Russians, Fancy Bears, and IoT Security
During the 2019 Black Hat conference in Las Vegas, a Microsoft announcement about IoT security, Russians, and Fancy Bear was all the buzz. After extensive research, Microsoft had made a significant discovery about device security.
The announcement explained in depth how a Russian hacker group targeted ordinary IoT devices with the end goal of a widespread attack on corporate networks. They executed these attacks through everyday devices that have been overlooked for a long time.
Microsoft reported that in April 2019 it had observed attacks carried out by the group it tracks as Strontium, also known as Fancy Bear or APT28. The group has been targeting common IoT devices such as VoIP phones and printers, and it has been a prominent and active threat since at least 2007.
Basic IoT Security Begins with a Firmware Analysis
Strontium has been targeting common IoT devices such as VoIP phones and printers. Many of these devices still carry factory-default credentials such as “password” and “admin,” yet they sit on corporate networks. Logging in with those defaults gives the attackers a foothold on the network, from which they can work their way toward more sensitive systems and data. Affected sectors include think tanks, politically affiliated organizations, the military, education, and healthcare, to name a few. The group's ultimate objective and its full list of targets have yet to be determined.
We sat down with ReFirm Labs co-founders Terry Dunlap and Peter Eacmen to discuss their thoughts on the recent announcement from Microsoft.
Here is what they had to say:
On a scale of 1 to 10 (with 10 being the most serious), how worried should people be about these kinds of attacks on IoT devices?
Terry Dunlap: “This is a 10, no doubt. IoT security is the most pressing issue in cyber-security today. The most vulnerable? Connected devices. They are susceptible to attacks because of flaws and vulnerabilities in firmware.”
“It takes just one firmware weakness for bad actors to gain access to an IoT device and then use that attack surface to compromise the integrity of an entire network.”
Peter Eacmen: “It depends entirely on your risk profile — although the average person largely doesn’t care because this won’t have a direct impact, enterprises should pay very close attention to the implications for these attacks. As Terry said, the warning sign for enterprises is blinking red. Companies need to take notice… fast.”
In this case, did the attackers find a new way into IoT devices?
Terry Dunlap: “These attacks weren’t sophisticated or particularly clever at all. Attackers took advantage of default usernames and passwords, which are very easy to guess. Sometimes, they used outdated firmware with well-known vulnerabilities. In the cybersecurity world, it’s elementary stuff.”
Peter Eacmen: “By all indications, if the targeted organizations had put minimal effort into securing their IoT devices, this attack would never have been possible. This is a case of winning more than half the battle by being aware of the potential threats.”
What enterprises are most at risk for IoT attackers?
Terry Dunlap: “Any enterprise that does not have complete visibility into the many IoT devices plugged into their networks and that are public-facing is most at risk for an IoT attack.”
Peter Eacmen: “Any company that deploys IoT without regard for basic security practices is at high risk for an attack like the one Microsoft uncovered. Consider every unsecured IoT device to be an unlocked front door to your network.”
Which kinds of IoT devices are most susceptible to attacks, in your experience?
Terry Dunlap: “In our work at ReFirm Labs, we find a lot of suspect stuff in surveillance cameras, WiFi routers and printers, especially in tech products coming from China.”
Peter Eacmen: “Any device that is remotely accessible over the internet is a legitimate target for attackers. Remember, the goal is not to attack the IoT device itself, but to use it as a jumping-off point for malicious behavior. This can include DDoS attacks, malware distribution, spamming/phishing, and credit card theft.”
If an enterprise takes just one or two measures today to defend from this kind of attack, what should they be? Moreover, how much would these steps cost?
Terry Dunlap: “Step one: Compile an inventory of IoT devices on your network. Step two: Upgrade the firmware on your IoT devices and change the default passwords. Both are inexpensive to do.”
Peter Eacmen: “I agree with Terry. Having a clear picture of IoT deployments in your network, and making sure all your IoT devices have been updated from the original factory install and default factory settings, are the best two immediate steps to take.”
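The two recommendations above (inventory your IoT devices, then confirm none still accept factory-default credentials) can be turned into a repeatable audit, which also exercises the weakness described earlier on the page: a phone or printer that still answers to “admin”/“password.” The following is an added example written for this page, not code from ReFirm Labs or Microsoft. It assumes the devices expose an admin page protected by HTTP Basic authentication; the hostnames, ports, device models and the default-credential table are constructed for illustration, and a small stub “device” is started on localhost so the script runs offline.

```python
"""Audit an IoT inventory for devices still accepting factory-default credentials.

Added example for this article, not ReFirm Labs or Microsoft code. Assumes
the admin page uses HTTP Basic auth (common on VoIP phones and printers).
All hosts, models and credentials below are constructed for illustration.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vendor-default table keyed by inventory "model" (assumption):
# maintain this from vendor documentation for the devices you actually own.
DEFAULT_CREDS = {
    "voip-phone-x": [("admin", "admin"), ("admin", "password")],
    "printer-y": [("admin", ""), ("admin", "1234")],
}


def probe_basic_auth(url, username, password, timeout=3):
    """True if url accepts username:password via HTTP Basic, False if it is
    rejected (401/403), None if the device is unreachable (stale inventory)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise
    except urllib.error.URLError:
        return None


def audit(inventory):
    """inventory: list of {"host", "port", "model"} from your asset register.
    Returns (host, model, finding) tuples; devices with no finding are omitted."""
    findings = []
    for dev in inventory:
        url = f"http://{dev['host']}:{dev['port']}/admin"
        for user, pw in DEFAULT_CREDS.get(dev["model"], []):
            result = probe_basic_auth(url, user, pw)
            if result is None:
                findings.append((dev["host"], dev["model"], "unreachable"))
                break
            if result:
                shown = pw or "<empty>"
                findings.append((dev["host"], dev["model"],
                                 f"default credential {user}:{shown} accepted"))
                break  # one accepted default is enough to flag the device
    return findings


class _StubDevice(BaseHTTPRequestHandler):
    """Constructed stand-in for a phone/printer admin page still on admin:admin."""
    ACCEPTED = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stub_device():
    """Start the constructed device on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), _StubDevice)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run the audit against the stub device: the 'voip-phone-x' entry is
    flagged (admin:admin accepted); the 'printer-y' entry, whose listed
    defaults the stub rejects, produces no finding."""
    srv = start_stub_device()
    port = srv.server_address[1]
    inventory = [
        {"host": "127.0.0.1", "port": port, "model": "voip-phone-x"},
        {"host": "127.0.0.1", "port": port, "model": "printer-y"},
    ]
    try:
        return audit(inventory)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for host, model, finding in demo():
        print(f"{host} ({model}): {finding}")
```

Run this only against devices you own or are authorized to test, from the inventory you compiled in step one; an "unreachable" finding is itself useful, since it usually means the inventory is stale or the device has moved.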
IoT Security Analysis at the Firmware Level is Critical
Peter and Terry both previously worked at the National Security Agency (NSA) as Global Network Vulnerability Analysts before co-founding ReFirm Labs, an industry-leading group focused on implementing programs to help corporations vet, validate, and continuously monitor the security of the firmware which runs billions of Internet of Things (IoT), consumer electronics, and connected enterprise machines used in offices all around the world.
The ReFirm Labs team is dedicated to keeping all aspects of enterprises secure, including IoT devices. Contact us today to learn how we can help you ensure there are no hidden vulnerabilities in your firmware and sensitive information.