Hacking an intensely personal use case for IoT.

Hacking IoT: Case Study on Baby Monitor Exposures and Vulnerabilities





My research presented here focuses on the security of retail baby
monitors for a number of reasons. Baby monitors fulfill an intensely personal
use case for IoT. They are usually placed near infants and toddlers, are
intended to bring peace of mind to new parents, and are marketed as safety
devices. By being Internet accessible, they also help connect distant family
members with their newest nieces, nephews, and grandchildren, as well as allow
parents to check in on their kids when away from home. They are also largely
commodity devices, built from general purpose components, using chipsets,
firmware, and software found in many other IoT devices. Video baby monitors
make ideal candidates for security exploration; not only are they positioned as
safety and security devices (and therefore, should be held to a reasonably high
standard for security), but the techniques used in discovering these findings
are easily transferable to plenty of other areas of interest. Other products of
direct interest to commercial and industrial consumers and security researchers
(commercial security systems, home automation systems, on-premise climate
control systems) share many of the insecure design and deployment issues found
in video baby monitors.



While video baby monitors are vastly more commonplace in a
home environment and uncommon in an office environment, office environments and
home environments are, increasingly, literally the same environment. The
percentage of employees and contractors who are working from home on at least a
part-time basis continues to rise across every modern economy. Parents are
traditionally at the core of this trend, though it is increasingly common
across all genders, ages, and family statuses [4]. These employees are, as a
matter of necessity, connecting to their workplace virtually, either through
VPN connections or through the use of cloud services shared by colleagues. The
presence of devices that are insecure by default, difficult to patch, and
impossible to directly monitor by today’s standard corporate IT security
practices constitutes not only a threat to the IoT device and its data, but
also to the network to which it’s connected. As the IoT is made up of general
purpose computers, attackers may be able to leverage an exposure or
vulnerability to gain and maintain persistent access to an IoT device. That
device can then be used to pivot to other devices and traditional computers by
taking advantage of the unsegmented, fully trusted nature of a typical home
network. Today, employees’ home networks are rarely, if ever, “in scope” for
organizational penetration testing exercises, nor are they subject to
centralized vulnerability scanners. Another concern is the raw computing power
available to attackers in the form of millions to billions of IoT devices. In
total, the teraflops of processing power may be effectively harnessed by
malicious actors to launch powerful distributed denial of service (DDoS)




One of the goals of this research is to practice reasonable,
coordinated disclosures with vendors of IoT equipment. So, as a matter of
course, the vulnerabilities discovered as part of this research were reported
in accordance with Rapid7’s Vulnerability Disclosure Policy. According to this
policy, vendors are contacted once the findings are verified, then after 15
days, CERT is contacted. 45 days after that (60 days after the initial
disclosure attempt), the findings are published. During the course of the
vulnerability disclosure process, we saw vendors exhibit the entire range of
possible responses. One vendor was impossible to contact, having no domain or
any other obvious Internet presence beyond an Amazon store listing. Some
vendors did not respond to the reported findings at all. Others responded with
concerns about the motives behind the research, and were wondering why they
should be alerted or why they should respond at all. On the exemplary side, one
vendor, Philips N.V., had an established protocol for handling incoming product
vulnerabilities, which included using a documented PGP key to encrypt
communications around this sensitive material. Philips was also able to involve
upstream vendors in pursuing solutions to those technologies provided by
others. Weaved, a provider of an IoT-in-the-cloud framework for Philips, was
especially open with and responsive to the authors of this paper. The range of
responses itself is worrying, and representative of the IoT industry as a
whole. While it is possible for an organization to maintain a flexible, mature
process for handling unsolicited vulnerability reports, it is far from the
norm. It is hoped that the publication of these findings will help IoT vendors
establish reasonable, effective vulnerability handling practices.





It is the authors’ hope that everyone who reads this paper
has a better sense of security issues facing the current generation of the
Internet of Things. While we take great pride in performing research on individual
IoT devices that have real-world benefits to consumers and businesses, we also
realize that those efforts alone don’t scale to the massive size and growth of
IoT. In February 2014, Mark Stanislav co-founded the IoT security initiative,
BuildItSecure.ly [9]. Through vendor outreach efforts, BuildItSecure.ly not only
provides curated information security guidance to IoT vendors of all sizes, but
also pairs those vendors with highly regarded information security researchers.
Through this pro bono, coupled approach, BuildItSecure.ly is able to translate
research and knowledge transfer into real security improvements that will
impact the entire product line of participating vendors.


Proposed Solution


Additionally, Mark participates in the Online Trust
Alliance’s IoT Working Group [10], which is developing the “IoT Trust Framework”
to provide clear guidance to vendors on expectations of both privacy and
information security features for their products.

Vendors that utilize this framework will have a set of
minimum boundaries for how their products and related services should handle
the data and trust being provided to them by their customers. By establishing
this framework, vendors can be confident in how to approach tough design and
implementation choices that produce high quality, secure, and affordable






Rapid7 is a leading provider of security data and analytics
solutions that enable organizations to implement an active, analytics-driven
approach to cyber security. We combine our extensive experience in security
data and analytics and deep insight into attacker behaviors and techniques to make
sense of the wealth of data available to organizations about their IT
environments and users. Our solutions empower organizations to prevent attacks
by providing visibility into vulnerabilities and to rapidly detect compromises,
respond to breaches, and correct the underlying causes of attacks. Rapid7 is
trusted by more than 4,150 organizations across 90 countries, including 34% of
the Fortune 1000. To learn more about Rapid7 or get involved in our threat
research, visit www.rapid7.com.

