The number of smart devices in the home is growing, and you can connect most of them directly to your network. Poorly secured devices make that a risk. We show what these risks are; you can read how to limit them in the article Securing the IoT workshop.

Gertjan Groen

Almost all smart devices communicate wirelessly and in many cases via WiFi, so that they are automatically part of your network. This is very practical, because you can operate them directly with, for example, an app on your smartphone and often even remotely via the internet. But it also carries risks. Most devices in the Internet of Things are actually small computers with an operating system. If not properly secured, hackers get a chance to break in and take over the devices. There are plenty of examples of vulnerable IP cameras, but also baby monitors, doorbells, network video recorders, media players and internet radios. You have to be especially careful with cheap IP cameras. That is why we take them as a starting point in this article. But most of it also applies to other devices! We explain what risks there are and how you can limit them.

Devices such as IP cameras can pose a risk

VULNERABILITIES COPIED
If a vulnerability is found in a certain IP camera, you often see the same vulnerability in the cameras of dozens of other manufacturers, and suddenly millions of devices are at risk. That's because these IP cameras use the same hardware and software, coming from a so-called OEM (original equipment manufacturer). Just like in your smartphone, the heart of such an IP camera is an integrated chip, also called a SoC (System-on-a-Chip). The chip manufacturer also supplies operating software, which may contain vulnerabilities. In practice, however, vulnerabilities are introduced via all kinds of extra applications from the OEM, which often hardly takes the trouble to secure the whole sufficiently. This does not only concern devices that are sold in China; you will also find them in the Netherlands. Due to the poor security, you can easily view unsecured camera images via sites such as the Russian Insecam (insecam.org). Also notorious are the search engines for internet-connected devices, such as Shodan (shodan.io).

Countless unsecured camera images have been viewed on Insecam for years

TAKEOVER OF DEVICE
The biggest risk for IP cameras is that they are taken over remotely. This can be done via the web interface, but also via services such as Telnet or ssh. Both services are intended for remote login so that – similar to the command prompt of your PC – all kinds of commands can be given or programs run. Although Telnet and ssh are not required to use the IP camera, they are often active. What makes the problem worse is that in some ‘dangerous’ models, some accounts are already active with preset passwords, which are also known to hackers. Or very weak passwords are used that are easy to crack. Furthermore, devices have been found in which Telnet is turned off, but can be switched on remotely with a command via the network or the internet. That makes you think.

Hackers gain access to the file system through backdoors (credit: www.pexels.com)

Last year, a researcher found such a back door in various IP cameras and network video recorders. And in 2019, researchers found that Imperial Internet radios had an undocumented Telnet service running with a very weak password that gave root access. You can compare a takeover of a device with the command prompt on a regular computer. With root access, virtually every conceivable activity is possible, including installing malware, adding the device to a botnet (see below), retrieving configuration information such as the WiFi password, or – as with the Internet radio – playing your own audio stream.

Botnets can control large numbers of IoT devices for attacks
(credit: www.pexels.com)

ADVANCE OF BOTNETS
One of the main risks of backdoors in poorly secured devices is that so-called botnets can take over the devices. For IoT devices, the term botthings is even used. Once a hacker has penetrated a device through automated scripts, the device tries to infect other devices and remote control is activated from so-called command & control servers. A botnet can cause a lot of damage, for example by shutting down servers, websites or payment systems via massive distributed attacks, so-called DDoS attacks. This is a kind of bombardment of requests aimed at, for example, a website, which cannot protect itself because the requests come from everywhere, controlled from the command & control servers and executed by the infected devices in the botnet. Large parts of the internet have been shut down this way several times. The Mirai botnet is well known, but more advanced variants based on its source code, such as IoTroop and Satori, are also in circulation.

Port forwarding forwards certain ports from the Internet to local devices

NETWORK CONNECTIONS
Even if Telnet or ssh is open, an attack from outside via the internet is not immediately possible. The firewall in the router ensures that the device is not directly accessible from the internet. That is only possible if a certain port has been opened with a so-called port forwarding rule, whereby traffic on a certain port on the internet side is forwarded to a port on the device. There is a mechanism called UPnP (Universal Plug & Play) with which devices such as game consoles, or certain applications such as file sharing, can open ports in the router themselves from inside the network. We recommend disabling this feature on your router. The occasional device may then stop working, but you can set up a manual port forwarding rule for it. How you set that up differs per router. Complete websites (such as https://portforward.com) have been made to explain it.
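
A check that follows from the paragraph above, as an added example that is not part of the original article: it reads a router's list of active port mappings and reports every forward you did not set up yourself, marking Telnet, ssh and web-interface forwards as high. The listing layout, the sample data and the names `parse_mappings` and `audit` are assumptions made for this example.

```python
import re

# Services the article names as takeover paths, keyed by the port on the device.
RISKY_PORTS = {23: "Telnet", 22: "ssh", 80: "web interface"}

# Assumed layout: "<idx> <PROTO> <extPort>-><intIP>:<intPort> '<description>'"
MAPPING = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)

def parse_mappings(listing):
    """Return one dict per well-formed mapping line; skip headers and noise."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING.match(line)
        if m:
            proto, ext, ip, internal, desc = m.groups()
            mappings.append({"proto": proto, "ext_port": int(ext), "ip": ip,
                             "int_port": int(internal), "desc": desc})
    return mappings

def audit(listing, allowed=()):
    """Report mappings not in `allowed`, a set of (ip, int_port) you created."""
    findings = []
    for m in parse_mappings(listing):
        if (m["ip"], m["int_port"]) in allowed:
            continue
        # Judge by the port on the device, not the internet-side port:
        # 8023->...:23 exposes Telnet just as much as 23->...:23 does.
        service = RISKY_PORTS.get(m["int_port"]) if m["proto"] == "TCP" else None
        findings.append(("high" if service else "review", m["ext_port"],
                         m["ip"], m["int_port"], service or "unknown service"))
    return sorted(findings)

# Constructed sample listing (addresses and descriptions are made up).
SAMPLE = """\
 i protocol exPort->inAddr:inPort description
 0 TCP  8023->192.168.1.50:23    'ipcam'
 1 TCP  8080->192.168.1.50:80    'ipcam web'
 2 UDP 51413->192.168.1.10:51413 'file sharing'
 3 TCP  3074->192.168.1.20:3074  'game console'
garbage line
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, allowed={("192.168.1.20", 3074)}):
        print(finding)
```

Anything reported as "review" is a forward that a device or application opened on its own and that you should either remove or replace with a manual rule.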

An app provides easy access to camera images, also from the internet

CLOUD AND P2P CONNECTIONS
The fact that devices can always connect to the internet themselves means that they can sometimes open the door themselves. For example, many IP cameras set up a cloud or peer-to-peer (P2P) connection, sometimes right from the moment you turn on the device. The idea is that with an app on your smartphone, such as XMEye or CamHi, you can watch images from your camera directly, even when you are on the road, i.e. via the internet. Usually you only need to enter a number, printed on a sticker on the device, for example. That number also often turned out to be derived from the MAC address (a unique identification number in the network) of the camera. And in several cases it was simply numbered sequentially per device. That makes unwanted viewing of streams very easy. The occasional P2P server still asks for a password, but often the default password works (because many users don't change it), and often there are even undocumented user accounts that provide access. Hackers know these too.

More than 3.7 million IP cameras, partly in the Netherlands, contain a vulnerable p2p service

BACK DOORS
The p2p facility is intended to increase ease of use, but usually the security is very poor. For example, many IP cameras, webcams, baby monitors and doorbells with iLnk P2P installed are vulnerable. The map at https://hacked.camera/map/ shows more than 3.7 million vulnerable devices worldwide. XMEye P2P Cloud also appears to be poorly secured and is installed on an estimated nine million IP cameras from more than a hundred (!) manufacturers, all made by the Chinese OEM Hangzhou Xiongmai Technology. That number does not come out of the blue, but is based on researchers' scans of active devices on the internet. Adding to the problem is that the poorly secured p2p facility also gives hackers the chance to break into the camera through a back door. Xiongmai's devices have often been misused for attacks via botnets. Finally, remember that the camera images can be stored or analyzed on the p2p server itself.