{"id":10480,"date":"2015-11-05T09:06:46","date_gmt":"2015-11-05T14:06:46","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=10480"},"modified":"2020-02-26T11:04:00","modified_gmt":"2020-02-26T16:04:00","slug":"surviving-iot","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/surviving-iot\/10480\/","title":{"rendered":"More connected, less secure: how we probed IoT for vulnerabilities"},"content":{"rendered":"<p>A year ago our colleague David Jacoby, a researcher at GReAT, successfully attempted to hack his own home and discovered <a href=\"https:\/\/www.kaspersky.com\/blog\/how-i-hacked-my-home\/5756\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">a lot of curious things<\/a>. David\u2019s experiment inspired many Kaspersky Lab employees around the world. Many employees decided to carry out the same research on their own homes.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023753\/surviving-iot-infographic-EN.png\"><img decoding=\"async\" class=\"aligncenter wp-image-10482 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023753\/surviving-iot-infographic-EN.png\" alt=\"Surviving Internet of threats\" width=\"1280\" height=\"1280\"><\/a><\/p>\n<p>To probe smart things for bugs, we chose several popular Internet of Things (IoT) devices, such as Google Chromecast (a USB dongle for video streaming), an <a href=\"https:\/\/en.wikipedia.org\/wiki\/IP_camera\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">IP camera<\/a>, a smart coffee machine and a home security system \u2013 all of which could be controlled by a smartphone or mobile app. The models and devices were chosen at random, and the selection was quite vendor agnostic.<\/p>\n<p>Our experiment proved that <em>ALL<\/em> of these objects were hackable or could be easily compromised and used to do a hacker\u2019s bidding. 
We have reported the vulnerabilities to respective vendors. By now, some of the products were patched. Others remained vulnerable.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">IoT: How I hacked my home <a href=\"http:\/\/t.co\/CCx9eQEbL2\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/CCx9eQEbL2<\/a> via <a href=\"https:\/\/twitter.com\/Securelist?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@Securelist<\/a> by researcher <a href=\"https:\/\/twitter.com\/JacobyDavid?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@JacobyDavid<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/InternetofThings?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#InternetofThings<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/502462821574393857?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 21, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h3>Chromecast<\/h3>\n<p>The creators of Google Chromecast missed a bug, which could allow a hypothetical hacker to broadcast his own TV \u2018programs\u2019 \u2013 this could be anything from advertisements to scary movies or weird pictures. Once the attacker understands how to get into your device, they can continue to manipulate the experience. 
This can continue for as long as they want, or until the user buys a new dongle or switches back to cable.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023752\/surviving-iot-chromecast.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-10483 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023752\/surviving-iot-chromecast.jpg\" alt=\"Vulnerable USB dongle\" width=\"800\" height=\"800\"><\/a><\/p>\n<p>If the hacker were armed with a directional antenna, he could interrupt your favorite program at an inopportune time without having to be close by \u2013 making him hard to catch. This vulnerability in Chromecast has been there for ages and still remains unpatched.<\/p>\n<h3>IP Camera<\/h3>\n<p>The IP camera that we decided to test was actually a baby monitor managed via smartphone. By the way, such devices were <a href=\"http:\/\/www.wired.com\/2013\/10\/baby-monitor-hacking\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">hacked<\/a> as early as 2013 and <a href=\"http:\/\/www.huffingtonpost.co.uk\/2014\/04\/28\/baby-monitor-hacked_n_5226437.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">continue to be exploited<\/a>. The model we chose for our experiment was produced in 2015, yet we managed to find a couple of bugs.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023751\/surviving-iot-ipcam.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-10484 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023751\/surviving-iot-ipcam.jpg\" alt=\"Vulnerable IP camera\" width=\"800\" height=\"800\"><\/a><\/p>\n<p>By tampering with a default baby monitor app, hackers could gain access to the email addresses of all of the company\u2019s clients. 
Since the majority of the camera owners are parents, such a comprehensive database would be a real treat for <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-avoid-phishing\/6145\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">phishers launching a targeted campaign<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Who is to blame for \u201chacked\u201d private cameras? <a href=\"https:\/\/t.co\/WItQAZKAbU\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/WItQAZKAbU<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#security<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/webcams?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#webcams<\/a> <a href=\"http:\/\/t.co\/k7LcRXH6vX\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/k7LcRXH6vX<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/535838818780594177?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 21, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>A couple of other flaws allowed our researchers to gain full control over the camera: this allows someone to see and hear everything happening in a room, play an arbitrary audio file on the device, or get root access and modify the camera\u2019s software, thereby becoming the sole ruler of this small \u2018smart\u2019 thing. 
