Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots. Blog

Sabotaging Common IoT Devices in Smart Buildings by Exploiting Unencrypted Protocols

Daniel dos Santos, Head of Security Research at Vedere Labs | July 30, 2019

The Internet of Things (IoT) revolution presents a multitude of new cybersecurity challenges stemming from the rapid increase in the number of devices in most organizations’ networks. These devices are mostly unmanaged, come from a multitude of vendors, use non-standard operating systems, support a diversity of, often unencrypted, protocols, and may dynamically connect to other devices inside or outside the organization’s network.

Smart buildings perfectly exemplify a scenario where IT and OT are converging and where IoT devices are proliferating. Devices in a smart building communicate with each other to share environmental status, such as temperature or the presence of people, or to exchange commands, such as switch lights on or off. With the advent of the IoT, sensors, actuators, controllers and many other devices like smart lighting and surveillance cameras have become much cheaper and far easier to install. In addition, they now offer remote management via wired or wireless connections.

However, these IoT devices often lack security features, which means that vulnerabilities are discovered with increasing frequency. Additionally, bad security practices such as default or simple credentials, unencrypted traffic and lack of network segmentation remain common. As the scale and diversity of IoT devices grow, cybersecurity becomes an important focal point for any organization.

Take modern surveillance cameras as an example. Out of the box they come with weak protocols such as Telnet, FTP or SSDP enabled by default. They often use the unencrypted real-time transport (RTP) and real-time streaming protocol (RTSP) to stream video and are typically installed, configured and deployed by personnel that has little or no knowledge of cybersecurity. While this was an acceptable risk only a few years ago, today it could easily become a critical business risk. This is because, as described in our previous research on smart building security, IT and OT are converging, so devices like surveillance cameras can now be used as an entry point to reach more critical assets like a device controlling physical access to a restricted area.

To better understand the level of risk that IoT devices might introduce, the Forescout Research Team has investigated how surveillance cameras, smart lights, and other IoT devices could be attacked by cybercriminals and how to mitigate those attacks with a cybersecurity strategy based on device visibility and control. The research was carried out by analyzing devices from vendors commonly used in enterprise settings. The full report details all the attacks we performed in our lab (spoiler alert: we leverage the insecure HTTP protocol to manipulate Philips Hue smart lights and we show how MQTT – one of the most popular protocols for IoT communications– can be used to disrupt the IoT system itself).

This blog post focuses on exploiting the common practice of using unencrypted protocols for video streaming, and replacing a camera’s real-time footage with pre-recorded content. When unencrypted protocols are exploited in cyber-physical systems, its not just information being exchanged but also inputs from and outputs to the physical world, which is the case for most IoT devices.

Sabotaging an IoT Device: Footage Replay on IP Cameras

The main goal of this simulated attack was to demonstrate how easy it is to exploit unencrypted video streaming protocols to prevent a security operator from seeing the actual footage of a surveillance camera.

Like a scene from a heist movie, we replaced the actual video stream with one previously recorded, to simulate what could happen in critical facilities like airports and hospitals, where compromising the video surveillance system may be the first step of a physical intrusion.

The attack was successfully carried out in just four steps (a video with the demo of the attack is available here:)

  1. Perform a man-in-the-middle attack on the network, using ARP poisoning, to be able to sniff and change passing traffic.
  2. Capture the network traffic containing camera footage and record it for replay.
  3. Force the camera to end its current session with its associated network video recorder (NVR) by replacing a GET_PARAMETER request, which is normally used as a heartbeat to keep the connection alive, with a TEARDOWN request, which is used to terminate the session.
  4. The next time the NVR requests a new session to the camera, capture this request and modify the specified client port. This makes the camera send its video to the port specified by the attacker. Since the NVR will not receive any video, it will try to set up a new connection again, so the attacker can send the footage recorded in Step 2 to the NVR.

To reduce the risk of an attack like this, there are alternatives to securing RTP/RTSP sessions, such as using SRTP or RTP over transport layer security (TLS). Unfortunately, these secure alternatives are not always available in IoT devices, are almost never configured by default, and are many times not enabled by the end users, who generally do not have all the knowledge required to secure RTP sessions in the first place. In a similar situation, there are secure alternatives to HTTP, FTP, and Telnet, although these protocols are still widely used in IoT devices.

A quick Shodan query from July 18, 2019 revealed 4,657,284 devices with cleartext RTSP exposed on the Internet, mostly from China (572,740), followed by the United States (411,850) and Brazil (391,122).

As mentioned above, the other attacks described in the report affect the Philips Hue smart lighting system and the MQTT protocol. A Shodan query for Philips Hues shows 9,300 exposed systems, with 3,408 in the United States, 730 in Canada, and 727 in Germany. Out of those, 5,804 (62%) are using the insecure protocol HTTP. As for MQTT, we can find on Shodan 76,768 exposed devices, with 19,368 in China, 13,515 in the United States, and 4,798 in Germany.

Evolving Cybersecurity Strategy for the Age of IoT

This simulated cyberattack is just one example of a potential cyber incident that may go unnoticed in the sea of IoT devices and network traffic in an organization.

The security challenges presented by these devices are forcing organizations to rethink their cybersecurity strategies. Legacy security solutions are not enough to secure today’s networks because either they are unsupported by embedded devices or they are incapable of understanding the network traffic generated by these devices.

In the age of IoT, new solutions are required. Security teams must have complete visibility and enhanced control over all the assets in their network. Given the volume and diversity of devices, visibility should be fully automated. Given the range of applicable security solutions, like device compliance, network segmentation, and incident response, control must be efficiently orchestrated. One possible solution for increasing visibility, control, and orchestration is to adopt an advanced network monitoring tool that raises immediate alerts when new devices appear on the network, anomalous communications are detected or dangerous operations are performed over the network.

To learn more about our research into how IoT devices can be leveraged as an entry point to a building’s network, where legacy OT assets, IT systems and IoT devices all intersect, download the full report.