At the annual RSA conference this year, on April 19th, our CTO, Stephen Ridley, and our VP of Research, M Carlton, will take the stage to demonstrate the first ever purely IoT-based lateral attack. We intend to show how it’s possible to daisy chain several compromised IoT devices together -- without touching a traditional computer -- to ultimately get to a company’s “crown jewels”.
Lateral attacks between different types of IoT devices have been referenced but never before publicly demonstrated. Worms that spread from PLC (programmable logic controller) to PLC are a threat to manufacturing, and botnets that spread from camera to camera have had a huge impact in the last few years. However, attacks that take over a network device by device have remained largely within the sphere of pundits and hypothetical discussions.
Lateral attacks are known to take place in traditional IT environments, which include employee workstations, networks, servers, etc., and which are typically well secured. In these attacks computers and networks are compromised, which then allows a hacker to gain access elsewhere, like a server. Unlike those attacks, we hop from IoT device to IoT device -- no workstations touched -- to gain access to a Network Attached Storage (NAS) device (yet more IoT) that contains sensitive information.
Our research is an integral part of Senrio culture that informs our approach to addressing IoT security problems. Demonstrating the ability to hopscotch across IoT devices without touching an IT end-point helps us illustrate the very real and persistent risks associated with IoT devices that are in use in a wide range of industries and enterprises today.
People tend to think about lateral attacks as being solely within the realm of sophisticated attackers, but as we explored this project in more depth, we came to realize that this attack requires very little technical knowledge. In fact, anyone who understands basic networking and can use the Linux command line could conduct a hack like this.
After we published vulnerabilities in two different IoT devices last year, we decided to tackle the problem of “then what?” After an attacker compromises a camera or gains control of a router, what happens next?
In the attack on Thursday, we’ll use the vulnerabilities (both patched) we discovered in 2017 to attack an Axis surveillance camera and a TP-Link router to ultimately gain access to a Network Attached Storage (NAS) device. As the name suggests, a NAS device is connected to the network, giving employees the ability to share files between computers. By targeting the NAS device, we’ll be able to extract sensitive data from our target.
The Axis camera is vulnerable to Devil’s Ivy, a flaw found in an open source third-party code library that impacted millions of IoT devices. The TP-Link router has a logic flaw in a configuration service which allows attackers to circumvent its access controls and reset the router’s credentials. With that increased access, we can then exploit a stack overflow vulnerability reachable through the same configuration service.
The camera is our entry point into the network, enabling us to compromise the router and change its rules and settings so we can communicate directly with the NAS device. We’re also able to steal NAS credentials by watching the camera’s video feed while an employee enters their username and password. Once on the network, we exploit the router and change the firewall rules to forward traffic from the router to the NAS. This allows us to steal our target’s sensitive data.
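The defensive counterpart to the path above is to treat any session one IoT device initiates toward another IoT device as suspect, since a camera has no business on a router’s configuration service and a router has none on a file share. The following is an added example, not Senrio’s code: it flags such hops in connection records, and the device inventory, expected-peer policy, addresses and ports (80 for the router’s configuration service, 445 for the NAS share) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inventory of IoT devices on the segment (illustrative addresses).
IOT_ROLES: Dict[str, str] = {"10.0.1.20": "camera", "10.0.1.1": "router", "10.0.1.50": "nas"}
# Constructed non-IoT hosts: the video server the camera records to, and a workstation.
SERVERS: Dict[str, str] = {"10.0.2.10": "vms", "10.0.2.30": "workstation"}

# Constructed policy: the only sessions each IoT role is expected to *initiate*,
# as (destination role, destination port). A camera pushes video to the recorder
# and nothing else; the router and NAS are servers and should originate no sessions.
EXPECTED: Dict[str, Set[Tuple[str, int]]] = {
    "camera": {("vms", 554)},
    "router": set(),
    "nas": set(),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def detect_iot_lateral(flows: List[Flow]) -> List[str]:
    """Return one alert per flow that an IoT device initiated outside its expected set.

    A flow whose source and destination are both IoT devices is the
    device-to-device hop described above and is labelled as such.
    """
    alerts = []
    for f in flows:
        src_role = IOT_ROLES.get(f.src)
        if src_role is None:
            continue  # only IoT-originated sessions are in scope here
        dst_role = IOT_ROLES.get(f.dst) or SERVERS.get(f.dst, "unknown")
        if (dst_role, f.dport) in EXPECTED[src_role]:
            continue
        kind = "iot-to-iot hop" if f.dst in IOT_ROLES else "unexpected egress"
        alerts.append(f"{kind}: {src_role} {f.src} -> {dst_role} {f.dst}:{f.dport}/{f.proto}")
    return alerts

# Constructed sample flows; the router service port (80) and NAS share port (445) are assumed.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.2.10", 554),  # camera streams to the video server: expected
    Flow("10.0.1.20", "10.0.1.1", 80),    # camera reaches the router's configuration service
    Flow("10.0.1.1", "10.0.1.50", 445),   # router originates a session to the NAS file share
    Flow("10.0.2.30", "10.0.1.50", 445),  # workstation uses the NAS normally: out of scope
]
```

Running `detect_iot_lateral(SAMPLE_FLOWS)` yields exactly the two hops of the chain (camera to router, router to NAS) and stays silent on the camera’s normal video stream and the workstation’s normal NAS use.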
This will be the first time an attack like this has been demonstrated publicly. The common nature of the devices in question, and the low level of sophistication required to succeed, suggest that such an attack happening in the wild is well within the realm of the possible. With the release of Autosploit, a tool available on GitHub that automates the exploitation of remote hosts, IoT devices are even more vulnerable. Autosploit combines the hunting of publicly known IoT devices with Metasploit -- enabling a hacker to automate the process of remotely exploiting IoT devices.
This attack targets the CISO blind spot: IoT devices are regularly left unsecured, are talking to the network, and are open to being exploited. Even a security-forward company with workstations and servers locked down could be compromised by this attack, because IoT devices are more difficult to secure than their IT counterparts. IoT vulnerabilities are pervasive, leaving even the most forward-leaning companies vulnerable to IoT threats.
To see the complete attack, end-to-end, come join us at RSA’s IoT Sandbox at the Marriott Marquis, on Thursday, April 19th at 3 p.m., and visit our blog after the talk for a full technical teardown and analysis.