How many security researchers does it take to hack a light bulb?

PCs are no longer the only devices with computing power inside our homes – wireless routers, smart TVs and connected printers are now commonplace and often have substantial data storage and processing capabilities. “A lot of these devices are running computers as powerful as the things people had on their desks ten years ago,” says Alex Chapman, senior security researchers at cyber-security specialists Context.

Those more in the know than the average computer owner will have heard about the growing number of attacks on wireless routers by malicious actors in an attempt to compromise home networks, with EE rushing out a patch a vulnerability on its Brightbox routers earlier this year.

Routers are an obvious target for hackers as they are intrinsically linked to the Internet making it possible for hackers to compromise them from a distance, but less attention has been given to some of the other network-enabled devices cropping up in people’s homes. Once a hacker has access to a person’s home network they have access to any device connected to it, and with an increasingly diverse suite of devices coming online the potential to break down the barrier between the cyber and the physical worlds is getting ever greater.

To demonstrate the concept, Context’s senior managers bought a case of beer and five network-enabled consumer devices from a mixture of start-ups and established vendors, configured them with the recommended security settings, set up a secure wi-fi network and set their best and brightest cyber-security researchers to the task of hacking this mock smart home.

The break-in

While compromising the wi-fi router would be a perfectly sensible approach to getting on the network, the researchers decided to take a more challenging path. The team focused on a set of LIFX lightbulbs, recently in the news for their team-up with Google-owned smart home specialists Nest, which connect to a wi-fi network so they can be controlled with a smartphone application. One bulb is always connected to the network and receives commands from the smart phone application before broadcasting them to the other bulbs over a wireless mesh network based on 6LoWPAN technology.

Using an ATMEL AVR Raven – a £30 USB network interface device that allowed the team to monitor and communicate over the mesh network – combined with network protocol analysing software Wireshark, the researchers were able to observe the largely unencrypted network protocol and simply re-engineer it so that they could craft messages to control the bulbs.

More importantly, they were able to identify the specific packets in which the wi-fi network credentials were transferred when the ‘master’ status switched from one bulb to another. By deciphering the protocol the team was able to request the encrypted credentials, which they were given without any authentication requirements.

To decrypt the credential the researchers had to get their hands on the device’s firmware. As LIFX is a fairly new start-up they had not released a firmware download to the public, so the team had to break open one of the LIFX bulbs to extract the data held on its chip before doing some basic binary reverse engineering to decode the encryption key. More detailed information on the process is available on the Context blog.

“We had to take it apart and attach probes to it and dump the actual firmware into the computer then interpret it,” explains Chapman. “We’re talking a reasonable amount of proficiency. An enthusiastic amateur could do this, but it took a reasonable amount of effort from people who do this day in day out.”

LIFX have been very quick to patch the bug, with a firmware update available now to download from their site that encrypts the mesh network traffic and adds additional security to the process for adding new bulbs. Head of marketing Simon Walker is keen to stress that this was in the face of a fairly complicated attack that delivered a relatively minor exploit – highlighting how seriously the firm took the issue.

Entering the cyber-physical realm

Complicated or not, once the team had the key they were on the network and compromising the rest of the devices became markedly easier. By far the easiest though was the Motorola Blink 1 wi-fi baby monitoring camera, which features a microphone and a camera that can be remote controlled from a smartphone app. The vulnerability the team exploited had been previously documented online, but the company has yet to fix it and failed to respond to a request for comment from E&T at time of publication.

A quick scan of the network allowed the researchers to identify the camera’s IP address, which they then used to try and open the camera’s web interface using a forced browsing attack – simply typing the URL of a restricted page into the web browser. The team tried the generic web interface marker index.html to no avail. They then tried index2.html and gained full access to devices web interface, which has the same functionality as the smartphone app.

“This one was relatively simple, what we actually found when doing our assessment operation pretty much just popped out at us,” says Chapman. “I don’t know if the device makes any claims on security, but you’d expect that sort of device to have security settings enabled as default.”

A D-Link ShareCenter DNS 320L – a network attached storage device designed to allow users to share files across their network and on the Internet – required a more technical approach. The team noticed the device was taking various parameters from web requests from web pages that didn’t require authentication and using them to create system commands. The team were able to use a command injection attack to insert malicious code into the parameters, which were then interpreted by the device and used as system commands, giving them remote root access to the devices' Linux operating system.

In finding the exploit, the team used a lot of the same technology that would be used in normal web app penetration testing, but Chapman concedes the step from finding the vulnerability to actually being able to exploit it was time consuming. As with all the vulnerabilities uncovered Context informed the vendor and D-Link confirmed that they have identified the bug and will shortly be releasing a firmware update that fixes the problem.

By far the most challenging of the devices to crack was a Canon PIXMA MG6450 printer, a task Context’s research director Michael Jordon took on as his own private project. He discovered the printer’s web interface, which requires no authentication to access, lets you trigger a firmware update, but also lets you edit the web proxy settings and the DNS server, allowing a malicious third party to redirect the printer to download doctored firmware that gives them control over the printer’s operating system.

The weak encryption on the firmware meant it was an easy task to reverse engineer it and encrypt a modified copy of the firmware. What was more of a challenge was the fact that the printer runs a proprietary operating system that required some complex firmware reengineering to be able to access the printer’s functionality.