We reported the vulnerabilities to the vendor and helped to work on respective patches.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Hacked Baby Monitor: Security Experts Warn 'Change Your Password' After Cameras Compromised <a href=\"http:\/\/t.co\/MPHZd2Y5Bc\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/MPHZd2Y5Bc<\/a> via @HuffPostUKTech<\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/460811096719638528?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">April 28, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h3>Cup of Joe<\/h3>\n<p>Well, the means of messing with our lives and comfort through Chromecast dongles and baby monitors are relatively straightforward. But what\u2019s wrong with the coffee machine? As it turns out, this kitchen device can be a great means of spying on you, letting your home Wi-Fi password slip.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023749\/surviving-iot-wifi-coffee.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-10485 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023749\/surviving-iot-wifi-coffee.jpg\" alt=\"Vulnerable coffee-maker\" width=\"800\" height=\"800\"><\/a><\/p>\n<p>Surprisingly, the problem happened to be very challenging to fix, so the vendor still hasn\u2019t managed to patch the bug. The situation is not that grave, though: the window of opportunity for a hacker lasts mere minutes. 
However, the problem remains even if you change the Wi-Fi password \u2013 the coffee machine will gladly give away the password over and over again.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">ICYMI: Kaspersky Lab CEO: The Internet of Things means 'Internet of Threats' <a href=\"http:\/\/t.co\/iGeU9N8iqw\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/iGeU9N8iqw<\/a> via <a href=\"https:\/\/twitter.com\/BostonBizNews?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@BostonBizNews<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/576051398049210368?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 12, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h3>Home Security<\/h3>\n<p>The smart home security system also lost this fight. Curiously our expertise did not help here \u2013 in fact, it was knowledge of basic physics that made it happen. The system employs special sensors to monitor the magnetic field, which is generated by the built-in magnet in the lock. Once a burglar opens a window or a door, this magnetic field is disturbed and the sensor sends the alert all along the chain.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023747\/surviving-iot-cloud-alarm.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-10486 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023747\/surviving-iot-cloud-alarm.jpg\" alt=\"Vulnerable cloud alarm\" width=\"800\" height=\"800\"><\/a><\/p>\n<p>But one can use a simple magnet to preserve the magnetic field even if the door or the window are open, and thus break into the house. 
This is a problem that is widely acknowledged, since similar sensors are used in many popular security systems. Moreover, a patch would not help to battle the issue \u2013 the very approach should change fundamentally.<\/p>\n<p>As for software, this system was perfectly capable of resisting cyberattacks, as well as burglars who did badly in their high school physics class.<\/p>\n<p>The detailed record of our quest for vulnerabilities and interactions with the vendors can be found <a href=\"https:\/\/securelist.com\/analysis\/publications\/72595\/surviving-in-an-iot-enabled-world\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> on Securelist.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">How will the Internet of Things affect cybersecurity? \u2013 <a href=\"http:\/\/t.co\/fWScmf4QfQ\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/fWScmf4QfQ<\/a> <a href=\"http:\/\/t.co\/sAk1mcZPg5\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/sAk1mcZPg5<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/586174972156108800?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">April 9, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>To minimize the risks and make your home more secure, please follow our recommendations:<\/p>\n<p>\u2014 When choosing which aspect of your life to make \u2018smart\u2019, think along the \u2018security first\u2019 line. Do you have a lot of valuables at home? Then make the home security system redundant, complementing a fancy smartphone-managed anti-burglar system with a traditional wired alarm. Are you going to use a device that would get access to your family\u2019s private life (like baby monitors)? 
Then consider simple models that transmit sound over radio frequencies and not via an IP network.<\/p>\n<p>\u2014 If the above approach does not suit you, pick smart devices carefully. Before going to the store, research the device you are looking for online, paying particular attention to relevant news about bugs and patches.<\/p>\n<p>\u2014 Don\u2019t buy the latest model. Usually, a brand new gadget comes with bugs yet to be discovered by researchers. Try to choose a device with a proven reputation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since you started to connect all those Things to the Internet, creating IoT, your home is no longer your fortress by design. Now attackers can spy on your kid through a baby monitor or break into your house by fooling your &#8216;smart&#8217; security lock. <\/p>\n","protected":false},"author":40,"featured_media":10481,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[1027,605,899,658,363,192,97,422,268,1268],"class_list":{"0":"post-10480","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-connected-devices","10":"tag-great","11":"tag-hack","12":"tag-internet-of-things","13":"tag-personal-data","14":"tag-protection","15":"tag-security-2","16":"tag-threats","17":"tag-vulnerabilities","18":"tag-web-cameras"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/surviving-iot\/10480\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/surviving-iot\/5141\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/surviving-iot\/6237\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/surviving-iot\/6352\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/surviving-iot\/7198\/"},{"hreflang":"it","url":"https:\/\/www.kaspe
rsky.it\/blog\/surviving-iot\/6868\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/surviving-iot\/9671\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/surviving-iot\/5781\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/surviving-iot\/6391\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/surviving-iot\/9465\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/surviving-iot\/9671\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/surviving-iot\/10480\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/surviving-iot\/10480\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/connected-devices\/","name":"connected devices"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10480","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=10480"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10480\/revisions"}],"predecessor-version":[{"id":33590,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10480\/revisions\/33590"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/10481"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=10480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=10480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=10480"}],"curies":[{
"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}