IoT, or Internet of Things, means basically any device that can connect to the internet. This is more and more becoming a large list of potential devices, with anything ranging from televisions to coffee machines being able to connect to the internet. This can provide great everyday convenience for the owner since it can often mean that starting a pot of coffee is as simple as pressing a button on an app, but this can also open up the network to potential attack.
Hacking Miscellaneous Devices
IoT devices are often overlooked from a security standpoint. Especially if these devices are not public facing, organizations will often leave them insecure and not put in due diligence to keep them as hardened against attack as possible. Hackers will exploit this fact to use network devices as an easy foothold for an attack. Devices often will have easily exploited software vulnerabilities that remain unpatched. Especially once this becomes public, hackers will jump at the opportunity to attack these devices.
Even devices without glaring software bugs will be targets of attack. Default credentials are extremely common. This can give an attacker an easy foothold into a network and use the compromised device as a first step to further compromise. We regularly see this during our Internal Penetration Tests. Our team at Blue Goat often finds devices such as printers, routers, or even more uncommon ones like x-ray machines that can be compromised and used for further access.
Control of IoT devices can provide massive benefits to attackers. Many devices will contain sensitive information either about the network or the organization. Printers can be a great example. Print jobs can cache information that attackers can strip out, potentially allowing them access to sensitive information that had been sent in print jobs. It is also common to find internal and external address books in printer settings. This information can give an attacker an edge in getting further access in the network since internal emails will often be valid domain accounts.
Likely, the most severe problem is when devices are connected to external services. Staying on the printer example, these devices are commonly connected to services that attackers target. Protocols such as LDAP, SMB, SNMP, and more will often require credentials to access, and these credentials may be stored on the printer. An attacker being able to access these credentials can allow quick lateral movement in the network.
Manipulating Intended Functionality
In many cases, IoT devices can be the intended target, and there is no need to leverage them for further access. Many devices have functionality that attackers will directly target. For example, oftentimes, security cameras will connect to the internet. An attacker can directly target these cameras to see the video feed. The consequences of this can be silly and minor, such as being able to manipulate the temperature of a thermostat, but they can also be extremely severe if a hacker gets access to a sensitive device, such as a medical device.
Sensitive medical devices can be controlled remotely and manipulated by hackers. When this happens, it can potentially be life-threatening. In 2017, hackers targeting St. Jude’s hospital were able to compromise various cardiac devices. With the access that these attackers had, they were then able to disable the devices or change settings on them, potentially modifying life-saving care for patients. Blue Goat is able to test medical devices, along with any other IoT devices to identify any security flaws and work with your team to fix them.
Identifying Vulnerable Devices
Hackers will typically want to go for low-hanging fruit when scouting targets to attack. IoT devices often meet that criteria. Certain sites, such as shodan.io will crawl the internet and look for certain characteristics. This can be anything from identifying a certain open port to finding a certain device. A search for exposed MayGion IP Cameras reveals over 1,000 results. Many of these devices may have default credentials that can be exploited by malicious hackers.
This process can be done to target known vulnerabilities as well. A good example of this is CVE-2021-27954, a heap-based overflow vulnerability targeting Ecobee3 Lite smart thermostats. If a hacker knows how to perform the exploit, they can simply search for any of these devices and instantly have a vulnerable target.
Perform Your IoT Testing with Blue Goat Cyber
Our team of testers is able to help secure your network along with any attached IoT devices. We can also help to test your devices before you push them out as a finished product. Contact us to find out more.