McAfee Researchers Exploit Smart Plug to Attack Smart TV!
Researchers from McAfee have demonstrated how a flaw in a Belkin smart switch can be used to access other connected devices on the same network as the switch.
One of the recurrent themes of Internet of Things security might be summarized as “its not the THING, stupid!” In other words: the value of the individual endpoint is irrelevant. A webcam, a baby monitor, a connected TV – none of these, by themselves, hold much sensitive information or represent much computing power. Rather, it is the value of the things in aggregate, or their ability to open a path to other, more valuable things that matters.
Now new research from McAfee is putting that to the test, by demonstrating how a flaw in a Belkin smart switch can be used to access other connected devices on the same network as the switch.
In a recent blog post, McAfee said that it has uncovered a buffer overflow flaw in a component of the Wemo Insight Smart Plug that could allow an attacker to run his or her own code on the device and use it to access and attack other devices on the same network as the smart plug.
The vulnerability, CVE-2018-6692, is in a software library known as “libUPnPHndlr.so.” The process McAfee used to discover it is lengthy and complex, with researchers disassembling and reverse engineering the Wemo Insight Smart Plug. If you want a nice write up on how to do this, including tool talk and photos, check out their blog post.
For everyone else, what’s important to know is that Wemo Insight plugs are just tiny little Linux devices, running the OpenWRT embedded Linux OS – and not a very stripped down version of OpenWRT either. The researchers found two exploitable vectors on it: a write-what-where condition allows an attacker to write data to an arbitrary location in memory; by continuing to overwrite data on the stack, an attacker can overwrite the $RA register or return address for the calling function, providing the attacker control of the execution flow.
By using Linux commands left enabled on the smart plug, the researchers found they were able to download and execute any script, run NetCat, which could allow an attacker to write a script to create a reverse shell on the device. While attacks to the device itself are limited to turning the device on or off, the potential damage grows where the plug is networked with other devices. “The plug could now be an entry point to a larger attack. Later in this report, we will look at one possible attack,” the McAfee researchers concluded.
To prove that point, the McAfee researchers developed a proof of concept attack in which a compromised plug used a built-in UPnP library to poke a hole in the network router, creating a backdoor channel for an attacker to connect remotely, unnoticed on the network.
With that access, the researchers were able to use a remote shell to control a TCL smart TV connected to the same network as the Wemo plug by exploiting a Roku API implementation on the TV that accepts unencrypted and unauthenticated HTTP GET/POST requests. “Using the Wemo as a middleman, the attacker can power the TV on and off, install or uninstall applications, and access arbitrary online content,” the researchers found.
And smart TVs are just one visible example of how the Wemo plug could be used to pivot to other devices on a network. “With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk. Because attacks can be conducted through the Wemo and the port mappings generated using this exploit are not visible from the router’s administration page, the attacker’s footprint remains small and hard to detect,” the researchers concluded.
This isn’t the first time that Wemo products have been the focus of security researchers. At the 2017 Security of Things Forum, Scott Tenaglia of the firm Invincea revealed a number of security flaws in Wemo home automation devices including vulnerability to a type of attack known as SQL injection. By sending purposely mis-formed updates to WeMo devices, Tenaglia found he could create his own malicious executable that was run by the WeMo smart device, allowing him to take control of those devices.
- Outside IR 35 contract- Threat & vulnerability analyst - SC CLEARED UK REMOTE
6 month rolling contract Outside IR35- immediate start. Threat and Vulnerability Analyst. Tenable.sc experience needed. The ability to deploy agent, configure environments, run active and passive scans, produce reports and prioritise remediation activities based on output Current and ACTIVE clearance is required
- Chief Information Security Officer- CISO. London
Chief Information Security Officer (CISO) is needed to join a senior leadership team that is driving change across a London based FTSE business. You will have responsibility and accountability to define and execute an information & Cyber Security strategy. To be successful you should have the following experience; Experience defining, presenting and executing against your information AND cyber security strategy. Experience delivering / managing functions across information security GRC / Audit and technical Cyber Security capabilities. Senior stakeholder management to the executive committee. Embedding Info / cyber security within a Cloud focused environment. Further develop, expand and mature the information / cyber security function | team. Be able to regularly commute to London Financial services experience is desirable. If this sounds like an opportunity you are interested in then please use the below form to schedule a call. This is an exclusive project to DCL Search. All conversations are kept in confidence.
- IAM Business Analyst- ForgeRock
- European Union
- £500 per day
IAM Business Analyst with ForgeRock experience is need for a 12 months contract The client is in the middle of a large scale ForgeRock deployment and the BA will sit between the technical teams and the business helping to ensure the project is a success You will need to be a strong business communicator and have experience of mapping business needs against ForgeRock features This will be a remote project dealing with teams in different geographies, you must have strong English communications skills and be happy working remotely and able to be proactive to ensure your side of the project is a success
- Java Developer
- United Kingdom
- upto £55,000 plus good benefits
Home based opportunity for an experinced Java Developer to become involved in a number of large scale national IAM projects Duties include · Development and maintenance of source code for our customers IAM deployments · Have a good understanding of testing frameworks and methodologies and are able to test solutions within you own work and others · Ability to create clean code according to good coding standards · Create easy to follow documentation You don' need to have experience within the Identity Access Management space but it would be beneficial we are looking for people with · Java experienced ideally Java 11 · preferably experience in some of the following: Maven, Gradle, PHP, Lua scripting, C#, Spring Boot/Spring, OGNL, or Groovy · experience of working with one or more of: creating/consuming REST APIs LDAP SQL encryption Identity Protocols (SAML, OAuth, OIDC, SCIM etc) · good knowledge of development methodologies with regards to the end user experience For more details please send your CV and we will come back to you