McAfee Researchers Exploit Smart Plug to Attack Smart TV!
Researchers from McAfee have demonstrated how a flaw in a Belkin smart switch can be used to access other connected devices on the same network as the switch.
One of the recurrent themes of Internet of Things security might be summarized as “its not the THING, stupid!” In other words: the value of the individual endpoint is irrelevant. A webcam, a baby monitor, a connected TV – none of these, by themselves, hold much sensitive information or represent much computing power. Rather, it is the value of the things in aggregate, or their ability to open a path to other, more valuable things that matters.
Now new research from McAfee is putting that to the test, by demonstrating how a flaw in a Belkin smart switch can be used to access other connected devices on the same network as the switch.
In a recent blog post, McAfee said that it has uncovered a buffer overflow flaw in a component of the Wemo Insight Smart Plug that could allow an attacker to run his or her own code on the device and use it to access and attack other devices on the same network as the smart plug.
The vulnerability, CVE-2018-6692, is in a software library known as “libUPnPHndlr.so.” The process McAfee used to discover it is lengthy and complex, with researchers disassembling and reverse engineering the Wemo Insight Smart Plug. If you want a nice write up on how to do this, including tool talk and photos, check out their blog post.
For everyone else, what’s important to know is that Wemo Insight plugs are just tiny little Linux devices, running the OpenWRT embedded Linux OS – and not a very stripped down version of OpenWRT either. The researchers found two exploitable vectors on it: a write-what-where condition allows an attacker to write data to an arbitrary location in memory; by continuing to overwrite data on the stack, an attacker can overwrite the $RA register or return address for the calling function, providing the attacker control of the execution flow.
By using Linux commands left enabled on the smart plug, the researchers found they were able to download and execute any script, run NetCat, which could allow an attacker to write a script to create a reverse shell on the device. While attacks to the device itself are limited to turning the device on or off, the potential damage grows where the plug is networked with other devices. “The plug could now be an entry point to a larger attack. Later in this report, we will look at one possible attack,” the McAfee researchers concluded.
To prove that point, the McAfee researchers developed a proof of concept attack in which a compromised plug used a built-in UPnP library to poke a hole in the network router, creating a backdoor channel for an attacker to connect remotely, unnoticed on the network.
With that access, the researchers were able to use a remote shell to control a TCL smart TV connected to the same network as the Wemo plug by exploiting a Roku API implementation on the TV that accepts unencrypted and unauthenticated HTTP GET/POST requests. “Using the Wemo as a middleman, the attacker can power the TV on and off, install or uninstall applications, and access arbitrary online content,” the researchers found.
And smart TVs are just one visible example of how the Wemo plug could be used to pivot to other devices on a network. “With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk. Because attacks can be conducted through the Wemo and the port mappings generated using this exploit are not visible from the router’s administration page, the attacker’s footprint remains small and hard to detect,” the researchers concluded.
This isn’t the first time that Wemo products have been the focus of security researchers. At the 2017 Security of Things Forum, Scott Tenaglia of the firm Invincea revealed a number of security flaws in Wemo home automation devices including vulnerability to a type of attack known as SQL injection. By sending purposely mis-formed updates to WeMo devices, Tenaglia found he could create his own malicious executable that was run by the WeMo smart device, allowing him to take control of those devices.
- Cloud Channel Manager
- Up to £75,000 Base dependant on experience + Double OTE
A Cloud Channel Manager is needed for a Leading Cloud Service Provider in London due to increased customer demand. The Cloud Channel Manager will be primarily responsible for rebuilding & protecting current accounts and also new logo sales into the channel e.g. Value Added Resellers (VAR) / Managed Service Providers (MSP), SI etc. Requirements Current experience selling Cloud technology such as AWS / Azure into the channel Over achieved on sales targets. Long tenure (3/4 years+) in current and previous positions. Reference Number: PG7419
- Business Development Manager (Public Sector)
- Up to £75,000 Basic + Double OTE (Commission is uncapped and subject to accelerators)
One of our clients who are a leading service provider in London are looking for a Public Sector focussed Business Development Manager. The Business Development Manager (Public Sector) will be selling from a portfolio of managed ICT services and cloud services to prospects within the public sector focusing on central government, healthcare, university’s The portfolio will cover flexible end to-end managed services, UC, cloud, hosting and SDWan. Preference will also be given to Business Development Manager (Public Sector) who satisfy the following criteria: Over achievement of new business sales targets 5 years of experience in selling at least two of these; managed services, UC, Azure, AWS, SDWAN etc. New Business Background is a must in central government, healthcare or universities In return you will be working for a company that is growing over 25% organically year on year with excellent sales support and a great senior leadership team. Reference Number: BD7410
- Google Cloud Architect
- Up to £90.000 base plus bonus
We have a very urgent requirement for Google Cloud Architect for one of the reputed clients who are a fast growing GCP partner. The Google Cloud Architect will leverage Google Cloud technologies, designs, develops, and manages robust, secure, scalable, highly available, and dynamic solutions to drive business objectives. This will require all dimensions of cloud architecture including: Building, migrating and testing GCP environments and integration with other providers Build, design and implement scalable cloud-based web applications for PaaS, IaaS or SaaS. Provide thought leadership for cloud developer technology and collaborate with cross-functional engineering teams to streamline or improve adoption of Google Cloud Platform. This position will be located in London, United Kingdom. Unfortunately our client are unable to sponsor for this opportunity Reference Number: ES7411
- Solutions Consultant (Telecoms, SDWAN, IOT, WAN, Hosted services)
- Up to €90,000 plus car, bonus and benefits
Solutions Consultant is required to help lead a number of key client Migrations projects for this tier 1 Telecom company, the main role for the Solutions Consultant is helping customers migrate to new services, with a focusing on hosting (AWS, Azure) SDWAN and IOT You will be responsible for Post sales design documentation, implementation and migration of complex solutions for managed enterprise customers. Complex solutions consist of multi-product services. The TDA’s role is to ensure that these services interoperate and integrate into the customer environment. Such products consist of but not limited to MPLS, Ethernet, IPSec VPN’s, VoIP, Video Conferencing, Wireless, Internet, Private DSL, WAN Optimization, Managed Security Services, Managed Hosting, SDWAN and Complex Migration Planning. The TDA will own the technical delivery of customer solutions and will be the technical interface between the customer, product teams and project management during service delivery. Close engagement with pre-sales, technically validating solutions proposed are deliverable and all technical aspects are clearly defined prior to contract signature. The TDA accepts technical ownership of the solution at the point of contract signature. Lead customer facing technical workshops requiring excellent communication with the ability to articulate technical concepts clearly to all levels of competency. Providing support to 3rd line teams for OEM and design related faults. You will need to be at CCIE level (ideally CCIE R&S or SP ) with strong low level design and deployment skills, comfortable in front of customers and leading customer meeting Knowledge in SDWAN and Hosted services would be advantageous Reference Number: RA7413