A penetration test on common Internet of Things (IoT) has revealed basic flaws, as well as how many of the devices were open and connected to the internet.
In a demonstration at the Context Oasis event in London, Alex Chapman, senior consultant did tests on network attached storage, a printer, an internet enabled rabbit toy, IP camera and light bulbs, and found exploits in most that would allow them to be remotely accessed and controlled.
Chapman said that all but the Karotz smart rabbit had exploits that allowed him to control and access them. He said: “I didn’t pick out 100 devices and find vulnerabilities in five of them, there were vulnerabilities in five devices. This shows that you need to go through and secure them as this can lead to real issues on the network,” he said. “We are not there with vendors pushing firmware updates, but we are getting there.”
Chapman said that his research found 14,000 internet-connected and open network attached storage systems and around 200 IP cameras and one printer could be accessed through the internet. “There are parallels in the corporate environment, for the underlying technology and operating systems and processes,” he said. “The light bulb shows data failure, the IP camera affects physical security systems, NAS internal file stores while wifi-connected printers also affects network-connected printers. Karotz has the same functionality as video and voice communication software.”
He said that the IoT by any other name “may just be vulnerable embedded devices” that are not sexy, but in your networks. He also said that traditional penetration testing will not touch these devices, typically.
He said: “These run a cut down operating system that most IoT devices run on, but it is not the same as a server system; it is a small enough image to work on a small enough server and the controls do not exist so the cost expectation is lower.”
Chapman told IT Security Guru that he identified the vulnerabilities very quickly, but getting a payload took time.