The emerging Internet of Things lags massively behind conventional computers in terms of cyber security, with manufacturers failing to implement basic security practices, a researcher has demonstrated.
Speaking at the Mobile World Congress in Barcelona, James Lyne, Global Head of Security at Sophos, showed the audience how to gain access to Internet-connected CCTV cameras using a simple brute-force attack that went out of fashion in the computer world more than a decade ago.
Similarly, he said, lights connected to wireless power systems could be hacked without any extra effort on the attacker's side, and even made to explode.
“The big issue here is that manufacturers of these devices are failing to implement what we would regard as basic security,” he said. “If Apple or Microsoft allowed any of this, they would be dragged through the press back and forth. Surprisingly, no one cares about the Internet of Things devices that are making their way into our homes and into our workplaces at an increasing rate.”
While a PC or Apple computer, a smartphone or tablet, or even an Internet-based service would lock a user out after five or ten incorrect password attempts, the CCTV cameras of multiple manufacturers studied by Lyne allow an automated tool to submit 1,000 password guesses per second without ever being locked out.
“This would work against computers back in 2005 but in 2015 no self-respecting manufacturer would allow this to work,” Lyne remarked. “This actually identifies the password in less than a minute which means that we can connect to our mobile camera protected with a password, click on server mode and immediately take control of the device.”
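The missing control Lyne describes is an account lockout. As an added illustration (not code from Sophos or any camera vendor), the throttle below locks an account after a fixed number of failed logins and rejects every attempt, correct password included, until the lockout window has passed; the thresholds, the `admin` account and the `s3cret` password are constructed for the demo, and the second function compares how long an exhaustive search of a keyspace takes with and without that lockout at the 1,000-guesses-per-second rate quoted in the article.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # failed attempts tolerated before the account locks (constructed value)
LOCKOUT_SECONDS = 300   # how long the account stays locked (constructed value)


class LoginThrottle:
    """Account lockout: after MAX_FAILURES wrong passwords, every further attempt
    (even with the right password) is refused until LOCKOUT_SECONDS have passed."""

    def __init__(self, credentials, clock=time.monotonic):
        # credentials is {username: password}; plaintext only because this is a demo.
        # clock is injectable so the behaviour can be tested without sleeping.
        self._creds = credentials
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, user, password):
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            return "locked"
        if self._locked_until.pop(user, None) is not None:
            self._failures[user] = 0          # lockout expired: start a fresh window
        if self._creds.get(user) == password:
            self._failures[user] = 0          # success clears the failure counter
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
        return "denied"


def worst_case_seconds(keyspace, attempts_per_second, max_failures=None, lockout_seconds=0):
    """Time needed to try every candidate in a keyspace. Without a lockout this is
    keyspace / rate; with one, each block of max_failures guesses also costs a
    full lockout window, which is what turns seconds into days."""
    online_time = keyspace / attempts_per_second
    if not max_failures:
        return online_time
    lockouts_triggered = keyspace // max_failures
    return online_time + lockouts_triggered * lockout_seconds


if __name__ == "__main__":
    # A 4-digit numeric PIN (10,000 candidates) at the article's 1,000 guesses/second.
    print("no lockout:  %.0f s" % worst_case_seconds(10_000, 1000))
    print("with lockout: %.0f s" % worst_case_seconds(10_000, 1000, MAX_FAILURES, LOCKOUT_SECONDS))
```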
What is worse, he said, the majority of users do not bother to set a protective password at all. With the feeds of such CCTV cameras freely accessible online to anyone with sufficient computer skills, criminals could find out when properties are left empty, or even spy on cashiers at petrol stations to read credit card details, PINs and till codes. Lyne says video feeds from more than half a million such unprotected devices can be found on the Internet.
“Cyber criminals may not be that much interested in those devices yet but that’s only because they haven’t figured out yet how to make money out of them,” Lyne said. “But that will change as more and more of such devices will get online.”
Most disconcerting, the researcher said, is the fact that a would-be attacker doesn’t need any advanced digital skills.
“The maturity of the Internet of Things is about where PCs were more than ten years ago,” he said. “While exploiting a modern Windows 8.1 system or even the latest Windows 10 is exceedingly difficult and requires some really advanced skills, to hack a CCTV camera the way I just did is staggeringly easy. You can go to Google, find it, copy and paste it, run it and it just works.”
In the same presentation Lyne showed that it is not only the nascent Internet of Things but also the omnipresent mobile devices, smartphones and tablets, that are shockingly easy to exploit. Taking advantage of the so-called WebView vulnerability, discovered last year, he took control of a target device by infecting it with malicious code served from a third-party website. The malware allowed him not only to access all files stored on the victim’s device but also to use its camera and microphone without the victim having a clue.
“This particular vulnerability affects an outdated version of the Android operating system, which is currently the most popular in the market,” he said. “Part of the problem is that most users are not regularly updating their operating system. From statistics we know that only about 0.1 Android users are running Android 5 and a very small number is running 4.4, which have improved security features.”
Various attacks on Android devices can be carried out through applications downloaded even from trusted places such as the Google Play Store. Researchers currently know of more than 1.3 million malicious applications targeting Android-powered smartphones. Most of this malware simply asks the user to grant it permission to access the phone’s data, including GPS location, messages or the camera.
“For some reason, users don’t treat their mobile devices with the same paranoia as they do their computers,” Lyne remarked. “That’s actually quite surprising as their mobile devices have GPS, cameras and microphones and arguably hold some of our most sensitive personal content.”
Part of the problem, Lyne believes, is that the market is driven by innovation and focused on marketable features rather than security and privacy. And although consumers should be informed and make conscious decisions, it is unrealistic to expect them to have an advanced understanding of cyber security, the researcher said.
“I think there should be some degree of software liability particularly as these devices are playing more serious roles in our home,” he said. “The companies should improve software quality just as they did with the traditional technology.”