SINT MAARTEN—A researcher only needed 20 minutes last week to explain just how hopelessly broken some of the more popular Internet of Things devices on the market these days are.
Jan Hoersch, an IT security consultant at Securai GmbH, a small pen-testing firm based in Munich, described vulnerabilities that affected off-the-shelf IoT devices such as travel routers and retinal scanners in a talk at Kaspersky Lab’s Security Analyst Summit.
Hoersch started off his talk Tuesday by dissecting a travel router, M5250, made by TP-LINK, warning the device’s admin credentials can be fetched via a SMS. According to the researcher, if an attacker sends a SMS to the router, it sends back data, including login information like the name, SSID, and admin password, in plaintext.
“It doesn’t have to be online, it just has to be switched on,” Hoersch told a crowd Tuesday.
Like the M5250, the majority of the devices Hoersch described in his talk were travel routers.
A router manufactured by StarTech was perhaps the most damning. If accessible over the network or LAN port, an attacker could drop their payload, and spread it, Hoerch claims.
“I brought it to a conference once, we hooked it up, determined telnet was open, typed in root and got a shell,” Hoersch said. “Turns out it has a hardcoded root password that’s root… and you can’t change it.”
“You often find hardcoded passwords,” Hoersch said of his research, “Most of the time they’re just there to be exploited, like a backdoor.”
Another device, an IP-enabled camera made by China-based VStarcam, has easily cracked passwords, Hoersch said.
Hoersch said he reviewed the camera last year and even after an update was pushed was able to get a root shell and passwords from the device. He tried – as many researchers do – to crack passwords via Google and found the exact same password hashes he was trying to crack in the comments section of a write-up from 2014.
“I came to the conclusion that it’s the same exploit in the FTP settings, this is basic command injection, not high level memory corruption stuff, just injection,” Hoersche said, “It’s easy to get the shell, password backup, and login to the camera.”
Another travel router, the Hootoo TripMate, handles firmware updates via bash files. Hoersch told the crowd that if he simply changed some settings, he could upload a bash script anywhere he wanted, unauthenticated, elevate credentials, and trigger a firmware update as root.
Another device, a travel router made by TrendNet -TEW714TRU, also makes command injection easy, Hoersch said. An attacker could inject commands unauthenticated over a LAN port, and combine them with a remote code execution vulnerability in another layer, he said.
“This one is quite bad, because it shows the architectural design of this device is not how it should be, you shouldn’t be able to run commands like that,” Hoersch said, “[TrendNet] fixed it, the vulnerability is still in there but it’s authenticated… it’s a start.”
“Turns out it has a hardcoded root password that’s root… and you can’t change it.”
Tweet
Another device, a retinal scanner – Panasonic’s BM-ET2000, suffers from authentication bypass bug, the researcher claimed. The device has a faulty login system that could have allowed an attacker to redirect themselves in the device as root or admin.
The researcher admitted the device isn’t exactly a consumer device – “Not everyone has a retinal scanner at home attached to their front door, but I had one for some time” Hoersch said. While the device is listed as discontinued on several electronics websites, Hoersch hinted some users could still be vulnerable.
Hoersch had originally planned on discussing vulnerabilities in 10 devices but vendors patched four of the bugs he was going to disclose prior to his talk. Several of the devices, including the TP-Link router and the HooToo router, are readily available on Amazon however, something that leaves the door open for widespread attack adoption, Hoersch warned.
None of the vendors immediately returned a request for comment when reached by Threatpost on Monday.
The researcher, as a finale, planned on delving into 85 bugs he found Western Digital’s MyCloud devices but researchers with Exploitee.rs beat him to the punch when they disclosed the bugs last month. According to Exploitee.rs, many of the devices, NAS boxes, are still vulnerable. The group tweeted last week that even after Western Digital pushed an update for EX2/EX4 and Mirror, “most models are still left vulnerable to our 83 root RCEs.”
Hoersch said the bugs are all interesting but essentially the same.
“You get some parameters and you shove them into a command which gets opened, you can get anywhere,” Hoersch said.
Instead of getting into details around the WD vulnerabilities, Hoersch used the tail end of his talk as a soapbox and stressed how crucial communication between bug hunters and vendors is.
“How do you disclose 85 bugs? It’s not possible for a small company,” Hoersch said, “Every time I try to disclose a bug it takes me 45 minutes to explain it to vendors, and that’s too much time.”
Hoersch also acknowledged that more companies should have bug bounty programs, if nothing else than just as a medium for researchers to get in touch.
“Please let researchers help the dev guys,” Hoersch said, “It’s of the utmost importance that companies do bug bounty programs, even if you don’t give out bounties, just let them have a way to disclose bugs without having to write five emails, it just takes too much time – for some independent researchers it’s not possible.”
“Most of us go full disclosure because it’s too much of a hassle to go to the vendors and that’s not how it should be,” he said.