How many security researchers does it take to hack a light bulb?

4 July 2014
By Edd Gent
Share |
The Context team targeted the mesh network used by the LIFX bulbs as a way into the mock smart homes Wi-Fi network

The Context team targeted the mesh network used by the LIFX bulbs as a way into the mock smart homes Wi-Fi network

The team used the ATMEL AVR Raven network interface to break into the 6LowPAN mesh network

The team used the ATMEL AVR Raven network interface to break into the 6LowPAN mesh network

The team had to extract the LIFX bulbs' firmware directly from its chip

The team had to extract the LIFX bulbs' firmware directly from its chip

The D-Link network attached storage device was compromised using a command injection attack

The D-Link network attached storage device was compromised using a command injection attack

Cracking the Canon printer was the biggest challenge as it featured a bespoke firmware that needed to be re-engineered

Cracking the Canon printer was the biggest challenge as it featured a bespoke firmware that needed to be re-engineered

The Karotz 'smart rabbit' features a microphone, camera and speaker making it similar to video conferencing equipment

The Karotz 'smart rabbit' features a microphone, camera and speaker making it similar to video conferencing equipment

How many cyber-security researchers does it take to hack a light bulb? About six, according to one firm, which has demonstrated that the manufacturers of the growing number of connected devices in our homes appear to have a security blind spot.

PCs are no longer the only devices with computing power inside our homes – wireless routers, smart TVs and connected printers are now commonplace and often have substantial data storage and processing capabilities. “A lot of these devices are running computers as powerful as the things people had on their desks ten years ago,” says Alex Chapman, senior security researchers at cyber-security specialists Context.

Those more in the know than the average computer owner will have heard about the growing number of attacks on wireless routers by malicious actors in an attempt to compromise home networks, with EE rushing out a patch a vulnerability on its Brightbox routers earlier this year.

Routers are an obvious target for hackers as they are intrinsically linked to the Internet making it possible for hackers to compromise them from a distance, but less attention has been given to some of the other network-enabled devices cropping up in people’s homes. Once a hacker has access to a person’s home network they have access to any device connected to it, and with an increasingly diverse suite of devices coming online the potential to break down the barrier between the cyber and the physical worlds is getting ever greater.

To demonstrate the concept, Context’s senior managers bought a case of beer and five network-enabled consumer devices from a mixture of start-ups and established vendors, configured them with the recommended security settings, set up a secure wi-fi network and set their best and brightest cyber-security researchers to the task of hacking this mock smart home.

The break-in

While compromising the wi-fi router would be a perfectly sensible approach to getting on the network, the researchers decided to take a more challenging path. The team focused on a set of LIFX lightbulbs, recently in the news for their team-up with Google-owned smart home specialists Nest, which connect to a wi-fi network so they can be controlled with a smartphone application. One bulb is always connected to the network and receives commands from the smart phone application before broadcasting them to the other bulbs over a wireless mesh network based on 6LoWPAN technology.

Using an ATMEL AVR Raven – a £30 USB network interface device that allowed the team to monitor and communicate over the mesh network – combined with network protocol analysing software Wireshark, the researchers were able to observe the largely unencrypted network protocol and simply re-engineer it so that they could craft messages to control the bulbs.

More importantly, they were able to identify the specific packets in which the wi-fi network credentials were transferred when the ‘master’ status switched from one bulb to another. By deciphering the protocol the team was able to request the encrypted credentials, which they were given without any authentication requirements.

To decrypt the credential the researchers had to get their hands on the device’s firmware. As LIFX is a fairly new start-up they had not released a firmware download to the public, so the team had to break open one of the LIFX bulbs to extract the data held on its chip before doing some basic binary reverse engineering to decode the encryption key. More detailed information on the process is available on the Context blog.

“We had to take it apart and attach probes to it and dump the actual firmware into the computer then interpret it,” explains Chapman. “We’re talking a reasonable amount of proficiency. An enthusiastic amateur could do this, but it took a reasonable amount of effort from people who do this day in day out.”

