May 2017 news roundup

Target is still paying for their 2013 data breach

Remember Target’s data breach from a few years ago? They are still paying for that. Target recently agreed to an $18.5 million settlement with 47 states and the District of Columbia. That NYT article mentions a $202 million total for “legal fees and other costs since the breach” (I tried reading the linked SEC statement about those payments and lost interest immediately). I don’t know if that $202 million includes this $18.5 million amount, but that’s an expensive mistake any way you look at it.

Breaking news: IoT still terrible

New research shows that Internet of Things (IoT) devices can divulge a lot of information about their owners. The researchers found that a passive network tap on a home network allowed them to monitor traffic rates for several IoT devices. Even if they couldn’t read the traffic itself, the researchers were able to infer a lot just by watching DNS queries and changes in the traffic rates of devices like sleep monitors, motion-activated security cameras, and an Amazon Echo. (This technique of traffic analysis has a long history.)

So imagine that your story’s character needs to spy on someone. If she can identify an exploit for the wireless router the target uses for his home network, she could potentially eavesdrop on the traffic going in and out of his home. If the sleep sensor tells her that he’s sleeping, or if a camera shows movement in one part of the house, that might tell her something useful.

BTW, the Amazon Echo inspired what has become my favorite XKCD entry.

Defeating security cameras

This one is a little older, so vendors have at least partially addressed these specific vulnerabilities, but it’s pretty interesting. Someone published exploits against several consumer-grade security cameras. These cameras have a similar setup process:

  • Mount the camera somewhere
  • Download a vendor-supplied app to your phone
  • Use the app to configure the camera via bluetooth (your phone talks directly to the camera)
  • Configure the camera to connect to your home’s wireless network
  • The camera sends image data to the cloud: the camera has no local storage

The researcher found ways to interrupt the operation of several camera models. Sending certain specially-crafted bluetooth messages to the camera would cause it to reboot, taking it briefly offline. Sending another kind of bluetooth message would tell the camera to connect to a different wireless network. If the attacker brings along a wireless access point (WAP) transmitting the same SSID specified in the bluetooth message, the camera will connect to that WAP, rendering the camera ineffective.

This latter exploit provides a more plausible version of the overused trope of splicing into a camera’s feed, recording a few minutes of boring footage, and replaying it endlessly for the security guard. If the camera only sends data to the cloud when it detects motion, then the absence of data implies the absence of motion. The attacker just needs some off-the-shelf hardware, some publicly-available exploit code, and physical proximity (bluetooth range) to the camera.

You can’t trust what’s on TV

A fellow named Rafael Scheel recently published some interesting research about hacking smart TVs. He discovered a way to use $150 worth of radio transmitter equipment to send signals to a smart TV. He combined this with a couple of other exploits (one involving the Adobe Flash player, one involving JavaScript, both supported by the web browser on the TV) to load malware on the TV.

Scheel’s attack in interesting, because it doesn’t require physical access to the TV, it’s virtually undetectable, and it’s very hard to remediate once exploited.

Imagine your book’s character parking her car outside her target’s business or residence, turning on her laptop, attaching a special transmitter, and tricking all the smart TVs in the area to upload an exploit. Then she could do any of several things:

  • use the TV’s wireless connection to attack other targets on the same network

  • join the TVs to a botnet to attack a web site

  • mine some bitcoins

  • capture audio using the TV’s voice control feature

Smart TVs are probably like most Internet of Things (IoT) devices. The manufacturer happily staples on all these features to add value but then falls short in addressing security problems discovered later. Have you ever heard of anyone applying a firmware update to a TV? My TVs are a few years old, making them somewhat antiquated. So maybe TV firmware updates are commonplace, but somehow I doubt it.

Do you have a smart TV? Is it connected to the internet?

Yesterday’s IoT attack on Dyn

Yesterday criminals used an “Internet of Things” (IoT) botnet to attack dyn.com, a provider of name services. The domain name service (DNS) is the network protocol that converts something memorable (like http://www.amazon.com) into the IP address you browser needs (54.239.26.128) in order to connect to the remote server hosting the web page you want to visit. dyn.com is a company that provides these services. And as the InfoSec Handlers point out, lots of big-name web sites including twitter and spotify use dyn.com services and were affected by the attack.

