The IoT Nightmare – Attackers Can Compromise Apps, Steal Credentials

• Barracuda Labs runs remote IoT attack via web and mobile apps, with no product contact
• Vulnerabilities allow for credential theft, access to sensitive information like camera feeds. 

Over the past few years, the Internet of Things (IoT) has exploded into this massive phenomenon where every home appliance, big or small, needs to be connected to the Internet. A Barracuda Labs report shows that one of the biggest issues we've come to now is compromised credentials.

A new report coming from security experts over at Barracuda Labs focuses on IoT devices and the app vulnerabilities. As mentioned, there are numerous threats out there revolving around the Internet of Things. One of those is a credential compromise, where attackers use vulnerabilities in the web apps and mobile applications of certain IoT devices. Those credentials are then used by attackers to gain access to the video feed, remove videos from the cloud storage, read account information, and more. What's more, attackers use the credentials to push their own firmware update to the device.

The experts focused on a camera's web app and mobile app and found several issues. First, the mobile app ignores server certificate validity, the device updates are not signed and they ignore server certificate validity, making for a very complicated situation. By using these vulnerabilities, they managed to easily acquire credentials and compromise an IoT device. Even worse, since the attack happened via the web app and mobile app, they didn't even need physical contact with the device itself.

"This makes life easier for attackers. No more scanning on Shodan for vulnerable devices. Instead, the attack will be performed against the vendor’s infrastructure. It’s a threat that could affect other types of IoT devices as well, regardless of their function, because it takes advantage of the way the device communicates with the cloud," the researchers point out.

Huge Impact on Consumers

How could this impact you? Well, if someone was targeting you, they could end up controlling those cams you use for security at home. Not only could they capture sensitive footage, but they could also use the information regarding your schedule to burglarize your home.

IoT manufacturers need to learn to tighten up security, something that's being said for years. It's not just the devices that need to be safe, but also the web and mobile apps. Barracuda Labs advises companies to work on web application firewalls, add protection against network layer attacks and phishing, and improve cloud security.

"Vulnerabilities are somewhat inevitable, so signs of good reactions are quickly patching the vulnerability and adding that patch to any new devices being made in a timely manner," Jonathan Tanner, Senior Security Researcher at Barracuda told TechNadu. There are instances where a patch will be made but vulnerable devices will continue to be manufactured assuming users will download the patch. Unless updates are automatic users can't be relied on to update device firmware regularly enough for this to be a viable reaction. Making sure new vulnerable devices aren't being produced in a timely manner is an important step. Further, some devices are more difficult to apply firmware to make it less likely users will patch.

Safety First

Users need to make sure you research the product before you buy it. Start by researching the device manufacturer because there are a few companies that produce such devices and actually care about the security part of the problem, although clearly not all. Then, people should search for device vulnerabilities online, not necessarily regarding the product they're looking to buy, but other products from that manufacturer, as well as how the issues were handled.

"As for buyers maximizing their own security, they should change the default password on devices as soon as they set them up to something difficult to break. If possible, they could even go so far as deleting the default account and creating their own administrator username if this is supported. These won't guarantee account safety since there are sometimes hard-coded passwords and accounts or vulnerabilities in the web application, but it's a good start and these sort of things are exactly what security researchers tend to look for first when assessing devices," Tanner added.

The Barracuda Senior Security Research added that once accounts are set up more securely, users should look for additional ways to improve the security of the device. This varies depending on the type of device in use, but the things people could do to improve their security include enabling encrypted communication and disabling the ability to send information outside the local network. "The latter may limit access to apps remotely, so may not always be ideal but if a user doesn't intend to use any remote apps they should definitely disable the feature and should try to research that the communication to and from the remote servers is encrypted," the expert advises. "From a privacy standpoint, users should disable any data collection or telemetry going back to the company as well."

The report points out, however, that the amount of information available about the security posture of IoT devices is very low. Ideally, they state, IoT products would get safety rating scores, just like cars.

Do you have any IoT devices at home? How safe are they? tell us in the comments section below and please share the article online if you have the time. Follow TechNadu on Facebook and Twitter for more news and guides.