LIFX have been very quick to patch the bug, with a firmware update available now to download from their site that encrypts the mesh network traffic and adds additional security to the process for adding new bulbs. Head of marketing Simon Walker is keen to stress that this was in the face of a fairly complicated attack that delivered a relatively minor exploit – highlighting how seriously the firm took the issue.

Entering the cyber-physical realm

Complicated or not, once the team had the key they were on the network and compromising the rest of the devices became markedly easier. By far the easiest though was the Motorola Blink 1 wi-fi baby monitoring camera, which features a microphone and a camera that can be remote controlled from a smartphone app. The vulnerability the team exploited had been previously documented online, but the company has yet to fix it and failed to respond to a request for comment from E&T at time of publication.

A quick scan of the network allowed the researchers to identify the camera’s IP address, which they then used to try and open the camera’s web interface using a forced browsing attack – simply typing the URL of a restricted page into the web browser. The team tried the generic web interface marker index.html to no avail. They then tried index2.html and gained full access to devices web interface, which has the same functionality as the smartphone app.

“This one was relatively simple, what we actually found when doing our assessment operation pretty much just popped out at us,” says Chapman. “I don’t know if the device makes any claims on security, but you’d expect that sort of device to have security settings enabled as default.”

A D-Link ShareCenter DNS 320L – a network attached storage device designed to allow users to share files across their network and on the Internet – required a more technical approach. The team noticed the device was taking various parameters from web requests from web pages that didn’t require authentication and using them to create system commands. The team were able to use a command injection attack to insert malicious code into the parameters, which were then interpreted by the device and used as system commands, giving them remote root access to the devices' Linux operating system.

In finding the exploit, the team used a lot of the same technology that would be used in normal web app penetration testing, but Chapman concedes the step from finding the vulnerability to actually being able to exploit it was time consuming. As with all the vulnerabilities uncovered Context informed the vendor and D-Link confirmed that they have identified the bug and will shortly be releasing a firmware update that fixes the problem.

By far the most challenging of the devices to crack was a Canon PIXMA MG6450 printer, a task Context’s research director Michael Jordon took on as his own private project. He discovered the printer’s web interface, which requires no authentication to access, lets you trigger a firmware update, but also lets you edit the web proxy settings and the DNS server, allowing a malicious third party to redirect the printer to download doctored firmware that gives them control over the printer’s operating system.

The weak encryption on the firmware meant it was an easy task to reverse engineer it and encrypt a modified copy of the firmware. What was more of a challenge was the fact that the printer runs a proprietary operating system that required some complex firmware reengineering to be able to access the printer’s functionality.

“In the case of the D-Link NAS it runs Linux so once you’re there you’re home and dry as it’s all open source code. In the case of the printer it’s just one big binary program that’s custom to Canon,” explains Jordon. Despite this, the team has managed to gain full control of the little screen on the front of the printer where they have managed to run animations at about 20fps. Jordon has yet to give up his goal of getting classic 90s computer game Doom running on the printer, despite the fact that control over the input buttons continues to elude him.

A statement from Canon thanked Context for bringing the flaw to their attention, saying: “We intend to provide a fix as quickly as is feasible.  All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context.”

The final device the team focussed on was the Karotz ‘smart rabbit’ – a puzzling piece of kit featuring a microphone, camera, speaker, flashing lights and moving ears, as well as a host of downloadable applications that link it up with social networks, email accounts, weather and news feeds and even online radio.

A pair of vulnerabilities were revealed by cyber-security firm Trustwave's SpiderLabs team at the beginning of 2013 that have yet to be fixed, including the ability to run malicious code from a USB stick plugged into the device and the ability to eavesdrop on traffic between the device and apps. Context’s Chapman found three more vulnerabilities, including an authorisation bypass issue that allowed access to most of the Linux-based device’s functionality, but the has failed to return emails from Context or respond to a request for comment from E&T at time of publication.

Implications

So, what does this all mean? In terms of the potential abuses of these devices, compromising the D-Link could give a hacker access to private documents and photos as could control over the printer. The camera could be used to spy on a victim as could the Karotz, not to mention the unnerving possibilities of a flashing, talking rabbit under malicious control.

