SEATTLE–Like most security researchers, David Jacoby is naturally curious about how things work, and whether they can be made to do things they weren’t meant to do. Sitting at home in Sweden a few months ago, he looked at all of the Web-enabled devices in his house–TV, game console, network storage device–and wondered what kind of exploitable bugs he could find in them.
It didn’t take long before he had his answer. Within 20 minutes, Jacoby had found a remotely exploitable vulnerability in his network-attached storage device that gave him root access. Soon, he’d found another one and then another. It was distressingly easy and he was only a half an hour into the project.
“Most of the research that’s been done before is about futuristic products like refrigerator that’s connected to the network. i thought, what do we actually have in our homes? We do have tvs and most of the modern TVs do have WiFi, Blu-Ray players, gaming consoles, maybe some storage devices. We actually do have quite a lot. it adds up. if I’m pretending to be a bad guy is there anything I can do that’s quite malicious?,” said Jacoby, a security researcher at Kaspersky Lab, who will discuss his research in a talk at the Virus Bulletin conference here Thursday. “I thought I want to do something new. My attack was based on finding new vulnerabilities.”
After having an easy time of it with his NAS device, Jacoby turned his attention to the other devices in his home. His new smart TV was the next victim and Jacoby was able to find several vulnerabilities in that, as well. It was a similar story with his gaming console and even the DSL modem provided by his ISP. The modem had a few hidden administration functions on it, and even though Jacoby had admin privileges on the device to begin with, those services weren’t visible in the admin interface. A little tweaking with the URL solved that, and soon enough the modem stopped working and Jacoby had to request a new one from his ISP.
In all, Jacoby found 22 exploitable vulnerabilities in the handful of devices he looked at in his home. The simplicity of the research and the attack vectors should be a concern, he said. None of what he did was particularly novel or technically difficult, Jacoby said, and perhaps more worrisome, it’s unlikely that most of the devices will get fixes. The response from the vendors when he reported the vulnerabilities was less than enthusiastic and software updates for devices such as TVs and NAS devices aren’t a regular occurrence.
Jacoby said he expects more researchers to turn their attention to non-traditional research as more and more devices in homes and businesses come out of the box with Bluetooth, WiFi and other features that make them easy targets.