a complex password? Is the PLC on your manufacturing and assembly line running the most recent firmware, protected by a solid password, and, where the device supports it, by an additional authentication measure?

Aside from keeping up with manufacturer notifications about vulnerabilities, or skimming CVE lists (something few people outside a research team actually do), ask yourself how each device connects, what else is connected on that network, and what security measures are in place to stop someone from using that device as a conduit. Does it have a password? Can it? If not, is it on the same network as your more sensitive devices, such as your home computer or your work or company office network? Remove the low-hanging fruit, keep your systems up to date, and you can still enjoy the convenience of these devices with far less risk.
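The checklist in the two paragraphs above (passwords, firmware, and which segment a device shares with sensitive hosts) is easy to apply by hand to two or three devices and easy to lose track of at twenty. The script below is an added example, not part of the original post or any DefendEdge tooling: it walks a small device inventory and flags exactly the low-hanging fruit the post lists. The inventory, device names, addresses, and dates are constructed for illustration, and the one-year firmware threshold is an assumed policy value, not a standard.

```python
"""Inventory triage for IoT devices on a small network (added example).

Walks a constructed device inventory and flags the low-hanging fruit the
post lists: default or missing passwords, stale firmware, and IoT devices
that share a subnet with sensitive hosts. All names, addresses and dates
below are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory: name, role, IPv4 address/prefix, password
# state, last firmware update. Role "sensitive" marks hosts we do not want
# an IoT device to share a network segment with.
INVENTORY = """\
workstation,sensitive,192.168.1.10/24,strong,2022-07-01
fileserver,sensitive,192.168.1.20/24,strong,2022-06-15
robot-vacuum,iot,192.168.1.50/24,default,2021-02-10
thermostat,iot,192.168.20.5/24,strong,2022-05-30
cctv-dvr,iot,192.168.1.60/24,none,2020-11-03
plc-line1,iot,10.10.0.7/24,default,2019-08-21
"""

# Assumed policy: firmware older than this is flagged. Adjust to taste.
FIRMWARE_MAX_AGE_DAYS = 365


@dataclass
class Device:
    name: str
    role: str                      # "sensitive", "iot", or anything else
    iface: ipaddress.IPv4Interface  # address with prefix, so we know its subnet
    password: str                  # "strong", "default", or "none"
    firmware: date                 # date of the last firmware update


def parse_inventory(text: str) -> list[Device]:
    """Parse the comma-separated inventory; blank lines and '#' comments are skipped."""
    devices = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, role, addr, pw, fw = (field.strip() for field in line.split(","))
        devices.append(Device(name, role, ipaddress.ip_interface(addr), pw,
                              date.fromisoformat(fw)))
    return devices


def triage(devices: list[Device], today: date) -> dict[str, list[str]]:
    """Return {device name: [finding, ...]} for every IoT device with at least one issue."""
    # Subnets that contain at least one sensitive host.
    sensitive_nets = {d.iface.network for d in devices if d.role == "sensitive"}
    findings: dict[str, list[str]] = {}
    for d in devices:
        if d.role != "iot":
            continue
        issues = []
        if d.password == "none":
            issues.append("no password set")
        elif d.password == "default":
            issues.append("default password still in use")
        if (today - d.firmware).days > FIRMWARE_MAX_AGE_DAYS:
            issues.append(f"firmware older than {FIRMWARE_MAX_AGE_DAYS} days")
        if d.iface.network in sensitive_nets:
            # The device can reach sensitive hosts directly: a conduit if compromised.
            issues.append(f"shares {d.iface.network} with sensitive hosts")
        if issues:
            findings[d.name] = issues
    return findings


def demo() -> dict[str, list[str]]:
    """Run the triage over the constructed inventory as of the post's date."""
    return triage(parse_inventory(INVENTORY), date(2022, 7, 19))


if __name__ == "__main__":
    for name, issues in demo().items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

In the sample, the thermostat on its own 192.168.20.0/24 segment with a strong password and recent firmware produces no findings, while the DVR and vacuum sitting on 192.168.1.0/24 next to the workstation and file server are flagged on all three counts. Moving those two onto the thermostat's segment (or a dedicated IoT VLAN) clears the segmentation finding without touching the devices themselves, which is usually the cheapest risk reduction available.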

 

Calvin Bryant is a Cyber Security and Cyber Threat Intelligence analyst for DefendEdge and the Producer and Host of the Defending the Edge Podcast.