
IBM says embedded device security is almost nonexistent

February 11, 2016

IBM isn't mincing its words when it says that the overall security on embedded devices is a real joke.

An IBM-led penetration testing team thoroughly compromised an enterprise building management network in a free assessment designed to publicize the almost nonexistent state of embedded device security, especially where the internet of things (IoT) is concerned.

The X-Force team consisted of IBM's Paul Ionescu, Jonathan Fitz-Gerald, John Zuccato and Warren Moynihan, along with Akamai engineer Brennan Brazeau.

The team conducted the tests on an unnamed business with multiple offices spread over a few countries.

The team compromised several buildings through the internet-facing building automation system, which consisted of a controller, sensors and several thermostats.

"We could take control of the individual building system, but also gain access to a central server which could extend control to several other geographically dispersed buildings," the team wrote in a report.

The testers say that in the company's first building they found various administration ports exposed to the internet, giving them access to a D-Link router's management panel, which had been enabled for remote monitoring, and to an environmental reporting web server used by the building controller.

The team says that "By adding an extra carriage return after the page request, it was possible to totally bypass the router’s password authentication."
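The report does not reproduce the router's code, so the following is an added, constructed model of how a stray carriage return can defeat an authentication check: the access check and the page lookup each parse the request line on their own, the two parses disagree, and the protected page is served without a login. It is not the D-Link firmware's actual code; the page names and the hardened handler are assumptions for illustration. The hardened version parses and canonicalises once, rejects malformed request lines, and uses the same path for both decisions, which also closes the percent-encoding and dot-segment variants of the same mistake.

```python
"""Constructed model of the request-line authentication bypass described above.

Added illustration, not the D-Link firmware's actual code (the report does not
reproduce it). Shows the general failure pattern: the access check and the
page lookup parse the request line independently, so a stray carriage return
makes the path miss the protected-page list while the lookup still resolves it.
"""
import posixpath
from urllib.parse import unquote

# Constructed site: two pages require a login, one does not.
PROTECTED = {"/admin.html", "/config.cgi"}
PAGES = {
    "/index.html": "public page",
    "/admin.html": "ADMIN PANEL",
    "/config.cgi": "CONFIG",
}


def request_line(raw: bytes) -> str:
    """Return the first line of a raw HTTP request, up to (not including) the first LF."""
    return raw.split(b"\n", 1)[0].decode("latin-1")


def vulnerable_handle(raw: bytes, authenticated: bool) -> str:
    """Two inconsistent parses of the same request line.

    The access check compares the raw token after the method against PROTECTED,
    so "/admin.html\\r" does not match and no login is demanded. The lookup then
    calls strip(), which discards the CR and serves the protected page anyway.
    """
    parts = request_line(raw).split(" ")
    path = parts[1] if len(parts) > 1 else "/"
    if path in PROTECTED and not authenticated:
        return "401 Unauthorized"
    page = PAGES.get(path.strip())
    return "200 " + page if page is not None else "404 Not Found"


def _has_control_chars(s: str) -> bool:
    return any(ord(c) <= 0x20 or ord(c) == 0x7F for c in s)


def hardened_handle(raw: bytes, authenticated: bool) -> str:
    """Parse once, reject anything that is not a clean request line, and make
    both the access decision and the lookup on one canonical path."""
    line = request_line(raw)
    # A well-formed request line reads "METHOD SP target SP HTTP/x.y CR" at this point.
    if not line.endswith("\r") or line.count("\r") != 1:
        return "400 Bad Request"
    parts = line[:-1].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "400 Bad Request"
    target = parts[1]
    if not target.startswith("/") or _has_control_chars(target):
        return "400 Bad Request"
    # Canonicalise (percent-decoding, dot segments) before any check, so that
    # "/%61dmin.html" and "/x/../admin.html" are judged as "/admin.html".
    path = posixpath.normpath(unquote(target))
    if not path.startswith("/") or _has_control_chars(path):
        return "400 Bad Request"
    if path in PROTECTED and not authenticated:
        return "401 Unauthorized"
    page = PAGES.get(path)
    return "200 " + page if page is not None else "404 Not Found"
```

The check worth taking away is the structural one: whenever a request is normalised somewhere in the pipeline, the authorisation decision must be made on the normalised value, never on an earlier, rawer form of it.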

They also found several command injection vulnerabilities in the router, along with a list of commands in the firmware source code.

They then discovered a cleartext password in the router's /var directory that not only granted further access to the router but, thanks to password reuse, also allowed them to compromise the building automation controller.

"Had the router password been encrypted or if a different password had been used, it would have been much harder to access the building automation controller," the team asserted.

The building automation system's central server used a different password, so the team turned to Google and learned that the embedded device software exposed diagnostic pages that allowed command execution.

Some manipulation of the URL led to remote code execution, and a configuration file on the device gave up the weakly encrypted admin credentials.

"To prevent such an attack, keys should be dynamically generated based on device characteristics, meaning attackers would need complete access to the system to be able to decrypt the password," the team wrote in their report.
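To make the team's point concrete, here is an added, constructed comparison of the two key-management approaches; it is not the vendor's scheme, which the report does not describe. A configuration file encrypted under a key compiled into the firmware is readable by anyone who has the firmware image plus the file, from any unit. A key derived per device is only recoverable by someone holding that device's material. The cipher is a toy HMAC-SHA256 keystream so the example runs on the standard library alone; the key names, identifiers and passwords are assumptions.

```python
"""Added illustration of the key-management point the X-Force team makes above.

Constructed example, not the vendor's scheme (the report does not describe it).
The toy cipher below is an HMAC-SHA256 counter-mode keystream chosen only to
avoid third-party dependencies; a real design would use an authenticated
cipher such as AES-GCM.
"""
import hashlib
import hmac

# Constructed: a key compiled into the firmware and therefore identical on every unit.
FIRMWARE_STATIC_KEY = b"vendor-static-config-key-2016!!!"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with an HMAC-SHA256 counter-mode keystream.
    Encryption and decryption are the same operation. No integrity protection."""
    out = bytearray()
    for block_no, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def device_key(serial: bytes, mac: bytes, per_unit_secret: bytes) -> bytes:
    """Key bound to one device.

    Serial number and MAC address are the "device characteristics"; on their own
    they are printed on labels and visible on the LAN, so here they only salt the
    derivation. The binding comes from per_unit_secret, which stands for a value
    provisioned at manufacture into OTP/eFuse or a secure element and never
    written to the flash an attacker can dump.
    """
    return hkdf_sha256(per_unit_secret, salt=serial + mac, info=b"config-credential-key-v1")


def demo() -> dict:
    """Compare the two deployments on constructed data and return checkable facts."""
    admin_pw = b"Bas-Admin-Pw-2016"
    nonce = bytes.fromhex("000102030405060708090a0b")  # constructed, fixed for repeatability

    # 1. Static key: a config file from any unit decrypts with the key pulled from firmware.
    ct_static = keystream_xor(FIRMWARE_STATIC_KEY, nonce, admin_pw)
    key_from_firmware_image = FIRMWARE_STATIC_KEY  # what the attacker extracts offline
    recovered = keystream_xor(key_from_firmware_image, nonce, ct_static)

    # 2. Device-bound keys on two units with different identifiers and secrets.
    key_a = device_key(b"SN-A-00001", bytes.fromhex("001a2b3c4d5e"), bytes.fromhex("11" * 32))
    key_b = device_key(b"SN-B-00002", bytes.fromhex("001a2b3c4d5f"), bytes.fromhex("22" * 32))
    ct_a = keystream_xor(key_a, nonce, admin_pw)

    return {
        "static_key_recovers_password": recovered == admin_pw,
        "device_keys_differ": key_a != key_b,
        "right_device_decrypts": keystream_xor(key_a, nonce, ct_a) == admin_pw,
        "other_device_fails": keystream_xor(key_b, nonce, ct_a) != admin_pw,
    }
```

The caveat a practitioner would add to the team's recommendation: identifiers such as serial numbers and MAC addresses are cheap to learn, so a key derived from them alone is obfuscation, not protection. The derivation only buys what the quote promises once it includes a secret the attacker cannot read without physical access to that particular unit.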

For its part, the building automation system vendor's position is that the service should never be exposed to the internet, and on that basis it did not patch the device.

For the final step, the team had to drive to the company's parking lot to get around the IP address whitelist the administrator had configured on the building automation system server.

The D-Link router was on that whitelist, so the team used the previously stolen credentials to log in to its wireless network and reach the server from a permitted address.

System administrators should always ensure that IoT devices are fully patched, that access is restricted to whitelisted IP addresses, that firewalls are in place, that unnecessary remote access is disabled, and that passwords are unique to each device (it was the password shared between the router and the building controller that let this attack progress) and replaced at least once a month.

Source: IBM X-Force Security Team.

Copyright © Internet Security.ca