IoT is the name given to consumer devices that you can buy and then attach to the Internet for various reasons (I’ve written about IoT before). Many of these devices have really poor security. They commonly have default and well-known passwords that many users don’t change. So there are lots of Internet-connected devices (easily discoverable with databases like Shodan) with no protection against someone who knows the default passwords.

Brian Krebs has a lot of good detail about yesterday’s attack and how it was the work of IoT devices like video cameras and DVRs controlled by Mirai. Mirai is (publicly available!) malware that scours the Internet looking for devices with default passwords and uses them to attack specific targets. Yesterday someone pointed those devices at dyn.com, and that’s why you had trouble tweeting about why you couldn’t listen to your music.

Manufacturers have sold a lot of this IoT junk, and we’ll be stuck with this sort of thing for years.

Predictably insecure electronic locks

A couple of researchers recently presented their analysis of a dozen or so consumer electronic locks. Some of these locks are the kind that you’d use on a typical door in place of a deadbolt, and some of them work like padlocks. Most of them use bluetooth for wireless operation: you purchase the lock, install an app on your phone, and then use your phone to lock and unlock the device.

Sounds great, right? That’s fewer keys in your purse or pocket or in that not-very-fake-looking rock on your porch. You can enable a temporary code that you send to your plumber, so that he can enter the house while you’re at work. Some devices even have access logs. (Did the plumber come when he said he would? How long did he stay?)

The researchers found that 75% of the devices they studied were vulnerable to different kinds of attacks. In many or most cases, these attacks involved capturing and analyzing the traffic between the smart phone and the lock. The researchers notified the vendors of the affected products, but none of them was interested in doing anything about it. And why would they? At the very best, it would mean an expensive and embarrassing public relations campaign to notify consumers that they had purchased a lock with a defect.

This offers a plausible way for your character to do some breaking-and-entering. Maybe she needs to enter the home or storage building of a gadget-lover. She might need to plant some kind of sniffer device near the lock she wants to defeat and leave it there long enough for someone to use the lock. The FTS4BT bluetooth protocol analyzer and packet sniffer looks like a USB device that she could plug in to a Raspberry Pi. Tricking the lock might be as simple as replaying the signal that the sniffer recorded. If the devices doesn’t have access logs (or if the owner doesn’t bother looking at them), your character could come and go as she pleases from then on.

Oh, and don’t use electronic locks in real life. There’s a reason people have used metal keys to secure their stuff for hundreds of years.

Default passwords

A network router is a device which forwards traffic between two networks. Your computer is on one segment of the internet, and your favorite web site is (likely) on a different segment. There’s at least one network router between you and your favorite web site moving the data packets back and forth.

Routers will typically more-or-less work right out of the box, but they generally need some configuration to do their jobs well (and securely). Routers frequently offer a web interface for this: you connect a computer to the router, go to a particular web address (specified by the product’s documentation), and then configure the device for its particular purpose. For example, if you’re setting up a router for an elementary school, you might configure the router to send all web traffic through some kind of content filter.

More and more devices are like this: you buy a shiny new gizmo, connect it to your network, and it offers some feature you can control with an app on your phone. This is the “Internet of Things” (IoT):

Network-enabled security cameras are another interesting example of this kind of thing. Imagine being able to log on to a camera hundreds of miles away, have it take pictures on demand, and view the images.

These devices typically ship with a default password. And that’s the big problem with these things: they don’t necessarily force you to change the password, and those default passwords are well documented and widely available: they’re in the product documentation that the manufacturer probably puts on their web site for anyone to download.

(Sometimes the manufacturer will try to assign a unique default password to every unit they sell. This is great when they do it right, but sometimes the fail hilariously.)

Shodan and Censys are projects which portscan the internet and make the data available to anyone who wants to look at it. This data often reveals the manufacturer and model number of internet routers. Netgear devices often give the full model number in the remote administration password prompt. And there are web sites (like routerpasswords.com) devoted to making it easy to look up the default password for a particular network device model.

There are two important points to remember here:

  1. If you are writing about a character who wants to compromise a network target, and if she can determine the manufacturer and/or model number of the router protecting her target (either through shodan or by portscanning it herself), she can look up the default password either through something like routerpasswords.com or by downloading product documentation from the manufacturer. If the network pukes at the target haven’t secured their router, your character could add routing table rules allowing her direct access to resources on the internal network.
  2. If you haven’t changed the password on the home router that may be sitting on your desk, now would be a good time to do so. (And unless you REALLY need it, you should disable the remote administration feature which was probably enabled by default.)