IoT Flaws Reveal Need to Work with Researchers

Two new vulnerabilities within IoT devices could have given cyber-criminals direct access to the personal data and home networks of consumers, according to McAfee Labs.

At the Mobile World Congress (MWC) in Barcelona, Spain, McAfee’s advanced threat research team revealed new vulnerabilities in both BoxLock and Mr. Coffee coffee makers, demonstrating the need for consumers to be aware of the cyber risks inherent in the connected devices they bring into their lives.

BoxLock, a smart padlock designed to protect deliveries, reportedly had a vulnerability that enabled hackers to remotely unlock the device. Researchers revealed that they were able to open BoxLock using the built-in barcode scanner using Bluetooth Low Energy (BLE), a wireless technology used in many IoT and smart devices.

“I was amazed; the phone that I used to send the GATT command over had never connected to the BoxLock before and did not have the BoxLock application installed, yet it was able to unlock the BoxLock,” wrote Sam Quinn, security researcher, McAfee.

Researchers applauded the response they received from BoxLock. “Vulnerability disclosure can be a challenging issue for any company to deal with, but BoxLock was incredibly responsive, easy to work with and immediately recognized the value that McAfee ATR had provided.”

The second vulnerability revealed at MWC was within the Mr. Coffee coffee makers, which reportedly gave hackers a backdoor to access home networks. Researchers said that in the coffee makers with WeMo, they were able to make changes to the brewing schedule. The researchers were even able to write their own commands through a hole in the firmware, which was reportedly the result of coding issues.

“I had the ability to upload any template of my choice and have it pass all the WeMo’s verification steps necessary to be used by a scheduled rule. I appended a new template called 'hack' and added a block of code within the template to download and execute a shell script,” wrote Quinn.

“Now, I sat back and waited as the coffee maker (at my specified time delay) connected to my computer, downloaded my shell script and ran it. I verified that I had a reverse shell and that it ran as intended, perfectly. This vulnerability does require network access to the same network the coffee maker is on. Depending on the complexity of the user’s password, WiFi cracking can be a relatively simple task to accomplish with today’s computing power.”

Both vulnerabilities demonstrate that not all exploits are overly complicated or require an exceptional amount of effort to pull off. As a result, vendors and researchers need to be able to work together to mitigate the risks to consumers.

“Cyber-criminals are relentless, and as long as we continue to connect devices to the internet, they will continue to search for ways to exploit them,” said Raj Samani, McAfee fellow and chief scientist in a press release.

“Vulnerability disclosures can be frightening for both the consumers using connected devices and the organizations that create them; however, the process is an essential component of creating a safer future. Cybersecurity researchers, businesses and consumers working together to expose and eliminate these vulnerabilities keeps us all a step ahead of the bad guys.”

What’s hot on Infosecurity Magazine?