How your Refrigerator is a Threat and Why you Should Care: Attacks on IoT

Home » Sled Meta Blog » Security Research » How your Refrigerator is a Threat and Why you Should Care: Attacks on IoT
Last week, Wikileaks dropped an explosive number of documents related to their surveillance and hacking capabilities.  Much of this information included strategies related to IoT and household devices, such as the Samsung TV.  To be clear, the leak of CIA documents and data didn’t readily include usable source or exploit code for leveraged attacks, but was more of an internal wiki which provided information about available attacks and strategies used by the agency.   

In our research, it appeared that most of the exploits reference full-on remote access vulnerabilities, some of which were already known. Many of the documents outlined planned strategies or half-developed exploits, many of which requiring physical access to the device or the supply line.

WikiLeaks, in a statement, was vague about its source. “The archive appears to have been circulated among former US government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive,” the organization said.  

As the data dump is quite lengthy, let’s start with “Weeping Angel”.  This is an attack methodology that was recently published by Wikileaks and outlines that a Samsung TV can be hijacked using vulnerable firmware.  This was developed during a joint workshop between MI5 and BTSS (British Secret Service).  The recent reports disclose how to make the television appear to be powered off but in reality was being used to monitor targets. It describes the television as being in “Fake Off” mode.  Some key things to note is that when the television is compromised, it provides the attacker with a ported and modified TinyShell to provide shell, command execution, and file transfer capabilities.   

This functionality allows the television to be used as a monitoring device, as well as a pivot point for further attacks against devices on the network (persistence).  

The current versions of vulnerable firmware provide the following technical details: 
  • Video capture / Video snapshots
  • Max possible storage usage is 700MB (of 1.6GB).
  • The installation is similar to installing a standard Samsung application.
  • empDownload is the binary that downloads other apps or adverts and is executed by the system.
  • It appears to connect to Dreamhost and supports Telnet and FTP.
  • It has native WPA and iw wireless network capabilities. 
As a longtime security researcher, I tend to believe that these capabilities extend much farther than televisions.

So, you might be asking, “when is he going to tell me about my refrigerator trying to kill me?”. 

Who cares that my refrigerator can connect to the Internet?

When I’m working on a security engagement, be it red teaming or penetration testing, I tend to use a combination of attacks strategies and vulnerabilities.  For instance, I might use data collected from one environment, paired with something leaked onto the Internet, to formulate an attack strategy. For example, if a threat actor wished to assassinate a particular individual, they might use the following strategy leveraging a refrigerator and mobile device, to alter medications administered to the person.

We all know that refrigerators are primarily used for storing food, but one alternative purpose of refrigerators is to store medications, such as:
  • Actimmune – Used in reducing the number and severity of infections associated with chronic granulomatous disease. 
  • Ciprofloxacin – Used to treat infections of the skin, lungs, airways, bones, and joints caused by susceptible bacteria. Ciprofloxacin is also frequently used to treat urinary infections caused by bacteria such as E. coli. 
  • Humulin R – Used as a fast-acting form of the hormone insulin. It works by helping your body to use sugar properly. This lowers the amount of glucose in the blood, which helps to treat diabetes.
So, how exactly would a threat actor weaponize a refrigerator?

Reconnaissance (staging the attack)

If you read the commonly attached labels on your medications you will see several important pieces of information, including the prescribing doctor’s name, the facility that issued the prescription, the name and full address of the patient and quantities of refills.  It is also possible that a birthdate would be printed on the label, though a quick search of Facebook could provide that. 

If one were to hack the recently released Samsung “Family Hub” refrigerator, the same vendor as the vulnerable television, it would be possible to collect all of the above information using the internal cameras. The attacker could then place a call to the issuing pharmacy acting as the prescribing doctor, using the collected data, and request a change in dosage.  This could all be done remotely and without alarming the intended victim.

Let me outline what that attack might look like, using only the functionality provided above. 

The Attack

As an attacker, I would conduct a “watering hole attack” against the victim.  Using this methodology, I would purchase advertising space on a website that the victim frequently visits.  This can be determined by searching Google for forum posts or community websites where a victim is known to commonly visit, using a name or email address as the search term. After purchasing the advertising space, I would inject two versions of JavaScript or Flash into the hosted advertisement, one being benign and the other being malicious.  Knowing the region of the victim, I will only introduce the malicious version when the target client IP appears to originate from their known geographic area or ISP.  This is done to reduce the amount of security researchers or analysts that would stumble on my attack and notify the forum or website host and to reduce the scope of investigation.

Using BeEF (Browser Exploitation Framework), I would hook the victim’s browser.  This can be done using their mobile device or home computer.  In the past, I’ve preferred mobile devices as people rarely reboot them or close the tabs of previously viewed sites.
Once hooked, I would get their Internal IP Address and perform a CORS (Cross Origin Resource Sharing) attack.  This method would provide a map of all internal devices, such as televisions, refrigerators, and phones. After I found the refrigerator, I would perform a network services scan.  This would provide some options for remote attacks and the intended devices. Using the hooked device, it would now be possible to attack the targeted device, using the hooked device as a proxy. If remotely attacking the device wasn’t possible, one might redirect traffic using the router or alter DNS resolutions to provide malicious software updates.  Using the images collected from the device or with a connected mobile device application, it would now be possible to conduct a successful phishing attack on the pharmacy. 

What can you do about it? 

The first thing I recommend is reducing what we refer to as the “Attack Surface”. This requires disabling the amount of unnecessary features or network connections that a device can make.  One example is a recent visit by a satellite television company, in which I requested that my set top boxes not be connected to the applications, such as Facebook, Twitter, and Pandora.  This reduces the potential entry points into the targeted device. If you don’t wish to catalogue the rotting of produce in your refrigerator, you likely don’t need it connected to the Internet and Twitter.

Continually review and if possible, receive email updates as to when your registered devices have updates for firmware and installed applications.  Reputable vendors will continually make efforts to improve the functionality and security of their devices.  This is generally an easy update and can be done using the device’s remote control. 

When you purchase a new device for your home or office, don’t forget to change the default credentials!  These username and passwords are easily located on the Internet and allow unfettered access to your devices.  Most devices ship with preconfigured credentials, such as “admin” or “password”.

Finally, if you are a customer and subscriber of PacketSled services, you should routinely review your dashboard for connections to unknown hosts and applications that are using protocols such as Telnet and FTP, which were outlined as those used with vulnerable Samsung devices. The PacketSled platform also enables you review traffic to devices that are using default credentials.  I’ve provided some very simple examples below.  PacketSled is capable of performing incredibly complex search and analytics on live data, but these should be sufficient to get you up and running. Password Like Admin FTP Traffic Telnet Traffic
in Security Research by Patrick Kelley Comments are off

© 2017 PacketSled, Inc.