Week after week we’ve documented how internet of things devices are being built with both privacy and security as a distant afterthought, resulting in everything from your television to your refrigerator creating both new attack vectors and wonderful new surveillance opportunities for hackers and state actors. And CIA leaks have indeed confirmed that “smart” TVs and other devices with embedded microphones make for wonderful surveillance tools.
So it’s not too surprising to see Microsoft’s Security Response Center proclaim this week that it has caught Russian hacking group “Strontium” (aka Fancy Bear and APT28) using poorly secured printers, VoIP phones, and video decoders to gain access to sensitive networks. As is usually the case, Microsoft found that once these devices’ security was bypassed (often an easy feat given there’s sometimes little to no security measures in place), they were able to use them as a beach head to gain broader access to the networks they were connected to:
“After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.”
In at least two instances, the hacks were only made possible thanks to hardware shipping with default username and password logins, something that has frequently plagued residential routers as well. Just as unsurprising as the hack was Microsoft’s warning that this is a problem that’s only going to get worse, regardless of the government or organization pulling the strings:
“While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives,” the report noted. “These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments.”
As security researchers like Bruce Schneier have long noted, there’s some severe market failure driving this dysfunction. Companies don’t want to spend money on security and privacy standards as they connect everything under the sun to the internet, and by the time vulnerabilities are discovered, they’re off to selling the next big thing. Because the devices often don’t provide insight into what they’re doing, consumers routinely have no idea what the device is even doing on the network. And by the time vulnerabilities are addressed, consumers are off to buy the next big thing (with equally terrible security holes).
Year after year after year, we’re connecting millions upon millions of devices to home and business networks with paper-mache grade security. And while there’s some fleeting efforts to address the problem (like incorporating flaws into product reviews), it’s still not something folks are taking seriously enough. And while such proclamations are often dismissed as hyperbole, it’s something folks like Schneier predict isn’t likely to change until these vulnerabilities result in some notable human casualties.