Off-the-shelf smart devices can spy on you, BGU researchers warn

Researchers warn against unchecked usage of devices that allow us to connect to the world, without protection.

By JUDY SIEGEL
Cyber hackers [illustrative] (photo credit: REUTERS)
Cyber hackers [illustrative]
(photo credit: REUTERS)
Ben-Gurion University researchers warn the public to protect themselves from eavesdropping and manipulation by hackers who invade their privacy via off-the-shelf smart devices ranging from baby monitors and cameras to doorbells, air conditioners and robot floor cleaners.
In a paper appearing in Smart Card Research and Advanced Applications, Dr. Yossi Oren – a senior lecturer at BGU’s software and information systems engineering department – and colleagues offer cyber-safety tips for Internet of Things devices – any nonstandard computing device that connects wirelessly to a network and has the ability to transmit data.
In the article, titled “Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices,” the BGU researchers write that “with the growth of the Internet of Things, many insecure embedded devices are entering into our homes and businesses. Some of these web-connected devices lack even basic security protections such as secure password authentication. As a result, thousands of IoT devices have already been infected with malware and enlisted into malicious botnets and many more are left vulnerable to exploitation.”
Oren analyzed the practical security level of 16 popular IoT devices from high-end and low-end manufacturers. “We present several low-cost black-box techniques for reverse engineering these devices, including software- and fault injection-based techniques for bypassing password protection. We use these techniques to recover device firmware and passwords. We also discover several common design flaws which lead to previously unknown vulnerabilities. We demonstrate the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically include these devices. We also discuss how to improve the security of IoT devices without significantly increasing their cost.”
Oren, head of the implementation security and side-channel attacks lab at Cyber@BGU, said the IoT is the network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity that enables these objects to connect and exchange data. Each thing is uniquely identifiable through its embedded computing system but is able to inter-operate within the existing Internet infrastructure.
The researchers were able to easily co-opt the devices. As part of their ongoing research into detecting vulnerabilities of devices and networks expanding in the smart home, they disassembled and reverse-engineered many common devices and quickly uncovered serious security issues.
“IT IS truly frightening how easily a criminal, voyeur or pedophile can take over these devices,” he continued. “Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products.”
“It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand,” adds Omer Shwartz, a doctoral student and member of Oren’s lab. “Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely.”
The BGU researchers discovered that similar products sold under different brands have the same default passwords. Consumers and businesses rarely change device passwords after purchase, so they could be operating infected with malicious code for years. They were also able to log on to entire Wi-Fi networks simply by retrieving the password stored in a device to gain network access.
Oren urges manufacturers to stop using easy, hard-coded passwords; to disable remote access capabilities; and to make it harder to get information from shared ports, such as an audio jack that was proven vulnerable in other studies by Cyber@BGU researchers. “It seems getting IoT products to market at an attractive price is often more important than securing them properly,” he notes.
Among the team’s tips to protect yourself are: Buy IoT devices only from reputable manufacturers and vendors. Avoid used IoT devices, as they could already have malware installed. Research each device online to determine if it has a default password, and if so change it before installation. Use strong passwords with a minimum of 16 letters (as these are hard to crack). Devices shouldn’t share the same passwords. Regularly update software that you will get only from reputable manufacturers. Carefully consider the benefits and risks of connecting a device to the Internet.
“The increase in IoT technology popularity holds many benefits, but this surge of new, innovative and cheap devices reveals complex security and privacy challenges,” concludes Yael Mathov, who also participated in the research. “We hope our findings will hold manufacturers more accountable and help alert both manufacturers and consumers to the dangers inherent in the widespread use of unsecured IoT devices.”