“In the case of the D-Link NAS it runs Linux so once you’re there you’re home and dry as it’s all open source code. In the case of the printer it’s just one big binary program that’s custom to Canon,” explains Jordon. Despite this, the team has managed to gain full control of the little screen on the front of the printer where they have managed to run animations at about 20fps. Jordon has yet to give up his goal of getting classic 90s computer game Doom running on the printer, despite the fact that control over the input buttons continues to elude him.

A statement from Canon thanked Context for bringing the flaw to their attention, saying: “We intend to provide a fix as quickly as is feasible.  All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context.”

The final device the team focussed on was the Karotz ‘smart rabbit’ – a puzzling piece of kit featuring a microphone, camera, speaker, flashing lights and moving ears, as well as a host of downloadable applications that link it up with social networks, email accounts, weather and news feeds and even online radio.

A pair of vulnerabilities were revealed by cyber-security firm Trustwave's SpiderLabs team at the beginning of 2013 that have yet to be fixed, including the ability to run malicious code from a USB stick plugged into the device and the ability to eavesdrop on traffic between the device and apps. Context’s Chapman found three more vulnerabilities, including an authorisation bypass issue that allowed access to most of the Linux-based device’s functionality, but the has failed to return emails from Context or respond to a request for comment from E&T at time of publication.

Implications

So, what does this all mean? In terms of the potential abuses of these devices, compromising the D-Link could give a hacker access to private documents and photos as could control over the printer. The camera could be used to spy on a victim as could the Karotz, not to mention the unnerving possibilities of a flashing, talking rabbit under malicious control.

But considering the lengths the Context team went to, unless you are the sort of person whose main vices are Martinis, high stakes poker games and foiling evil geniuses it’s unlikely those with the ability and the inclination would waste their time on you. As Chapman says, “It is really just an effort versus reward consideration.”

But there are caveats to this.

The majority of the exploits the team revealed are model wide, and as Jordon points out, quite possibly product range wide. In recent research Context looked at the number of vulnerable Canon printers directly connected to the Internet. A scan of the web revealed 32,000 directly connected printers, of which Context sampled 9,000. They found that 6 per cent had firmware with known vulnerabilities, suggesting up to 2,000 vulnerable Canon printers are accessible over the Internet. Similar scans revealed 200 of the Motorola cameras directly connected to the Internet and a massive 14,000 of the D-Link NAS.

For cyber-criminals, the pay-off for hacking someone’s home devices is not obvious when they can better spend their time skimming card details or locking someone’s computer down with ransomware. But the hacker community is anything but predictable and there are plenty of people out there for whom money is not the principle object.

“As more hacks get into the standard tool kits, people who have got the motivation but not the skills will be able to do attacks,” argues Jordon. “If there are a million printers on the Internet, all of the same model, then it’s worth the effort. You could use them to create a botnet for spamming, DDOS attacks or simply to hide your traffic.”

There are clear analogies for these devices in the corporate world too. Many building management systems are based on a mesh network similar to the LIFX set-up using the ZigBee specification, which is very similar to 6LoWPAN. While they are more likely to require user authentication, corporate printers often run on the same firmware as their domestic cousins and are frequently found on an organisation's main network, according to Chapman. He also says the Karotz device is not unlike conferencing equipment such as Polycom’s HDX systems, which exhibitors at last year’s hackers’ conference Black Hat Europe managed to compromise.

Obviously corporate networks are normally protected by enterprise-level security, but Chapman says he often sees devices such as printers with out of the box credentials making them fairly easy to compromise. And he says organisations’ patching of devices like printers, conferencing kit, smart TVs or anything that’s not a standard computer is patchy at best, despite the fact they are vulnerable and valuable targets.

“It could actually be quite a good place to stay hidden from network security,” he adds. “These devices usually don’t have antivirus or anything like that running on them. If any malicious code did live on them it would be quite hard to find it.”

Security blind spot

The main lesson from this episode is the lack of consideration connected device manufacturers are giving to security in their consumer products, evidenced by the basic oversights and the failure to carry out simple, cheap and obvious solutions. As connected devices become more commonplace the trade-off for malicious actors in exploiting vulnerabilities becomes ever more lucrative.

“I think it’s really a symptom of the consumer devices market,” explains Chapman. “From what I’ve seen it looks like manufacturers are only looking to make things work rather than making things work securely. I know that’s a very sweeping statement, but obviously there’s a cost-to-market and a time-to-market that manufacturers need to consider and I don’t think security gets considered in either of those calculations.”

LIFX’s Walker agrees that companies in this market, many of which are cash strapped start-ups, often see the cost of good security as a luxury that can be dispensed with in the name of getting their product to market.

“Not investing time and money in appropriate security measures in the short term will definitely save you money, but in the long term, especially if it’s baked into the hardware of the chips you are using  or firmware that’s not easy to update, it's maybe not such a good idea,” he argues. “I can completely see both sides of the argument, but do you really want to make your device with shortcomings that may come back to bite you, with potential damage to the brand or potential recalls down the line when you realise it’s down to early security features embedded in the design?”

The problem is not one just for individual companies though. As Walker points out, the connected devices market is still in its infancy and consumers are yet to take to the idea of the Internet of Things wholeheartedly. Major security blunders like the one effecting Belkin’s WeMo home automation devices, which prompted the US Computer Emergency Readiness Team to issue a warning that the security flaws could affect more than half a million users, seriously damage consumer trust in the technology.

“If we’re all being hacked, and we’ve all got massive security problems, why is the general user going to have any confidence using these kinds of connected devices?” Walker concludes. “IoT security needs to take the approach, particularly as we become more reliant on this kind of technology, that we make these products just as secure as they were before they became smart.”