Tuesday, January 19, 2016

PSA: Tamper With An IoT Doorbell -> PWN A Network

Hello out there, and thank you for stopping by again! I'm coming to you today with a fun little factoid, and to point out a larger issue with IoT or Internet of Things devices. Hope you enjoy! Let me know what you think. 

Recently IoT devices have taken off in popularity. I'm sure you're all familiar with the networked power adapters that provide power control over your home network to devices connected to AC power. (If not, see the picture of the Belkin WeMo.) The market has exploded since the introduction of these kinds of devices.

Belkin WeMo
The deluge of cheap, ready to use, plug and play IoT devices seems to have saturated every corner of the online retail market, from the pages of Amazon to the bid sniping battles of eBay. It seems that every electronics manufacturer out there is rushing to have you buy their next great gimmick. From thermostats, to lighting, to even security systems, all connecting directly to your home network. Forget to turn the heat down? Do it with your phone. Didn't turn off the lights? There's an app for that. Want to keep your house safe while you're away? There's a system for that. You're probably thinking your life couldn't be safer or more convenient with IoT, right? Then you're thinking wrong.... Well, wrong-ish. And this takes us to the following example.

Ring with mounting plate
The fine researchers over at Pen Test Partners (their site here) recently discovered a novel hack that lets you steal WiFi encryption keys through one of these new IoT devices. Introducing: Ring Doorbell from ERA Home Security. This little device appears pretty innocuous at first glance. In fact it has some nice features. Basically, it acts like an automated doorman of sorts. Ring is meant to mount outside your home, and send alerts to your cellphone whether you're at home or away. It's equipped with an on-board camera that will broadcast to your mobile device and allow you to interact with the person at your door. Sounds like an extra layer of security, right? Well, it would be if not for 2 flaws in its design.

Ring mounting screws
The first flaw is in its construction and installation. Home users want ease of installation. To provide this for their users, Ring provides an easy to install mounting plate. Once the mounting plate is in place the Ring unit drops in and is secured to the mounting plate by 2 Torx screws (see pictures). Ring is offered with a free replacement if stolen, so theft of the unit is really a non-issue. And none of these construction flaws would really matter if it weren't for a software flaw that is exploited through the use of the GIGANTIC ORANGE setup button on the back of the Ring. When the button is pressed, the Ring goes into an AP (access point) setup mode. Then you can connect to it with ease and pull the SSID (network name) and wireless passcode in plain text from a simple URL in the Ring's interface. All that needs to be done after that is for the doorbell to be put back in place, and for the tamperer to walk away with your creds.
Back of device
So what?! Someone can get free WiFi... What's the big deal? Well here's the point. You bought something to make your home more secure, and in turn you left your home network vulnerable. It may not seem like much, but chances are you're transmitting a lot of secure data on your home network. Stealing your data potentially has way more value and far less risk than anything that could be physically stolen from your home. With anytime access to your home network in the wrong hands, you're screwed!

(In the interest of full disclosure, Ring did fix the software within three weeks of Pen Test Partners reporting it to them, and a simple firmware update will eliminate this particular exploit. Go HERE for the full write up on the exploit mentioned above.)
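The class of flaw described above, a setup-mode interface that hands back the stored WiFi passphrase, shown as an added example; this is not Ring's firmware or Pen Test Partners' code. The struct, function names and JSON fields are hypothetical, and the hardened side assumes the passphrase can be treated as write-only and wiped whenever the setup button is pressed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stored configuration for a WiFi IoT device. */
struct wifi_config {
    char ssid[33];  /* 32-byte SSID + NUL */
    char psk[64];   /* WPA2 passphrase, up to 63 chars + NUL */
};

/* Vulnerable pattern: the setup-mode status response echoes the stored
 * secret to whoever joined the setup access point. */
int render_status_vulnerable(const struct wifi_config *c, char *out, size_t n)
{
    return snprintf(out, n, "{\"ssid\":\"%s\",\"psk\":\"%s\"}", c->ssid, c->psk);
}

/* Hardened pattern: credentials are write-only. The response only says
 * whether a network has been configured, never what it is. */
int render_status_hardened(const struct wifi_config *c, char *out, size_t n)
{
    return snprintf(out, n, "{\"configured\":%s}", c->psk[0] ? "true" : "false");
}

/* Zero a buffer through a volatile pointer so the compiler cannot drop
 * the writes as dead stores. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Pressing the physical setup button erases the stored credentials before
 * the setup AP comes up, so a stranger at the door gets nothing and the
 * owner notices the device has dropped off the network. */
void enter_setup_mode(struct wifi_config *c)
{
    wipe(c->ssid, sizeof c->ssid);
    wipe(c->psk, sizeof c->psk);
}

int main(void)
{
    /* Constructed sample values, not taken from any real network. */
    struct wifi_config c = { "HomeNet", "correct horse battery" };
    char buf[256];
    render_status_vulnerable(&c, buf, sizeof buf); printf("%s\n", buf);
    enter_setup_mode(&c);
    render_status_hardened(&c, buf, sizeof buf);   printf("%s\n", buf);
    return 0;
}
```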

So now we're at the end, and this is where I make my point. A lot of IoT devices have these kinds of issues. The Ring is no exception; it was merely the latest example. Most of the exploits found in IoT devices have been due to a complete lack of thought being put into security. Many manufacturers, in their rush to release a visually appealing device into the market, have accepted sloppy/bad coding. I have followed many IoT exploits, and I make no claim to be a good coder. But the fact is that I'm a shit programmer, and have been able to spot the errors in the code of exploited devices.

If you're going to use IoT, please research the devices you plan to purchase before you do. Make sure it's made by a reputable company. Google search for known exploits for that device. Once you've deployed IoT at home, check for firmware updates regularly. Connect your IoT devices to a separate network in your house from the one you do everything else on. This will require another router to be purchased, but a router is cheaper and easier than trying to clean up your credit later.

Thanks again for stopping by, and reading. Hope you found the post informative and entertaining. Please, share and comment. As always, have a good day, and hope to see you in the future. 

-Chali Baicunn