But considering the lengths the Context team went to, unless you are the sort of person whose main vices are Martinis, high stakes poker games and foiling evil geniuses it’s unlikely those with the ability and the inclination would waste their time on you. As Chapman says, “It is really just an effort versus reward consideration.”

But there are caveats to this.

The majority of the exploits the team revealed are model wide, and as Jordon points out, quite possibly product range wide. In recent research Context looked at the number of vulnerable Canon printers directly connected to the Internet. A scan of the web revealed 32,000 directly connected printers, of which Context sampled 9,000. They found that 6 per cent had firmware with known vulnerabilities, suggesting up to 2,000 vulnerable Canon printers are accessible over the Internet. Similar scans revealed 200 of the Motorola cameras directly connected to the Internet and a massive 14,000 of the D-Link NAS.

For cyber-criminals, the pay-off for hacking someone’s home devices is not obvious when they can better spend their time skimming card details or locking someone’s computer down with ransomware. But the hacker community is anything but predictable and there are plenty of people out there for whom money is not the principle object.

“As more hacks get into the standard tool kits, people who have got the motivation but not the skills will be able to do attacks,” argues Jordon. “If there are a million printers on the Internet, all of the same model, then it’s worth the effort. You could use them to create a botnet for spamming, DDOS attacks or simply to hide your traffic.”

There are clear analogies for these devices in the corporate world too. Many building management systems are based on a mesh network similar to the LIFX set-up using the ZigBee specification, which is very similar to 6LoWPAN. While they are more likely to require user authentication, corporate printers often run on the same firmware as their domestic cousins and are frequently found on an organisation's main network, according to Chapman. He also says the Karotz device is not unlike conferencing equipment such as Polycom’s HDX systems, which exhibitors at last year’s hackers’ conference Black Hat Europe managed to compromise.

Obviously corporate networks are normally protected by enterprise-level security, but Chapman says he often sees devices such as printers with out of the box credentials making them fairly easy to compromise. And he says organisations’ patching of devices like printers, conferencing kit, smart TVs or anything that’s not a standard computer is patchy at best, despite the fact they are vulnerable and valuable targets.

“It could actually be quite a good place to stay hidden from network security,” he adds. “These devices usually don’t have antivirus or anything like that running on them. If any malicious code did live on them it would be quite hard to find it.”

Security blind spot

The main lesson from this episode is the lack of consideration connected device manufacturers are giving to security in their consumer products, evidenced by the basic oversights and the failure to carry out simple, cheap and obvious solutions. As connected devices become more commonplace the trade-off for malicious actors in exploiting vulnerabilities becomes ever more lucrative.

“I think it’s really a symptom of the consumer devices market,” explains Chapman. “From what I’ve seen it looks like manufacturers are only looking to make things work rather than making things work securely. I know that’s a very sweeping statement, but obviously there’s a cost-to-market and a time-to-market that manufacturers need to consider and I don’t think security gets considered in either of those calculations.”

LIFX’s Walker agrees that companies in this market, many of which are cash strapped start-ups, often see the cost of good security as a luxury that can be dispensed with in the name of getting their product to market.

“Not investing time and money in appropriate security measures in the short term will definitely save you money, but in the long term, especially if it’s baked into the hardware of the chips you are using  or firmware that’s not easy to update, it's maybe not such a good idea,” he argues. “I can completely see both sides of the argument, but do you really want to make your device with shortcomings that may come back to bite you, with potential damage to the brand or potential recalls down the line when you realise it’s down to early security features embedded in the design?”

The problem is not one just for individual companies though. As Walker points out, the connected devices market is still in its infancy and consumers are yet to take to the idea of the Internet of Things wholeheartedly. Major security blunders like the one effecting Belkin’s WeMo home automation devices, which prompted the US Computer Emergency Readiness Team to issue a warning that the security flaws could affect more than half a million users, seriously damage consumer trust in the technology.

