Project Warwalk: Connected Devices and IoT

Welcome back and thanks for stopping by! For those new here, thanks for checking out Project Warwalk. You can check out all of our articles in the series here and visit the glossary to look up any terms. This entry is going to discuss network connected and IoT (Internet of Things) devices. We’ll be talking about the devices we discovered, didn’t discover, and some of the security issues generally attributed to this technology.

Barring routers, here are the devices we discovered:

  • Smart TVs: 6
  • Cars: 2
  • Climate controls: 7
  • Point Of Sale: 1
  • Printers: 87
  • Private subnets: 4
  • Wireless video bridges: 9
  • Smart refrigerators: 2
  • Speakers: 2
  • Unknown: 11
  • WiFi repeater: 1

We found sixteen devices that had weak or non-existent security in place. Of these devices, seven (44%) were printers. If we look at the percentage of all discovered printers with weak or no wireless security, it turns out to be 8%.

The most interesting finds were the cars, refrigerators, climate controls, and point of sales unit. Had we done this ten years ago, the chance of discovery of these IoT devices would be scarce.

If we had to venture a guess, based on the discovered network connected devices, if someone buys a smart TV, they may also buy a wireless video bridge because the TV may be too far from the home’s wireless access point and therefore have a weak signal. And of course, who wouldn’t want a wireless sound system so you don’t have to deal with cables?

The “Unknown” devices are labeled that way as their SSID(name of the network) doesn’t really reveal what they are. It could be a router/gateway, a printer, or some other IoT device.

While we didn’t delve too deep into looking for all the vulnerabilities that exist in all the devices we discovered, there was one that piqued our interest. It’s a specific device made by Netgear, which we put in the “Private subnets” category. The SSIDs are in the format of ngHub_319XXXXXXXXXX where the X’s could, as a best guess, be model number or serial number. This device is an access point typically for ADT security where wireless cameras and wireless touch screens connect. There’s an interesting post on a subreddit about someone talking about issues they are having which you can find here . There was also an issue for this device posted to a forum run by Spiceworks here. To sum up, the people posting their issue to Reddit and Spiceworks is that they are seeing WiFi being enabled and they want to shut it off, but Netgear support is saying the WiFi doesn’t exist for the device. People responding to these calls for help are also baffled by this. This leads to the what OWASP defines as its top issues for IoT devices.

According to OWASP (Open Web App Security Project), their IoT Top 10 list (2018) includes:

  1. Weak, guessable, or hardcoded passwords.
  2. Insecure network services.
  3. Insecure ecosystem interfaces.
  4. Lack of secure update mechanisms.
  5. Use of insecure or outdated components.
  6. Insufficient privacy protection.
  7. Insecure data transfer and storage.
  8. Lack of device management.
  9. Insecure default settings.
  10. Lack of physical hardening

To see more detail about these top 10 security issues with IoT, visit the OWASP Internet of Things Project

Other devices worth mentioning that we did not discover are:

  • Security/I.P./Nanny cams.
  • Micro-computing devices such as Raspberry PI.
  • Ring and other “doorbell” camera systems for both home and businesses.
  • Smartlocks

The reason we’re talking about IoT/network connected devices is that as we integrate more technology into the home and office, we all have to understand the risks of adding this stuff to our LAN(local area network), even more so if we haven’t taken precautions to secure our wireless access points. The likelihood of your network being exploited is increased by adding insecure devices where the vendors haven’t done their due diligence and aren’t checking for what’s on the OWASP IoT Top 10, at a minimum.

We’ll leave you with this piece of advice. When you add a new piece of technology, do your research before buying. Find out if these devices have been hacked before and use the OWASP IoT Top 10 list to guide your research.

Let us know your thoughts. What flaws/vulnerabilities have you found with IoT devices? Do you have a story of a device being attacked? Click here to contact us.

Thank you for reading and we’ll see you next time.