A team of Israeli researchers have discovered that the average IoT devices you buy on store shelves can be compromised within 30 minutes and added to a botnet.

As Internet of Things devices multiply exponentially, it looks like security still isn’t improving. A team of Ben-Gurion University researchers recently went out and bought a bunch of off-the-shelf devices to see how easily they could compromise them—and then use that information to attack other devices like them over the internet. In an interview with TechRepublic, BGU senior lecturer Yossi Oren explained what they found.

You can watch the video interview above or read the transcript below.

Oren said, “So together with my team, we tried to find out how difficult it is to buy an IoT camera and get into its secrets—find out passwords, connections, all sorts of information. What we discovered is that you need about 30 minutes after you unbox the camera, until you can find its default password, and also the services it’s running. And then use this information to add this camera and all the cameras of the same make and model into a botnet, which you control. And it’s very, very concerning.”

“We investigated 16 different devices—baby monitors, doorbells, cameras, temperature sensors, [etc.] And out of these 16 devices, we were able to find the password for 14 of them. So, that’s a good percentage. What we did is we took these cameras apart in our lab and we looked for what is called a debug port. This is a connector, which developers and engineers use when they are building this camera to make sure it’s built properly. And because it’s very expensive to print out a new circuit board once you’re finished developing, all of these cameras actually had these debug ports still in the hardware. Once you connect to there, you have backstage access to the camera. Sometimes, there is a password you need to crack, so we had to do that.”

Oren said, “One device is the later generation version of a very popular thermostat, [It] actually didn’t have this diagnostic port because it’s a very well-selling device. They actually had the engineering time to create a new version without this port and another two devices had a port, but [were] protected by passwords which were unable to crack in one hour. It could be that if we would spend a week on it, we would be able to crack it.

“Right now, devices you are buying today are very, very easy to attack and the problem is that once you attack it once, all of these devices can be attacked remotely. So you only need to do this one time—this process of taking them apart. And one problem, a big problem, with IoT devices when you compare them to computers and phones is that these devices are mostly going to be installed in some corner, in some alley, in some doorway, and not touched for 10 or 20 years. Think of street lights or traffic lights. And this means that you might be still using these devices after their manufacturer has gone out of business and nobody will ever issue firmware updates. You compare this to phones, where you find a vulnerability and the next week later, your phone restarts and voila, it’s patched. So, these devices are going to be here to stay and this means that probably consumers or network providers or something are going to be responsible for keeping these devices secure. This is very concerning based on what consumers have been able to demonstrate so far.”

Oren concluded, “You only need physical access once. Once you buy one copy of a make and model of a camera and you attack it in your lab, you get information which will allow you to attack this make and model anywhere remotely. So out of the devices we surveyed, nine of them were able to be accessed over the network. The access was protected by a password, this password we discovered using our methods. So once you get this password, anywhere in the world, you can access [the device].”

Ben-Gurion University graduate student and researcher Yael Mathov speaks about how easily she and her teammates were able to compromise off-the-shelf IoT devices.
Image: Jason Hiner/TechRepublic

Source: TechRepublic