Anti-Malware , DDoS , DDoS Attacks

Numerous Flaws Trace to IoT Software Stacks that Aren't Secure by Design Mathew J. Schwartz (euroinfosec) • November 7, 2016     Invincea Labs researchers Joe Tanen (hardware guy) and Scott Tenaglia (software guy). Photo: Mathew Schwartz

As if the internet of things didn't seem secure enough, now we have to worry about apps on our smartphones posing a risk too.

See Also: Avoid Theft of Your Privileged Credentials

That's just one of the takeaways from the discovery of two zero-day vulnerabilities and one hardware-bypass flaw - now patched - in Belkin's WeMo line of home automation products. The flaws, and how to exploit them, were demonstrated Nov. 4 at Black Hat Europe by two researchers from endpoint security software firm Invincea, in a presentation titled: Breaking Bhad: Abusing Belkin Home Automation Devices.

Belkin bills its WeMo apps as being "designed to address simple automation needs without the hassle or expense of whole home automation." Compatible products include everything from "smart" LED light bulbs, power switches and baby video monitors to coffeemakers, slow cookers and heating controls. In November 2015, Belkin reported that 2.5 million devices using their technology were in the market.

But security researchers Joe Tanen and Scott Tenaglia of Invincea Labs found two zero-day flaws involving WeMo products. The first is a SQL injection vulnerability in the SQLite database used by the firmware. The flaw can be remotely exploited to seize control of the device. By exploiting the flaw, remote attackers could then do anything they want with it. That would include infecting the devices with malware, such as Mirai, to turn the device into a distributed denial-of-service attack launch pad.

The second zero-day vulnerability involves a code injection flaw - via cross-site scripting - in the WeMo app for Android. The researchers say they were not able to get a related attack against the iOS app to succeed.

Using the WeMo app, users can create rules, for example, to turn on lights at a specific time of day or when the app - via the smartphone's GPS functionality - registers that they're a quarter-mile from home. But the researchers found that they were able to suborn a function called FriendlyName. It allows users to rename their WeMo devices, for example, to label power switches for lamps as "kitchen" or "living room," to make them easier to manage via the WeMo app.

By changing a FriendlyName name to a malicious string of text, however, the researchers found that they could use Belkin WeMo devices to hack into any Android apps to which the devices connect. But when accessing the apps, the researchers gained access to everything that the app - by default - is able to access, including photos and GPS coordinates. Users can disable those defaults, but the researchers question how many would have done so.

Belkin has confirmed the flaws and says it's grateful to Invincea for flagging them.

"Working with researchers like them is an important part of our security process," spokeswoman Leah Polk tells Information Security Media Group. "We always do our best to address any potential vulnerabilities as soon as we possibly can to ensure our devices remain safe to use."

The researchers could inject arbitrary code by changing WeMo devices names.

Second-Order Effects

Having insecure IoT devices that can be turned into DDoS launch pads or spam cannons is one problem, and it's unfortunately quite common, as the Mirai malware has highlighted. But having an IoT-related app be vulnerable to attack by IoT devices is a "second-order effect," Tenaglia says. "Why is it the case that I can do something to your device to turn it into a GPS tracker? Do we want to choose between a secure phone and a remote-controlled crockpot?"

The repercussions are extensive. As Tenaglia said during his talk, after demonstrating how the flaw could be exploited: "I've just turned your phone into a GPS tracker because your IoT's app was kind of insecure."

The researchers say that the apps could likely also be hacked by attackers on the same local network, for example, at a coffee shop if attackers were using a WeMo emulation app on their laptop, although that has yet to be tested. "All the communication with WeMo devices are unencrypted and unauthenticated when you're on the local network," Tenaglia says.

During their Black Hat Europe talk, the researchers also demonstrated a hardware authentication bypass technique that they discovered, although they noted that it requires having physical access to the device. Even so, enterprising cybercriminals could buy a WeMo device, exploit it to gain root access, then use the hacked device to more easily test any exploits they build.

"It's a lot easier to hack a white box than a black box," Tenan says.

Belkin: Better Than Many

The Invincea researchers say that when it comes to IoT device manufacturers, Belkin takes security relatively seriously. They note that after submitting a private vulnerability report to Belkin on Aug. 11, Belkin verified the zero-day flaws the same day, noting, too, that they existed in even newer versions of the firmware than those to which the researchers had access. The company then released an updated version of its Android app to patch the code injection vulnerability on Sept. 1 and on Nov. 1 released updated firmware to fix the other zero-day flaw.

Belkin says that it remediated the flaws as quickly as possible, to block related attack vectors, but believes that these flaws posed a low real-world risk to users. "We don't believe these latest vulnerabilities presented a major threat, largely because they were both addressed before the researcher's findings were released, and the actual likelihood of someone being able to execute this in a real-life situation is extremely small," Polk says. "It would essentially require someone to target a WeMo user that is running old firmware and then get access to their local area network at the same time in order to run malicious code."

One ongoing IoT challenge is that many manufacturers don't release firmware updates for devices, or don't get them into users' hands.

Belkin declined to detail how many WeMo-compatible devices are in the market or share a breakdown by firmware version. But the company says users do receive update notifications. "When we launch new firmware, a notification pops up when you open the WeMo app to alert users to a new firmware and prompt them to install," Polk says.

