McAfee Researchers Exploit Smart Plug to Attack Smart TV!
Researchers from McAfee have demonstrated how a flaw in a Belkin smart switch can be used to access other connected devices on the same network as the switch.
One of the recurrent themes of Internet of Things security might be summarized as “its not the THING, stupid!” In other words: the value of the individual endpoint is irrelevant. A webcam, a baby monitor, a connected TV – none of these, by themselves, hold much sensitive information or represent much computing power. Rather, it is the value of the things in aggregate, or their ability to open a path to other, more valuable things that matters.
Now new research from McAfee is putting that to the test, by demonstrating how a flaw in a Belkin smart switch can be used to access other connected devices on the same network as the switch.
In a recent blog post, McAfee said that it has uncovered a buffer overflow flaw in a component of the Wemo Insight Smart Plug that could allow an attacker to run his or her own code on the device and use it to access and attack other devices on the same network as the smart plug.
The vulnerability, CVE-2018-6692, is in a software library known as “libUPnPHndlr.so.” The process McAfee used to discover it is lengthy and complex, with researchers disassembling and reverse engineering the Wemo Insight Smart Plug. If you want a nice write up on how to do this, including tool talk and photos, check out their blog post.
For everyone else, what’s important to know is that Wemo Insight plugs are just tiny little Linux devices, running the OpenWRT embedded Linux OS – and not a very stripped down version of OpenWRT either. The researchers found two exploitable vectors on it: a write-what-where condition allows an attacker to write data to an arbitrary location in memory; by continuing to overwrite data on the stack, an attacker can overwrite the $RA register or return address for the calling function, providing the attacker control of the execution flow.
By using Linux commands left enabled on the smart plug, the researchers found they were able to download and execute any script, run NetCat, which could allow an attacker to write a script to create a reverse shell on the device. While attacks to the device itself are limited to turning the device on or off, the potential damage grows where the plug is networked with other devices. “The plug could now be an entry point to a larger attack. Later in this report, we will look at one possible attack,” the McAfee researchers concluded.
To prove that point, the McAfee researchers developed a proof of concept attack in which a compromised plug used a built-in UPnP library to poke a hole in the network router, creating a backdoor channel for an attacker to connect remotely, unnoticed on the network.
With that access, the researchers were able to use a remote shell to control a TCL smart TV connected to the same network as the Wemo plug by exploiting a Roku API implementation on the TV that accepts unencrypted and unauthenticated HTTP GET/POST requests. “Using the Wemo as a middleman, the attacker can power the TV on and off, install or uninstall applications, and access arbitrary online content,” the researchers found.
And smart TVs are just one visible example of how the Wemo plug could be used to pivot to other devices on a network. “With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk. Because attacks can be conducted through the Wemo and the port mappings generated using this exploit are not visible from the router’s administration page, the attacker’s footprint remains small and hard to detect,” the researchers concluded.
This isn’t the first time that Wemo products have been the focus of security researchers. At the 2017 Security of Things Forum, Scott Tenaglia of the firm Invincea revealed a number of security flaws in Wemo home automation devices including vulnerability to a type of attack known as SQL injection. By sending purposely mis-formed updates to WeMo devices, Tenaglia found he could create his own malicious executable that was run by the WeMo smart device, allowing him to take control of those devices.
- Head of Penetration Testing
- United Kingdom
Head of Penetration Testing needed to join a security consultancy that are delivering client facing penetration testing services around Web app and Infrastructure. Looking for someone hands on that is able to manage a highly skilled technical team of testers. 50-60% of the time is expected to be hands on, other duties will include, but not be limited to; leading and managing the day to day running of the team, mentoring, team upskill, recruitment, reporting, escalation, process improvement etc. Flexible location although south east is preferred. Anyone with Check / CREST experience is highly desirable. MUST be able to achieve SC clearance. UK based role. All details kept in confidence.
- CONTRACT SOC Manager. London / Birmingham. URGENT Immediate role.
REF7847 Contract SOC Manager. SC cleared, London / Birmingham. Initial 3 month Contract. SOC Manager needed to for an URGENT 3-4 month CONTRACT. SC clearance is essential. The project is to aid in the setup, implementation and management of resources to help with the initial stand up stages of a new SOC within a greenfield site. This is a short term contract role whilst a permanent hire is brought on over the coming 3 to 4 months. Experience engaging with and managing client stakeholder relationships as well as 3rd party relationships is critical. The role will involve; setting up, implementing and fine tuning the various initial stages of a SOC environment. Experience establishing and building out technical process / operational capability, managing of technical teams (analysts, engineers and architects, creation of policy / playbooks, fine turning is key. SPLUNK is the tooling of choice… Interviewing immediately. Set up a call with me today on https://calendly.com/chris-holt/arranged-call-with-chris-holt-remote-soc-role Direct contact details Chris.Holt@dclsearch.com or 07884666351
- SPLUNK Level 3 SOC Consultant, SIEM Splunk, London / Birmingham
REF CH7825 Level 3 SOC Consultant, SIEM Splunk, London / Birmingham £55,000 + Level 3 SOC Consultant, SIEM SPLUNK needed. Security Clearance. Permanent role Level 3 SOC Consultant, SIEM SPLUNK needed to join a public sector client. The ability to achieve SC clearance is essential. MUST have experience working with SPLUNK ideally to an Advanced Power User level. Splunk Enterprise Security (ES) knowledge and hands on experience highly desirable. The role will include, but not be limited to; managing and handling incidents end to end, supporting and mentoring level 1 / level 2 staff, supporting the SOC manager in the delivery of the SOC roadmap, engaging with the client stakeholders (other technical teams) as and where needed, use case development, advanced search and reporting etc. The individual MUST currently be living in the UK and be able to achieve UK security clearance. (SC) This is a permanent role To arrange a call with Chris Holt use this calendy link https://calendly.com/chris-holt/arranged-call-with-chris-holt-remote-soc-role Chris.Holt@dclsearch.com
- Aspiring Cyber Partner. Business lead, market maker.
Aspiring Cyber Partner (management consultancy) with Cyber specialism into Healthcare, Utilities and or Public Sector. Working with new and existing clients to help them solve, transform or evolve their cyber capabilities. MUST have; A proven management consultancy background in cyber. A history of identifying and closing new business opportunities. Currently Revenue generating / must be able to demonstrate recent wins. Client facing to board level with international businesses. Team leadership / mentoring experience. Extensive cyber industry experience. Digital transformation, Start-up environments etc. Experienced presenter at industry events, to be the public face of a business / capability. Breadth of knowledge across Cyber security. Service definition / creation. Would consider a senior director with experience delivering the above looking to step up. All conversations kept in confidence. To arrange a discreet call book a time to speak in my diary via https://calendly.com/chris-holt/cyber-partner-call Chris.Holt@dclsearch.com