UPDATED March 12 with note that Reolink has patched its security-camera firmware.
SAN FRANCISCO -- One simple but scary theme stood out at the RSA 2019 conference here this past week: Serious security problems with smart-home gadgets and other Internet of Things devices are widespread, systemic and getting worse.
Half a dozen presentations demonstrated how to hack home smart alarms, smart teakettles, networked storage drives, children's dolls, kids' GPS tracking watches, vehicle roadside-assistance services and smart-home automation systems.
More cheap home security cameras were hacked into than we could count. During the conference, one security firm released a video that showed how to hack into third-party smart car alarms to carjack moving vehicles.
Most of these IoT devices made rookie security mistakes that would not be tolerated in smartphones or PCs. The researchers stressed that many smart-home gadgets, despite having different purposes, shared back-end cloud servers that could be remotely compromised, or shared firmware that could be easily hacked. They added that many smart-home device makers seemed to have no interest in improving device security or keeping customers safe.
Dangerously sloppy security
"If we don't address this now, systemic flaws will accelerate further," said Ken Munro, founder of Pen Test Partners, a British firm that analyzes IoT security. "I had thought things would get better on their own, but they're getting worse."
Pen Test Partners made a name for itself in 2015 by revealing that the My Friend Cayla smart doll could be used to spy on children and their parents, which led to the doll being banned in Germany. More recently, the firm has shown how the apps monitoring kids' GPS tracking watches can tell pedophiles where children are playing. Both problems stemmed from sloppy security.
At RSA, Munro showed how a smart teakettle that lets you boil water from your phone -- "It can save you 30 seconds of your day for $100," he quipped -- could be accessed wirelessly and completely taken over from any laptop, without a password. The teakettle also revealed the owner's home Wi-Fi password in plaintext.
"I can drive past your house and grab this [password]," Munro said. As he had bought several of these smart kettles on eBay (the vulnerable model is no longer sold in stores), he added that "I know the original owners' home addresses, so now I can get on their networks."
Hacking a teakettle is cute, but hacking roadside-assistance services and other so-called telematics services built into modern cars is more serious. GM's OnStar was the pioneer in this field, but now most car makers offer vehicle telematics systems, which among other things let service technicians remotely unlock and start vehicles for owners via cellular connections.
Pen Test Partners found that cracking the transmission encryption on one carmaker's telematics system was trivial, and that an attacker could send malicious commands to a vehicle from his own GSM-enabled laptop. Even worse, the attacker could get into the back-end telematics system and communicate with as many vehicles as he liked, even some made by different car makers.
Grand theft smart auto
On Friday (March 8), Pen Test Partners posted research online showing how two well-known brands of aftermarket car alarms could be hijacked and controlled by an attacker armed only with a smartphone. The alarms have been installed on an estimated 3 million vehicles worldwide.
Hackers could get the vehicle's make and model, its current location and its owner's name. They could disable the alarm, unlock the doors, disable the legitimate owner's key and even shut off the car's engine or eavesdrop on what the driver and passengers were saying.
Pen Test Partners posted a video on YouTube showing a controlled test in which an attacker geolocated a moving Range Rover through the car-alarm smartphone app, chased the Rover in a second car, turned on the Rover's alarm so that the driver pulled over, shut off the engine and unlocked the Rover's doors.
"Now if you want to take the car, you can just stop the engine to order," Munro says in the video. "Unlock the vehicle, grab the driver, pinch the keys and you're off. This is crazy."
Both smart-alarm makers said they'd fixed the flaws behind this attack. The problem was simple: Their websites let you change the email addresses linked to existing accounts without authorization. Once you'd done that, all you had to do was request a password change to completely gain control.
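The takeover pattern described above (change the e-mail on an existing account without any check, then request a password reset) can be shown in a few lines. The following is an added example, not code from the article or from either alarm vendor: a vulnerable account service beside a hardened one that requires the current password and a confirmation from the new address before the change takes effect. The class names, the in-memory store and the sample accounts are all constructed for this illustration.

```python
"""Added example (not from the article or either alarm vendor): a toy account
service in the weak form described above, beside a hardened form.
All names, the in-memory store and the sample users are constructed."""
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.pending_email = None   # new address awaiting confirmation
        self.pending_token = None

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


class VulnerableService:
    """Weak pattern: anyone who knows an account id can point it at their own
    address, then request a reset and receive the token themselves."""

    def __init__(self):
        self.accounts = {}
        self.outbox = []   # (address, message) pairs the service "sends"

    def change_email(self, account_id, new_email, **_ignored):
        self.accounts[account_id].email = new_email   # no authentication at all
        return True

    def request_password_reset(self, account_id):
        token = secrets.token_urlsafe(16)
        self.outbox.append((self.accounts[account_id].email, token))
        return token


class HardenedService(VulnerableService):
    """Re-authenticate, then prove control of the new address before it is
    trusted for anything, including password resets."""

    def change_email(self, account_id, new_email, current_password=None):
        acct = self.accounts[account_id]
        if current_password is None or not acct.check_password(current_password):
            return False   # re-authentication required
        acct.pending_email = new_email
        acct.pending_token = secrets.token_urlsafe(16)
        self.outbox.append((new_email, acct.pending_token))   # confirmation mail
        return True

    def confirm_email(self, account_id, token):
        acct = self.accounts[account_id]
        if acct.pending_token and hmac.compare_digest(acct.pending_token, token):
            acct.email = acct.pending_email
            acct.pending_email = acct.pending_token = None
            return True
        return False


def takeover_possible(service_cls) -> bool:
    """True if someone who knows only the account id can get a reset token
    delivered to an address they control (constructed victim and addresses)."""
    svc = service_cls()
    svc.accounts["victim-1"] = Account("owner@example.com", "correct horse")
    svc.change_email("victim-1", "attacker@example.net")   # no password supplied
    svc.request_password_reset("victim-1")
    return any(addr == "attacker@example.net" for addr, _ in svc.outbox)


if __name__ == "__main__":
    print("vulnerable takeover:", takeover_possible(VulnerableService))
    print("hardened takeover:  ", takeover_possible(HardenedService))
```

The hardened version keeps the old address authoritative until the new one has echoed back its confirmation token, so a reset requested in between still goes to the real owner. A production service would additionally notify the old address of the attempted change and rate-limit reset requests.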
Striking at the heart of the smart home
In a separate RSA presentation, Stephen Hilt and Numaan Huq from Trend Micro showed how smart-home automation systems, which make it easy for the home owner to control a dozen different smart devices via a voice assistant or a smartphone app, also make it easy for hackers and burglars to break in both digitally and physically.
Whether the smart-home automation system is a "bolt-on" wireless one assembled in bits and pieces by the homeowner, or a "built-in" one with dedicated server boxes, Ethernet cables and wireless access points, the various parts, ports and manufacturers involved simply create far too many ways for bad guys to get in, Hilt and Huq showed.
The researchers hacked into an automation system, then used a smart speaker to give commands to a smart home's voice assistant, which then let them unlock doors, turn off the home alarm, turn on the lights and even start the owner's car with voice commands. They also figured out how to spy on a home using the home's own security cameras -- over Slack.
"Complexity is the new enemy," Hilt and Huq said in their presentation. "Today's society is adopting connected technologies faster than we can secure them."
I see you and everything you do
Alex "Jay" Balan of Bitdefender showed RSA attendees that four different cheap Chinese security cameras sold under the Geenker, Keekoon, Reolink and Tenvis names had terrible security. Most could be accessed over the internet via Telnet, the 1970s network protocol with no encryption. Anyone with mid-level coding skills could dial into the cameras from anywhere and watch you at home. (UPDATE: Reolink reached out to us to say it had patched the flaws with a firmware update.)
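A home-network owner can spot a camera that is reachable over Telnet from the outside by looking at the router's own connection log. The following is an added example, not from the article or from Bitdefender: it parses a small, constructed log in a simple "ACCEPT src -> dst:port" format and lists every local device that accepted a TCP/23 session from an address outside the RFC 1918 ranges. The log format, timestamps and every IP address are constructed for this illustration; the regular expression would need to be adapted to a real router's log lines.

```python
"""Added example (not from the article or Bitdefender): flag home devices that
accepted an inbound Telnet (TCP/23) session from outside the local network.
Log format and all addresses below are constructed for this example."""
import ipaddress
import re
from collections import defaultdict

# Constructed router log lines: <timestamp> <action> <src>:<port> -> <dst>:<port>/<proto>
SAMPLE_LOG = """\
2019-03-08T10:01:12 ACCEPT 192.168.1.20:51322 -> 192.168.1.30:23/tcp
2019-03-08T10:02:45 ACCEPT 203.0.113.7:40112 -> 192.168.1.30:23/tcp
2019-03-08T10:03:01 ACCEPT 203.0.113.7:40113 -> 192.168.1.31:80/tcp
2019-03-08T10:03:59 ACCEPT 198.51.100.23:22010 -> 192.168.1.30:23/tcp
2019-03-08T10:04:10 DROP   198.51.100.23:22011 -> 192.168.1.32:23/tcp
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(ACCEPT|DROP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)/(tcp|udp)$"
)
TELNET_PORT = 23

# Explicit RFC 1918 check: ipaddress.is_private also counts the documentation
# ranges (198.51.100.0/24, 203.0.113.0/24) used for the sample addresses above.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(addr) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, sport, dst, dport, proto = m.groups()
    return {"ts": ts, "action": action, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def exposed_telnet_devices(log_text):
    """Map each local device that accepted TCP/23 from a non-local source to
    the sorted list of external source addresses that reached it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "tcp":
            continue
        if rec["dport"] != TELNET_PORT or not is_local(rec["dst"]):
            continue
        if is_local(rec["src"]):
            continue   # LAN-to-LAN Telnet is a separate, weaker finding
        hits[rec["dst"]].add(rec["src"])
    return {dev: sorted(srcs) for dev, srcs in hits.items()}


if __name__ == "__main__":
    for device, sources in exposed_telnet_devices(SAMPLE_LOG).items():
        print(f"{device}: Telnet accepted from {', '.join(sources)}")
```

In the sample log only 192.168.1.30 is reported: the LAN-side login from 192.168.1.20 is skipped, the HTTP session to .31 is not Telnet, and the attempt against .32 was dropped by the router. The mitigation for a device that shows up here is to block inbound port 23 at the router (and disable Telnet on the device where its firmware allows it), since the protocol carries credentials and video in the clear.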
Sherri Davidoff and Matt Durrin of LMG Security used the same Tenvis model that Balan broke into to show how criminals could plant cryptocurrency-mining malware in cheap security cameras to make money. That camera's motherboard is used by hundreds of other security camera models, the researchers said, and most run the same lightweight version of Linux.
"If the average infected [security-camera] system generates $0.25 of Monero [cryptocurrency], that's not much -- unless you control 2,000 infected systems," Davidoff said during their presentation. "The rush to get IoT devices out to market doesn't bode well for cybersecurity."
It goes beyond coin mining. Candid Wueest of Symantec showed RSA attendees how infected smart TVs, routers and other smart-home devices could be used to launch DDoS attacks against websites, send out spam emails, steal secrets from device owners and even blackmail owners by threatening to release embarrassing footage captured by hacked security cameras.
It's bad, and it's nationwide
Himanshu Mehta of Symantec and Harshit Agrawal of MIT pointed out that smart-home and IoT devices have lots of problems: weak or hardcoded administrative passwords, or no passwords at all; unsecured network services; unsecured cloud interfaces; a lack of secure firmware updates; and outdated components.
"The current state of [wireless] IoT security is the same as web security back in the 1990s," Mehta said during their presentation.
Other researchers at RSA echoed that sentiment, saying that terrible security is the rule, not the exception, with smart-home and IoT devices.
As an example, Munro pointed out the Mirai botnet, which knocked large portions of the internet offline in October 2016 and was seemingly designed to hack all sorts of IoT devices. Yet the malware targeted cheap small-business DVRs using a single kind of Chinese DVR firmware. That firmware had been copied, reused and repurposed for many other inexpensive IoT devices, including security cameras, TV set-top boxes, VoIP phones, two-way speakers, printers and routers. All were infected.
Munro cited a case where Pen Test Partners hacked into a smart hot tub's cloud server to raise the temperature. But that compromised server also handled "smart" trucks and medical devices -- a common situation in which many different IoT devices with different purposes use the same cloud back-end. If the cloud server is broken into, then so are all the devices.
"You're now exposed to other IoT vendors' security," Munro said.
Balan pointed out that for the past four years, he and other Bitdefender researchers have been trying to notify IoT and smart-home device makers of problems in their firmware and software. Yet, he said, they never even got replies from most vendors. He added that if a smart-home vendor didn't have a "bug bounty" program inviting hackers to find flaws, then the vendor's devices almost certainly had critical firmware flaws.
"It truly is a gift that keeps on giving," Balan said.
Joshua Meyer of Independent Security Evaluators gave a live demonstration at RSA in which he used several different methods to hack into a TerraMaster F2-420, a $300 network-attached storage drive with a nice-looking local web interface. (The problems have been fixed.)
Meyer pointed out that despite the well-documented history of IoT security shortcomings, more IoT and smart-home devices entered the market every year without any improvement in overall device security.
"We need to fix this," Meyer lamented. "I can't tell you exactly how, but someone needs to fix it."
Glimmer of hope
During his RSA presentation, Munro said such fixes may be coming from legislators and regulators. He cited a European certification framework and a British code of conduct as tentative steps toward greater smart-device government oversight. But his favorite was California SB 327, which mandates security on IoT devices by Jan. 1, 2020.
Munro called the California law "a huge step forward."