The Internet of Hackable Things

Invincea's Tenaglia, speaking after the demonstration, says another endemic IoT security problem is that device manufacturers tend to build on open source, Linux-based software stacks because they're free. One challenge, however, is that many organizations fail to consider how these software stacks - and not just their own, custom-developed app code - might need to be locked down.

"So we need to start thinking about the entire software stack that IoT is based on not just the stuff that we write - I think that's an important takeaway from this exercise," Tenaglia says.

Using such software securely requires security smarts, and not all developers are information security experts.

Invincea Labs researchers Joe Tanen (right) and then Scott Tenaglia (left) detail some of the security challenges of using open source firmware for IoT such as Linux-based OpenWrt, which Belkin WeMo devices employ.

Efforts are underway to build more secure IoT operating systems, for example, in the form of Google's Brillo OS and Weave platform for IoT development. But those efforts have yet to come to full fruition. And in the meantime, new IoT devices from numerous manufacturers are being churned out by the millions.

An explanation of how the FBI likely was able to quickly review 650,000 emails found on a computer shared by a top aide to Democratic Party presidential nominee Hillary Clinton leads the latest ISMG Security Report.

In the report, you'll hear (click on player above to listen):

Forensics expert Rob Lee explain how e-discovery tools likely made possible a rapid review of the emails found on the personal computer Huma Abedin shared with her estranged husband, former Rep. Anthony Weiner, despite the disbelief of some supporters of Republican candidate Donald Trump; ISMG Security and Technology Managing Editor Jeremy Kirk warn against jumping to conclusions based on technical evidence that suggests, but doesn't necessarily mean, that something illicit is occurring, such as links seen between the Trump campaign and a Russian bank; BankInfoSecurity Executive Editor Tracy Kitten preview the ISMG Fraud and Breach Prevention Summit in London on Wednesday, Nov. 9; An update on seven Indian embassies apparently being hacked, citing reporting by ISMG Principal Correspondent Varun Haran.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Nov. 1 and Nov. 4 reports, which respectively analyze how lessons to remediate the year 2000 date problem can be applied to IT modernization and potential cyber threats that could damage the integrity of the U.S. presidential election. The next ISMG Security Report will be posted on Friday, Nov. 11.

Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.

Most people have no idea what the Domain Name System is. For technical specialists, it can elicit a groan. But the DNS is essential for the internet, because it translates domain names into IP addresses that can then be called into a browser. It underpins essentially all of the internet, which wouldn't function without it.

But as with many critical components of the internet, DNS would have a very different structure if designed today. While a redesign could solve ongoing security and privacy concerns, it would be disruptive and require wide consensus.

"It's really easy to say 'Well, yeah, we can fix all of DNS's shortcomings if we just start over,' but that 'if we just start over' is such a big if," says Cricket Liu, DNS architect and senior fellow at the networking company Infoblox. "It's a protocol that really causes us fits."

Many of the security features within DNS have had to be grafted onto it, Liu says in an interview with Information Security Media Group. It's an attractive target for hackers because attacking DNS servers can cause services to go offline.

In October, the networking company Dyn was subjected to a withering attack against its infrastructure. Dyn provides outsourced DNS management services to a long list of popular websites, including Twitter, PayPal and Spotify. The attacks, which came from digital video recorders and other internet-of-things devices, made those services difficult to reach for some users (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).

In this audio interview (see link to audio below photo), Liu discusses:

Why the Mirai botnet will continue to affect DNS providers and other companies; What DNS providers will need to do to counter large botnets; Why defense against DNS attacks is difficult.

Liu has specialized in DNS for more than two decades. He worked at Hewlett Packard in the late 1980s and 90s before founding a DNS consulting company that VeriSign bought in 2000. As chief DNS architect with Infoblox, he studies how to protect infrastructure from disruptions.

How did the FBI approach its examination of the computer of Democratic Party nominee Hillary Clinton's close aide Huma Abedin to determine if the former secretary of state and senior assistant exchanged emails that contained classified materials?

ISMG turned to digital forensics expert and author Rob Lee to explain the process the FBI likely used to see if classified materials resided on the computer Abedin shared with her estranged husband, former U.S. Rep. Anthony Weiner, D-N.Y. The FBI had been examining the computer as part of a criminal probe into Weiner texting images of himself to an underage girl in North Carolina.

FBI Director James Comey sent a letter informing Congress in late October that the bureau would investigate emails on the Abedin-Weiner computer to see if it contained classified materials, shaking up the campaign less than two weeks before the Nov. 8 presidential election. This past summer, Comey had said the FBI concluded an investigation into Clinton's use of a private email server and determined she didn't do anything illegal, although he criticized her for having classified materials on it.

But on Sunday, Nov. 6, Comey released a new letter to Congress, saying the review of the Abedin-Weiner computer did not charge the FBI's conclusion expressed in July that Clinton should not be charged with a crime. Comey's latest letter did not provide details on what the investigation into the Abedin-Weiner computer found.

In the interview (click player above to listen), Lee:

Surmises how the FBI discovered the possibility that classified materials from the State Department could exist on the Abedin-Weiner computer; Describes the e-discovery tools the FBI likely employed to analyze emails and documents on the couple's computer; and Discusses the automated and manual processes likely used to determine whether classified materials exist on the computer.

Lee is an entrepreneur and consultant based in the Boston area, specializing in information security, incident response, threat hunting and digital forensics. He is the curriculum lead and author for digital forensic and incident response training at the SANS Institute. Lee has nearly two decades of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response.