“If we’re all being hacked, and we’ve all got massive security problems, why is the general user going to have any confidence using these kinds of connected devices?” Walker concludes. “IoT security needs to take the approach, particularly as we become more reliant on this kind of technology, that we make these products just as secure as they were before they became smart.”

Share |
Related forum discussions
forum comment To start a discussion topic about this article, please log in or register.    

Latest Issue

E&T cover image 1607

"As the dust settles after the referendum result, we consider what happens next. We also look forward to an international summer of sport."

E&T jobs

  • Chair in Integrated Sensor Technology

    The University of Edinburgh
    • Edinburgh, City of Edinburgh

    The University of Edinburgh is one of the world’s top 20 institutions of higher education.....

    • Recruiter: The University of Edinburgh

    Apply for this job

  • Principal Electrical Engineer - Power

    BAE Systems
    • Bristol, England / Cumbria, Barrow-In-Furness, England
    • Negotiable

    Principal Electrical Engineer - Power Join our Electrical Power team and help design the self-contained generation and distribution system for the Successor submarine - a new generation of submarine designed to carry the UK's independent nuclear deterrent

    • Recruiter: BAE Systems

    Apply for this job

  • Operations Supervisor (Mechanical/Electrical/Instrumentation)

    National Grid
    • England, Cambridgeshire
    • £33000 - £39000 per annum

    Operations Supervisor - (Mechanical/Electrical/Instrumentation) Salary: Circa £33k - 39k dependant on experience + vehicle and great additional benefits (share scheme, pension, potential bonus).Location: Wisbech - Cambridgeshire We currently have an excit

    • Recruiter: National Grid

    Apply for this job

  • Lead NDT Trainer

    BAE Systems
    • England, Lancashire
    • Competitive package

    Would you like to be involved with training UK and international teams in Non Destructive Inspection (NDI) to support the in service fleet (Typhoon Tornado, and Hawk)?

    • Recruiter: BAE Systems

    Apply for this job

  • Systems Design - Emerging Portfolio

    MBDA
    • Bristol
    • Competitive Salary & Benefits

    What?s the opportunity?   There are fantastic opportunities in Systems Design for engineers to work within Future Systems. These are highly visible, fast paced roles, in...

    • Recruiter: MBDA

    Apply for this job

  • Metering Engineer

    Department for Business, Innovation and Skills
    • Teddington, United Kingdom
    • £24,109 - £27,961 plus EO Electronics PE of £8,090.00

    We are now looking for a Metering Engineer to deliver RD’s In-Service Testing (IST) scheme for gas and electricity meters.

    • Recruiter: Department for Business, Innovation and Skills

    Apply for this job

  • Head of Operational Estates

    Premium job

    The Shrewsbury and Telford Hospital NHS Trust
    • Shrewsbury, Shropshire
    • £46,625 to £57,640 per annum

    As an experienced Estates Manager, you will play a key role in helping to shape the future of the Estates service.

    • Recruiter: The Shrewsbury and Telford Hospital NHS Trust

    Apply for this job

  • Engineering Project Manager - Electrical & Automation

    Nestle
    • York, North Yorkshire
    • c£45,000 + Car Allowance + Bonus + Excellent Benefits

    Nestlé Product Technology Centre in York currently has an excellent opportunity for an Engineering Project Manager

    • Recruiter: Nestle

    Apply for this job

  • Assistant Professor (Tenure Track) of Smart Building Solutions

    Premium job

    ETH Zurich
    • Zurich, Canton of Zürich (CH)

    The successful candidate is expected to develop a strong and visible research programme in the area of control and diagnostics of building systems

    • Recruiter: ETH Zurich

    Apply for this job

  • Process Controls Leader

    Premium job

    Phillips 66
    • Humber Refinery, South Killingholme, North Lincolnshire DN40 3DW
    • £60k - 75k plus extensive Compensation and benefits package, dependent upon experience

    Experienced Process Control Leader providing leadership and technical support for Oil Refinery. Extensive Compensation and benefits package.

    • Recruiter: Phillips 66

    Apply for this job

More jobs ▶

Subscribe

Choose the way you would like to access the latest news and developments in your field.

Subscribe to E&T