Think twice before buying an internet-connected home appliance, recommends Sam Quinn, a security researcher at McAfee. And with good reason. He and his colleagues recently uncovered two security flaws in smart home devices, one of which can give hackers backdoor access to your home network.
The insecurity of the Internet of Things (IoT), the collective name for all the various devices that are being connected to the internet, is nothing new. In the past few years, there has been no shortage of privacy and security incidents related to IoT devices, including a major internet blackout in large swaths of the U.S. in 2016. There’s even a Twitter account that follows the, err, shitty state of IoT security.
The findings of the McAfee researchers, which were presented at the Mobile World Congress on Monday, are a reminder that even the most innocent-looking smart home gadgets can turn into security nightmares, and the consumer IoT industry still has a long way to go.
Coffeemaker gives hackers foothold in your home network
Mr. Coffee makes an internet-connected coffeemaker that is supposed to make your life a little easier. You can schedule and remotely control Mr. Coffee with its associated mobile app. You brew coffee from your bed and know when your coffee is fresh, an ad for the smart coffeemaker says.
But this particular Mr. Coffee is also a fully featured, internet-connected Linux computer. So while it makes your life a little easier, it might also make it a little less secure.
Mr. Coffee connects to your home Wi-Fi network and receives commands from the Wemo app, Belkin's platform for smart home appliances. Quinn and his colleagues discovered that the data exchanged between the Wemo app and the Mr. Coffee machine is sent unencrypted.
The McAfee researchers were able to capture the command data, modify it and resend it to the coffeemaker from a different program. The device executed the command without any check that it had come from an authentic source, so commands can be replayed or forged by anyone on the network.
This means an attacker could annoy you by sending commands to your coffeemaker and forcing it to change its brewing schedule.
A tampered brewing schedule is a mild nuisance. More concerning, Quinn found that custom command templates could be sent to the Mr. Coffee machine to trick it into executing arbitrary commands, a command-injection flaw.
Exploiting this vulnerability, the researchers commanded the device to download and run a customized version of Netcat, a communications program that can give you remote shell access to a computer. This gave the researchers full control over the Linux operating system of Mr. Coffee.
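The three weaknesses described above (cleartext commands, no proof of who sent them, and a schedule template that reaches a shell) are easy to see side by side in a toy model. The following is an added example written for this page, not McAfee's code and not the Wemo firmware; the message layout, the field names (`template`, `hour`, `minute`, `counter`) and the `/usr/bin/brew-scheduler` path are all assumptions, and nothing is actually executed: each handler returns the command it would run so the difference is inspectable. The hardened device authenticates each message with a per-device HMAC key, rejects replays with a strictly increasing counter, and builds a fixed argv list from validated integers instead of interpolating network input into a shell string.

```python
import hashlib
import hmac
import json
from typing import List

# Constructed per-device key shared only between the paired app and the device.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                    "00112233445566778899aabbccddeeff")


def vulnerable_handle(raw: bytes) -> str:
    """Device side as the flaw is described: parse whatever arrived on the
    LAN and build a shell line from the message's own 'template' field.
    Returns the string that would be handed to /bin/sh (nothing is run)."""
    msg = json.loads(raw)
    return msg["template"].format(hour=msg["hour"], minute=msg["minute"])


class HardenedDevice:
    """Hardened device: MAC check, anti-replay counter, strict validation,
    and no shell: the program path is fixed and arguments are an argv list."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def handle(self, raw: bytes) -> List[str]:
        envelope = json.loads(raw)
        body = envelope["body"]                      # signed exactly as sent
        tag = bytes.fromhex(envelope["tag"])
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise PermissionError("bad MAC: message is not from the paired app")
        msg = json.loads(body)
        counter = msg.get("counter")
        if not isinstance(counter, int) or counter <= self.last_counter:
            raise PermissionError("stale counter: replayed message")
        hour, minute = msg.get("hour"), msg.get("minute")
        if not (isinstance(hour, int) and 0 <= hour <= 23
                and isinstance(minute, int) and 0 <= minute <= 59):
            raise ValueError("schedule out of range")
        self.last_counter = counter                  # only after full validation
        return ["/usr/bin/brew-scheduler", "--at", f"{hour:02d}:{minute:02d}"]


def sign(key: bytes, msg: dict) -> bytes:
    """What the legitimate app sends to HardenedDevice: body plus HMAC tag."""
    body = json.dumps(msg, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def demo() -> dict:
    """Runs both devices against a captured, a forged and a replayed message."""
    out = {}
    # Constructed capture of a cleartext schedule message sniffed off the LAN.
    captured = json.dumps({"template": "brew-scheduler --at {hour}:{minute}",
                           "hour": 7, "minute": 30}).encode()
    out["vuln_replay"] = vulnerable_handle(captured)
    # Same message with attacker-chosen template: shell metacharacters go through.
    forged = json.dumps({"template": "brew-scheduler --at {hour}:{minute}; echo injected",
                         "hour": 7, "minute": 30}).encode()
    out["vuln_injection"] = vulnerable_handle(forged)

    dev = HardenedDevice(KEY)
    genuine = sign(KEY, {"counter": 1, "hour": 7, "minute": 30})
    out["hard_genuine"] = dev.handle(genuine)
    attempts = [
        ("hard_replay", genuine),                                   # same counter again
        ("hard_forged", json.dumps({"body": "{}", "tag": "00" * 32}).encode()),
        ("hard_bad_schedule", sign(KEY, {"counter": 2, "hour": 25, "minute": 0})),
    ]
    for name, msg in attempts:
        try:
            dev.handle(msg)
            out[name] = "accepted"
        except (PermissionError, ValueError) as exc:
            out[name] = type(exc).__name__
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The vulnerable handler accepts the replayed capture and the injected template unchanged; the hardened one accepts only the genuine message and refuses the replay, the forgery and the out-of-range schedule. Encrypting the channel (TLS with a pinned device certificate) would close the sniffing problem as well, but on its own it would not stop the template from reaching a shell, which is why the argv construction matters independently of the MAC.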
To exploit the vulnerability, an attacker would need to be on the same Wi-Fi network as the Mr. Coffee device, which makes it difficult but not impossible, given that many users put very weak passwords on their Wi-Fi networks. While a compromised coffeemaker itself might not hold information of much value, it can give attackers a valuable foothold into a home network.
“Targets like coffeemakers serve as excellent covert pivot points for further movement in the network. They are often unmonitored from a security perspective, and once compromised, the attacker can issue legitimate commands from inside the network to gain access to other devices such as smart TVs, surveillance cameras and other IoT devices on the network, all without any risk of being discovered,” Steve Povolny, head of McAfee Advanced Threat Research, told the Daily Dot.
This vulnerability could also allow an attacker to enlist your coffeemaker in a botnet, a network of compromised devices used in coordinated attacks such as distributed denial of service (DDoS).
“This vulnerability shows that not all exploits are overly complicated or require an exceptional amount of effort to pull off, if you know what to look for. This vulnerability exists solely because a few poor coding decisions were made in conjunction with a lack of input sanitation and validation,” Quinn said.
McAfee reported the vulnerability to Belkin, the manufacturer of Mr. Coffee, in November. “While the vendor actually never responded to this report, we were surprised to see that the latest firmware update has patched the issue. Despite a general lack of communication, we’re pleased to see the results of our research further securing home automation devices,” Quinn said.
Smart lock bypassed with simple Bluetooth trick
BoxLock is an internet-connected padlock that can be programmed to unlock by scanning a barcode on your packages. You place it on a container in front of your home and use its associated mobile app to configure your package barcode. When the delivery person comes to your home, they scan the package to unlock BoxLock and place your parcel in the box.
BoxLock is meant to protect you against package theft, a problem that has grown as the popularity of online shopping and package deliveries has increased.
However, Quinn and Philippe Laulheret, another McAfee security researcher, discovered that they could unlock BoxLock without having a legitimate barcode.
BoxLock connects to your phone over Wi-Fi and Bluetooth Low Energy (BLE). By probing the BLE interface, the researchers discovered that they could open the BoxLock from a phone that had never connected to the device and did not have the BoxLock app installed. All they needed to do was pair their phone with the lock, run a few queries against it, and send a spoofed unlock command, which the lock accepted without any proof that it came from the owner's app.
To stage this attack, an attacker must be within BLE range of BoxLock, approximately 30 to 40 feet.
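What makes the BoxLock attack cheap is that the unlock command itself is the secret: once a stranger can reach the lock over BLE and learns the command, nothing ties it to the owner's phone or app. The following added example (written for this page; it is a model, not BoxLock's actual BLE protocol, which the article does not describe, and not the fix BoxLock shipped) contrasts a lock that opens on any write of the unlock command with one that issues a fresh random challenge per attempt and opens only on an HMAC over that challenge with a key provisioned to the owner's app. Knowing the command name then buys an attacker nothing, and a response captured over the air cannot be replayed.

```python
import hashlib
import hmac
import os
from typing import Optional

UNLOCK_CMD = b"unlock"  # assumed command name, not the real BoxLock value


class VulnerableLock:
    """Model of the flaw as described: any connected phone that writes the
    unlock command gets the lock open; no pairing secret, no proof of key."""

    def __init__(self) -> None:
        self.is_open = False

    def write(self, data: bytes) -> bool:
        """Returns True if this write opened the lock."""
        ok = data == UNLOCK_CMD
        if ok:
            self.is_open = True
        return ok


class ChallengeResponseLock:
    """Lock that hands out a fresh 16-byte nonce per attempt and opens only on
    HMAC-SHA256(key, nonce || 'unlock'). The nonce is consumed by every write,
    success or failure, so a captured response is single-use."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.is_open = False
        self._nonce: Optional[bytes] = None

    def read_challenge(self) -> bytes:
        """What the app reads before it may attempt an unlock."""
        self._nonce = os.urandom(16)
        return self._nonce

    def write(self, data: bytes) -> bool:
        """Returns True if this write opened the lock."""
        if self._nonce is None:          # no outstanding challenge
            return False
        nonce, self._nonce = self._nonce, None
        expected = hmac.new(self.key, nonce + UNLOCK_CMD, hashlib.sha256).digest()
        ok = hmac.compare_digest(data, expected)
        if ok:
            self.is_open = True
        return ok


def respond(key: bytes, nonce: bytes) -> bytes:
    """Owner-app side: prove possession of the key for this nonce only."""
    return hmac.new(key, nonce + UNLOCK_CMD, hashlib.sha256).digest()


def app_unlock(lock: ChallengeResponseLock, key: bytes) -> bool:
    return lock.write(respond(key, lock.read_challenge()))


def demo(key: bytes) -> dict:
    """Stranger, owner, replayed response and wrong key against both locks."""
    out = {}
    out["vulnerable_stranger"] = VulnerableLock().write(UNLOCK_CMD)

    lock = ChallengeResponseLock(key)
    lock.read_challenge()
    out["stranger_plain_command"] = lock.write(UNLOCK_CMD)   # name alone is useless

    nonce = lock.read_challenge()
    captured = respond(key, nonce)                           # sniffed owner response
    out["owner"] = lock.write(captured)

    lock.read_challenge()                                    # new nonce next time
    out["replayed_response"] = lock.write(captured)
    out["wrong_key"] = app_unlock(lock, b"not-the-owner-key")
    return out


if __name__ == "__main__":
    print(demo(os.urandom(32)))
```

The per-attempt nonce is what defeats both the spoofed command and a replay of a legitimate unlock; the key must be provisioned to the app during an authenticated setup, otherwise the "pair from any phone" step in the attack simply moves to the enrollment stage.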
“However, for someone looking to steal packages, this would not be a challenge difficult to overcome, as the unlocking attack could be completed very quickly and easily, making the bar for exploitation simply a smartphone with Bluetooth capability. The ease and speed of the exploit could have made for an enticing target for criminals,” Quinn said.
BoxLock updated both the mobile app and the device’s firmware within a week of being informed by the researchers.
“Vulnerability disclosure can be a challenging issue for any company to deal with, but BoxLock was incredibly responsive, easy to work with and immediately recognized the value that McAfee ATR had provided. Our goal is to eliminate vulnerabilities before malicious actors find them, as well as illuminate security issues to the industry so we can raise the overall standard for security,” Quinn and Laulheret noted.