Tag Archives: Internet of Things

Blog Post Shout-Out March 2020

With ransomware attacks continuing to be prevalent, having an unaffected backup means you won’t need to pay the ransom. However, how you back up your data (how many copies do you create?), the software you use and how it is configured can all make a difference.

Recommendations for how to create your corporate backups and how to better secure them are provided in the following article (which also includes details gathered from ransomware operators).

Ransomware Attackers Use Your Cloud Backups Against You by Lawrence Abrams (Bleeping Computer)

In previous posts I have provided recommendations for better securing Internet of Things (IoT) devices. To re-emphasise the basic steps, I also wish to give a respectful shout-out to the following article highlighting the publication of guidance from the UK National Cyber Security Centre (NCSC):

UK NCSC Releases Tips on Securing Smart Security Cameras by Sergiu Gatlan (Bleeping Computer)

Full disclosure: I am not affiliated with or sponsored by Bleeping Computer in any way. I simply wish to more widely highlight good advice on topical security issues.

Thank you.

Vulnerability Within Philips Hue IoT Devices Disclosed

If you use Philips Hue lightbulbs and/or the Philips Hue Bridge, please make certain they are using the most recent firmware available.

While the technological benefits and added convenience of Internet of Things (IoT) (defined) devices are well known, their increasing functionality/complexity is leading security researchers to target them. A recent example is the high severity vulnerability reported to Signify (owner of the Philips brand) within the Philips Hue bulbs and bridge. The vulnerability has been designated CVE-2020-6007 (defined).

How severe is this vulnerability?
While this vulnerability is of high severity, it requires significant user interaction and also requires that the affected Philips Hue lightbulb already be compromised by an attacker who has installed malicious firmware on it. The Philips Hue app on the victim’s smartphone is used to control the bulbs; the attacker could then convince the victim to remove and re-add the bulb to the app.

What is the result of exploiting this vulnerability?
While the compromised bulb is being added or “commissioned”, the compromised firmware of the bulb is used to exploit the Philips Hue Bridge. Once complete, the attacker can then laterally traverse (defined) the victim’s business or home network by exploiting known vulnerabilities of other devices on the network, e.g. the Microsoft Windows EternalBlue vulnerability on a Windows system.

How can I protect my organisation or myself from this vulnerability?
If you use Philips Hue lighting with the Hue Bridge, please update both the lighting and the bridge to the most recent firmware available. Firmware version 1935144040 (Bridge V2) and software version 1.65.9_hB3217DF4 for the lights, and later, address this vulnerability. Please also strongly consider placing IoT devices such as these on segmented networks, e.g. guest wireless networks for WiFi devices and VLANs (defined) for wired devices.

In this instance, the Hue Bridge could be placed on a VLAN to increase security (namely, if the device is exploited it cannot be used to traverse further into your network). However, this increased security may result in reduced functionality if not implemented correctly.

Thank you.


The Dark Side of Smart Lighting: Check Point Research Shows How Business and Home Networks Can Be Hacked from a Lightbulb

What are IoT devices?

What is EternalBlue?

What is lateral movement (pivoting)?

What is a VLAN?

How to isolate a VLAN containing IoT devices

Philips Hue Firmware Release Notes

Potential Privacy and Security Issues of Virtual Assistants Highlighted Again

In late October, security researchers published details of proof-of-concept exploits affecting smart home devices, e.g. Amazon Echo devices (known as Amazon Alexa) and Google Home. These techniques allow eavesdropping on conversations and obtaining passwords from users.

Why should these proofs of concept be considered significant?
The proof-of-concept apps used by the researchers passed both Amazon’s and Google’s app validation processes and were briefly available to the public. Further modifications to the apps did not require validation by either vendor.

The researchers demonstrated how their app can mislead a user into believing the smart device is no longer listening (and recording) when in fact it is.

Amazon Echo
For an Amazon Echo, the device was made to keep listening by changing the de-activation intent (a phrase that can contain values (words) used to carry out custom actions) so that the de-activation routine no longer stops the device from recording you. This was done in a way that the owner of the Amazon Echo would not notice anything was wrong, since they still hear the device speak its “Goodbye” message. It was achieved by adding a Unicode (defined) character sequence (U+D801, dot, space) to the end of the intent’s output. Since these characters cannot be pronounced (and heard) by the device, the speaker falls silent while the app remains active, allowing it to eavesdrop on a conversation. By adding more of these characters, the listening time can easily be extended.

Eavesdropping using the Amazon Echo is demonstrated in the following video from the SRLabs researchers:


Phishing a Password
To phish a password, the researchers replaced some of the unpronounceable characters with an audible message asking the user for their password: it first tells them a security update for the app is available and then asks them to supply their password to install the update. The researchers demonstrated the ability to convert the spoken sentence into text and send it to their proof-of-concept server. This is demonstrated in the following video:


Google Home
To perform the same actions with Google Home, the researchers put the user into a loop and were able to capture recognised speech as text without alerting the user of the Google Home to this being carried out. This time the researchers used multiple “noInputPrompts” with SSML elements, or the Unicode characters again, to capture whatever is being spoken.

This is demonstrated in the following video:


Phishing a Password
This was carried out using the same technique as for the Amazon Echo above. This is demonstrated in the following video:


How can I protect my smart speaker / virtual assistant from these vulnerabilities?
Unfortunately, as the purchaser of these devices there is no action you can carry out to prevent these techniques being used against you. Instead the responsibility lies with Amazon and Google. They need to improve their app validation processes, as per the researchers’ findings:

“To prevent ‘Smart Spies’ attacks, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores. The voice app review needs to check explicitly for copies of built-in intents. Unpronounceable characters like “U+D801, dot, space. “ and silent SSML messages should be removed to prevent arbitrary long pauses in the speakers’ output. Suspicious output texts including “password“ deserve particular attention or should be disallowed completely.”

My thanks to the SRLabs researchers who explain what needs to be done by the vendors to remediate these issues.
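As an added example (not SRLabs’ code, nor Amazon’s or Google’s review tooling), the following Python turns the review rules quoted above into an offline check that a voice-app store reviewer could run over a skill’s output text and its custom-intent sample utterances. The built-in intent list, the 3-second pause limit and the sample strings are constructed assumptions.

```python
import re
import unicodedata

# Constructed sample of built-in intent utterances that a custom intent must not
# duplicate (illustrative only; not Amazon's or Google's real built-in list).
BUILTIN_UTTERANCES = {"stop", "cancel", "goodbye", "exit"}

# Silent SSML pauses such as <break time="10s"/> (the SSML <break> element).
BREAK_RE = re.compile(r'<break\s+time="(\d+)(ms|s)"\s*/?>', re.IGNORECASE)


def unpronounceable_chars(text):
    """Return (index, code point) pairs for characters text-to-speech cannot
    voice: lone surrogates (the U+D801 trick), control, format, private-use and
    unassigned code points. Ordinary whitespace (tab, newline) is allowed."""
    bad = []
    for i, ch in enumerate(text):
        if unicodedata.category(ch) in ("Cs", "Cc", "Cf", "Co", "Cn") and not ch.isspace():
            bad.append((i, ord(ch)))
    return bad


def silent_pause_ms(text):
    """Total silence requested through SSML <break> elements, in milliseconds."""
    total = 0
    for amount, unit in BREAK_RE.findall(text):
        total += int(amount) * (1000 if unit.lower() == "s" else 1)
    return total


def review_output_text(text, max_pause_ms=3000):
    """Apply the quoted review rules to one piece of skill/action output text.
    Returns human-readable findings; an empty list means the text passed."""
    findings = []
    bad = unpronounceable_chars(text)
    if bad:
        codes = ", ".join(f"U+{cp:04X}@{i}" for i, cp in bad[:5])
        findings.append(f"unpronounceable characters: {codes} ({len(bad)} total)")
    pause = silent_pause_ms(text)
    if pause > max_pause_ms:
        findings.append(f"silent SSML pauses total {pause} ms (limit {max_pause_ms} ms)")
    if re.search(r"\bpassword\b", text, re.IGNORECASE):
        findings.append("output text asks for or mentions a password")
    return findings


def review_intent_samples(samples):
    """Flag custom-intent sample utterances that copy a built-in intent, e.g. a
    custom 'stop' that would shadow the real de-activation intent."""
    return [s for s in samples if s.strip().lower() in BUILTIN_UTTERANCES]


if __name__ == "__main__":
    # Constructed texts modelled on the behaviours described in the post.
    eavesdrop = "Goodbye" + "\ud801. " * 40  # audible goodbye, then silent tail
    phish = ("A security update is available. "
             "Please say your password to install the update.")
    for label, text in (("eavesdrop", eavesdrop), ("phish", phish), ("benign", "Goodbye!")):
        print(label, review_output_text(text) or "OK")
    print("shadowed intents:", review_intent_samples(["stop", "what is the weather"]))
```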

The well-known security researcher Karsten Nohl provides his informed opinion on this issue and how we should treat our usage of these devices.

Proof of concept attacks using laser beams
Smart speakers use specific microphones known as micro-electro-mechanical systems (MEMS) microphones to convert the voices they hear into electrical signals they can understand and process. Such microphones, however, also respond to light shone on them, as proven by academic researchers who used lasers to have the devices call out the time, order a laser pointer online, set the device’s volume to zero and open a garage door (or potentially the front door of a house).

What are the limitations of this technique?
The aiming of the laser can be imprecise, which limits its range and may also inadvertently hit other smart speaker devices. The researchers used a telescope, a telephoto lens and a tripod to focus the beam and to provide accurate timing.

Further limitations are detailed in this BleepingComputer article. My thanks to them for this detail and for the descriptions of this technique.

They also detail methods by which the owner of the smart speaker could be alerted to this technique being used to exploit it: “the victim may be alerted by the visibility of the light beam, unless infrared is used – but additional gear is necessary in this case, and the audio response from the target device confirm execution of the command”.

Both Amazon and Google provided statements that they are analysing the results of this research and are working with the researchers to improve security.

Thank you.

Security of Selected IoT Devices Tested

The current level of security present in Internet of Things (IoT) (defined) devices continues to be low; it needs to mature, with more consideration given to security and best practices.

A recent study carried out by researchers from Brazil’s Federal University of Pernambuco and the University of Michigan found that 31% of the apps (equating to 37 out of 96 devices tested) used to control the IoT devices used no encryption, while a further 19% used hard-coded encryption keys (which can’t be changed). An attacker may be able to reverse engineer these.

The researchers then developed proof-of-concept attacks against five devices, which are controlled by four apps:

Belkin’s WeMo for IoT
Broadlink’s e-Control app
TP-Link’s Kasa app
LIFX app used with that company’s Wi-Fi enabled light bulbs

Of these, three used no encryption, while three apps communicated via broadcast messages that can give an attacker a means of monitoring the nature/contents of the app-to-device communication. The researchers elaborated: “A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network”.

The TP-Link Smart Plug, which has been reviewed more than 10k times on Amazon, shares an encryption key across a given product line, while the initial set-up is performed using the app without strict authentication.

How to secure your IoT devices:
The researchers pointed out that Google’s Nest thermostat app was a better example of how security should be done. Its configuration can be carried out over TLS to the cloud or via Wi-Fi with WPA. This app also offers two-factor authentication (defined) (albeit only via SMS messages, which are themselves not best practice).

However, the Nest and any IoT device rely on you to practise good security, e.g. not re-using passwords and researching how best to secure that device. The story linked to is an example of what can happen if you don’t:

Further tips on securing IoT devices are provided in the links below, with an additional tip, “Track and assess devices”, from CSO Online. Devices such as Amazon Echo, Apple HomePod and Google Home require even more steps (final link below):

7 tips for securing the Internet of Things by Chester Wisniewski (Sophos Security)

8 tips to secure those IoT devices by Michelle Drolet (CSO Online)

Securing the Internet of Things (US-CERT)

9 things to check after installing wireless access points by Eric Geier (Computerworld)

Securing Your Smart TV

Increasing the privacy and security of virtual assistants

Thank you.

DNS Flag Day Aims to Make DDoS Attacks Harder

Since the 1st of February, multiple major DNS (defined) resolvers have removed resolver workarounds. The resolvers involved in the initiative include ISC, Cloudflare, Facebook, Cisco and Google (among others).

The workarounds were removed so that DNS queries not compliant with the official Requests for Comments (RFCs) 1035 and 2671 are no longer completed (resolved). In more depth, the DNS Flag Day page explains that these workarounds are being removed because:

The current DNS is unnecessarily slow and inefficient because of efforts to accommodate a few DNS systems that are not in compliance with DNS standards established two decades ago.

To ensure further sustainability of the system it is time to end these accommodations and remediate the non-compliant systems. This change will make most DNS operations slightly more efficient, and also allow operators to deploy new functionality, including new mechanisms to protect against DDoS attacks.

It appears that DNS amplification and DNS flood attacks are the threats these changes attempt to mitigate. A full list of the types of DDoS (defined) attacks is available from the following Cloudflare page (at the end of that page):

It will be interesting to see the effect of these changes on the DNS infrastructure when it is again targeted by botnets (defined) (e.g. made up of Internet of Things (IoT) (defined) devices, compromised systems, or built by other means). Such botnets can make use of a command and control (C2) (defined) infrastructure.

Thank you.

VPNFilter: Overview and removal

Update: 24th October 2018:
Researchers from Cisco’s Talos team have discovered further capabilities of this malware. As detailed below, the 3rd stage of the malware:

Provides plugins for the RAT (defined below in the original post) to extend its functionality.

However, the team was able to determine the following extra capabilities:

  1. Packet sniffing (obtain information from passing data packets (defined) on a network connection)
  2. JavaScript (defined) injection used to deliver an exploit (a small piece of software used to trigger a known vulnerability to the advantage of an attacker) to a compromised device (most likely a router).
  3. Encrypted tunnelling (defined) to hide data the malware steals as well as the existing command and control data traffic.
  4. Creating network maps (defined)
  5. Remote connection/administration via SSH (Secure Shell)(defined)
  6. Port forwarding (defined)
  7. Creating SOCKS5 (defined) proxies (defined)
  8. DDoS (defined)

The good news about this malware is that, from the Talos team’s research, it does not appear that any malware samples remain active. However, they caution that it is not possible to assume this malware has finished its malicious actions, and the possibility of its return remains.

Thank you.

Update: 20th June 2018:
If you would prefer a video or a podcast of how to remove this malware from your router, this Sophos blog post provides links to both. The video is hosted on Facebook but a Facebook account isn’t required to view it. Sophos also provide an archive of previous videos on the same Facebook page.

Thank you.

Update: 6th June 2018:
The Cisco Talos team have provided an updated list of known affected routers. I have added these to the list below with “(new)” indicating a new device on the existing list. I have also updated the malware removal advice to provide easier to follow steps.

Thank you.

Original Post:
In late May, a strain of malware known as VPNFilter affecting routers from the vendors listed below was publicly disclosed by the Cisco Talos team:

Affected devices (by vendor):
Asus RT-AC66U (new)
Asus RT-N10 (new)
Asus RT-N10E (new)
Asus RT-N10U (new)
Asus RT-N56U (new)
Asus RT-N66U (new)
D-Link DES-1210-08P (new)
D-Link DIR-300 (new)
D-Link DIR-300A (new)
D-Link DSR-250N (new)
D-Link DSR-500N (new)
D-Link DSR-1000 (new)
D-Link DSR-1000N (new)
Huawei HG8245 (new)
Linksys E1200
Linksys E2500
Linksys E3000 (new)
Linksys E3200 (new)
Linksys E4200 (new)
Linksys RV082 (new)
Linksys WRVS4400N
Mikrotik CCR1009 (new)
Mikrotik Cloud Core Router (CCR) CCR1016
Mikrotik CCR1036
Mikrotik CCR1072
Mikrotik CRS109 (new)
Mikrotik CRS112 (new)
Mikrotik CRS125 (new)
Mikrotik RB411 (new)
Mikrotik RB450 (new)
Mikrotik RB750 (new)
Mikrotik RB911 (new)
Mikrotik RB921 (new)
Mikrotik RB941 (new)
Mikrotik RB951 (new)
Mikrotik RB952 (new)
Mikrotik RB960 (new)
Mikrotik RB962 (new)
Mikrotik RB1100 (new)
Mikrotik RB1200 (new)
Mikrotik RB2011 (new)
Mikrotik RB3011 (new)
Mikrotik RB Groove (new)
Mikrotik RB Omnitik (new)
Mikrotik STX5 (new)
Netgear DG834 (new)
Netgear DGN1000 (new)
Netgear DGN2200
Netgear DGN3500 (new)
Netgear FVS318N (new)
Netgear MBRN3000 (new)
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
Netgear WNR2200 (new)
Netgear WNR4000 (new)
Netgear WNDR3700 (new)
Netgear WNDR4000 (new)
Netgear WNDR4300 (new)
Netgear WNDR4300-TN (new)
Netgear UTM50 (new)
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
TP-Link TL-WR741ND (new)
TP-Link TL-WR841N (new)
Ubiquiti NSM2 (new)
Ubiquiti PBE M5 (new)
UPVEL Unknown Models* (new)
ZTE ZXHN H108N (new)

Why should this malware be considered important?
The authors of this malware (thought to be a group funded by a nation state) are using it to hijack vulnerable routers (500,000 are known to have been compromised across 54 countries) for possible use in cyberattacks against Ukraine. Indeed, the malware more recently began seeking out Ukrainian routers specifically. The Ukrainian Secret Service issued a security alert on this on the 23rd of May.

The malware does so by utilising previously publicly disclosed (defined) vulnerabilities to gain access to and persistence (namely, remaining present after the router is powered off and back on) within these routers. Last week the FBI took control of this botnet and are now working to clean up the affected devices.

The malware is very sophisticated and can persist within a router even if the router is powered off and back on (becoming the second malware to have this ability, the first being the Hide and Seek botnet). The malware is made up of 3 stages:

Stage 1: Responsible for the persistence (mentioned above).
Stage 2: Provides the capabilities of a remote access Trojan (RAT) (defined).
Stage 3: Provides plugins for the RAT to extend its functionality.

The malware also has the capability to do the following:

  1. Wipe the firmware (see the Aside below for a definition) of routers, rendering them useless.
  2. Inspect the data traffic passing through the router (with the possible intention of obtaining credentials passing over the wire to gain access to sensitive networks).
  3. Attempt to locate ICS/SCADA devices (defined) on the same network as the router by seeking out port 502 traffic, namely the Modbus protocol (defined), with the option of deploying further malware.
  4. Communicate via the Tor network (definition in the Aside below).

How can I protect my devices from this malware?
The FBI are asking anyone who suspects their internet router is infected to first reboot it (turn the router off and on). This will cause an infected device to check in with the command and control (C&C, C2) (defined) server, now under FBI control, giving them a better overview of the number of infected devices.

To completely remove the malware, reset the device to factory defaults (this won’t harm a non-infected device either, but please ensure you have the necessary settings to hand to re-enter them into the router; your internet service provider (ISP) will be able to help with this). This will remove stage 1 of the malware (stages 2 and 3 are removed by turning the router off and on).

To prevent re-infection: the Cisco Talos team’s recommendations are available from this link. Moreover, US-CERT provide recommendations here and here. Symantec’s recommendations are provided here (especially for Mikrotik and QNAP devices).

Further advisories from router manufacturers are as follows (their advice should supersede any other advice for your router model since they know their own devices the best):


Further recommendations from Sophos are:

  • Check with your vendor or ISP to find out how to get your router to do a firmware update.
  • Turn off remote administration unless you really need it.
  • Choose strong password(s) for your router.
  • Use HTTPS websites where you can.

A very useful and easy to follow step-by-step walkthrough of removing this malware by BleepingComputer is available from this link, with useful guidance for multiple router models.

Thank you.

New VPNFilter malware targets at least 500K networking devices worldwide : Cisco Talos team

What is firmware?
Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.

What is The Onion Router (Tor)?
The Onion Router (Tor) is an open source (defined) project with the goal of protecting your privacy by passing your web browsing activity through a series of anonymous relays spread across the internet. These relays act like proxy servers which encrypt and randomly pass the traffic they receive from relay to relay.

This web of proxies is sometimes referred to as the Dark web (a portion of the internet only accessible using the Tor network). This makes tracing the source of the traffic almost impossible.

Increasing the privacy and security of virtual assistants

With the growing number of consumers choosing to add smart speakers to the devices within their home, attackers will likely begin to leverage this trend for their own nefarious purposes. Moreover, there has recently been an example of how these devices can inadvertently breach your privacy. Adding to this, security researchers have already demonstrated vulnerabilities showing that unintended actions are possible.

Researchers from Indiana University in Bloomington, the University of Virginia and the Chinese Academy of Sciences recently demonstrated the following vulnerabilities and their effects, leading Amazon and Google to evaluate possible fixes or work on ways to mitigate them:

Scenario 1: The smart speaker has a 3rd party app (“skill”) installed which accepts an activation phrase (“Alexa” [followed by your choice of words]) very similar to that of other legitimate apps. It has the potential to hijack the connection.

Scenario 2: Using a rogue skill, an attacker can eavesdrop on conversations and simulate returning control to a legitimate skill, but instead carry on to gather further sensitive information from the user. Recent research has had about 50% success with impersonating legitimate skills.

Scenario 3: Previous research back in April involved creating a skill that purposely fails to terminate after hearing the activation phrase.

What steps can I take to make these attacks more difficult?
The advice below will not only make your device more secure but will also safeguard your privacy by ensuring data is not stored by the smart speaker vendor over a long period of time:

Amazon Echo Devices:

Google Home Firmware Versions:

Apple HomePod:

Update: 14th August 2019
Amazon have introduced a privacy setting to allow people to opt out of their Amazon Echo “Alexa” recordings being reviewed by human listeners:

Accessible from “Settings”, click on the Alexa Privacy link, and choose “Manage How Your Data Improves Alexa”.

The following guide details how to delete past Amazon Echo recordings:

Apple HomePod List of Privacy Features

Data security & privacy on Google Home

Some tips to guard your privacy while using the Amazon Echo

Some further steps to take to better secure your Amazon Echo

Apple releases its first HomePod software update, but no AirPlay 2 or pairing

Amazon Echo: Complete list of commands