Working and living areas are getting smarter every year as owners adopt new technology and continuously upgrade old devices to fit into modernized spaces. This has enabled many professionals to work or run their business virtually from home. International conferences can be conducted from home office spaces, major projects can be managed and modified online, and much more can be done with the help of smart machines. Unfortunately, unprotected devices are seen as low-hanging fruit by cybercriminals, used in criminal campaigns or leveraged to gain deeper access to home networks.
Attackers targeting smart home devices are tenacious because these machines are proliferating, and becoming more powerful and valuable targets. Because of this, attacks continue to evolve to keep pace with the advancement of these technologies. This November, Pwn2Own 2021 Austin, a competition created to help discover (and subsequently patch) critical vulnerabilities, highlights security issues in the devices that surround homeowners and virtual workers. The same devices that enable professionals to manage their work from home can be used to gain access to private enterprise information or even be used in a cybercriminal campaign.
Cyberthreats that affect home workers and smart home owners
Threats to home and work devices
Modern homeowners and many users working from home have installed smart printers, network attached storage (NAS), speakers for home automation, smart televisions, and more. Unfortunately, cybercriminals targeting these devices are persistent and the attack surface of IoT is broad. It isn’t hard to find security gaps within the many smart devices being used at home.
Smart speakers, which can be used to operate other devices in the house, can also be abused to phish information and listen to users. In 2020, a Mirai variant was found attacking vulnerable NAS devices, trying to turn them into bots to be used in malicious activities. Ransomware was also seen targeting NAS devices. And just this year, several critical vulnerabilities dubbed PrintNightmare were discovered in the PrintSpooler service that affected all Windows versions running the said service. If exploited successfully, the vulnerabilities would allow attackers to execute remote code on devices with PrintSpooler.
Device attack scenarios
- Attacks through unprotected connected devices: Cybercriminals can use compromised routers or other connected devices and spread further.
- Exploited vulnerabilities: Cybercriminals can take advantage of unpatched or outdated firmware to take over or compromise the device. They can also use a chain of multiple vulnerabilities to achieve the takeover.
- Physical tampering: Cybercriminals can tamper with smart cameras outside homes or use unprotected devices to access the home network.
In the NAS category, a team from Pentest Unlimited used a three-bug chain that included an unsafe redirect and a command injection to get code execution on the Western Digital My Cloud Pro Series PR4100. In the same category, the STARLabs team combined an OOB Read and a heap-based buffer overflow to exploit the beta version of the 3TB My Cloud Home Personal Cloud from WD. And in the printer category, the Synacktiv team used a heap overflow to take over the Canon ImageCLASS printer. The team from F-Secure Labs used a single stack-based buffer overflow to take over the printer and turn it into a jukebox. For smart speakers, the Synacktiv team used a stack-based buffer over to compromise the Sonos One speaker and play a tune.
Threats to mobile devices
In the first six months of 2021, Trend Micro detected more than three million mobile-related malicious samples. The pandemic forced many people to click on more links for daily news, access work email from personal devices more often, and also download more applications for business reasons as well as to manage health concerns. Because of this, cyberthreats targeting mobile devices skyrocketed. In one industry, mobile phishing threats reportedly rose 161% from the second half of 2020 to the first half of 2021. Threats are also becoming for sophisticated — for example, zero-click attacks on iPhones were spotted in September. These types of attacks don’t even need user interaction to compromise the device.
Mobile attack scenarios
- Falling for phishing: Cybercriminals trick users into clicking malicious links that could lead to malware.
- Downloading fake apps: Cybercriminals trick users into downloading unwanted or malicious apps including cryptocurrency miners or information stealers.
- Connecting to unsecured networks: Cybercriminals may track the data being sent to and from mobile devices.
Contestants tried to compromise devices by browsing web content in the default browser for the target under test or by communicating with the following short distance protocols: near field communication (NFC), Wi-Fi, or Bluetooth. A team from Pentest Unlimited was able to get code execution on a Samsung Galaxy S21 using three chained vulnerabilities.
Threats to routers
Routers are an appealing target for cybercriminals because they are the gateways to smart spaces. All the devices, from home automation speakers to company laptops, are connected to the router. This means that if a cybercriminal compromises the router they can often capture the other devices connected to it. For example, in 2019, an attacker took advantage of poorly configured routers to push a specific message onto vulnerable Google Home devices, streaming dongles, and smart TVs. In 2020, we saw that there were still thousands of routers infected with VPNFilter, which was heavily reported on in 2018 and supposedly controlled via several mitigation techniques from vendors. In July 2020, we also reported on three botnets that were battling for dominance over vulnerable routers and other internet of things (IoT) devices. The botnets try to infect and turn routers into bots to be used in performing attacks (mainly denial of service attacks) and other malicious activities.
Router attack scenarios
- Attacks against unsecured routers: Cybercriminals can exploit security gaps in outdated hardware and software or compromise the router if default passwords have not been changed.
- Exploited vulnerabilities: Cybercriminals can use exploits against routers with unpatched vulnerabilities to take over the device. For example, if attackers exploit vulnerabilities and are able to execute arbitrary code, they may be able to take control of the router.
- Exploited misconfigured routers: Cybercriminals can take advantage of routers that are not set up properly; for example, one with a misconfigured firewall.
In the router category, participating teams attempt to launch an attack against the target’s exposed network services from the contestant’s device within the contest network. Team Orca of Sea Security leveraged a logic error to compromise the WAN interface of the Cisco RV340 router. The same team also used an OOB Read bug to take control of the TP-Link AC1750 router via the LAN interface. The Flashback team used an impressive stack-based buffer overflow to get code execution on the WAN interface of the Cisco RV340 router. And, the team from IoT Inspector Research Lab used three unique vulnerabilities, including an authorization bypass and a command injection, to get code execution on the Cisco RV340 via the LAN interface.
Security Recommendations and Solutions
The Pwn2Own competition probes today’s largest and newest enterprise attack surface: the home office. The results show that even the latest models of the smart devices used in these work spaces are vulnerable to cyberattacks that can compromise business security. As discussed in this article, this increased risk is something that security leaders and practitioners must pay attention to.
These smart devices are known as easy targets for many reasons: users are less likely to patch their IoT devices, operating systems have no auto-update features, and manufacturers rarely issue security updates for vulnerabilities. These factors make it necessary for users to proactively protect the devices that are used daily in home work spaces.
The following best practices should be put in place to reduce the IoT attack surface and mitigate malicious activity:
- Change default credentials or consider adding authentication and authorization mechanisms
- Update the device firmware to patch exploitable vulnerabilities
- Ensure that other systems or devices, particularly routers, are also updated and secure
- Enable the devices’ built-in security features
- Install multilayered and comprehensive security solutions