Diary of an IoT hacker: I know what you ate last Sunday
23 July 2018
I spy with my little eye, something beginning with ‘R’…
13:31 – Roast potatoes, with chicken, broccoli, carrots – but no gravy. That was John’s first mistake. But not his last. I am sure he is called John, at least that’s what I remember his wife calling him. Watching him cook is like an episode of MasterChef. While he is a whizz in the kitchen, he’s a bit clueless about information security.
I am watching him right now from his laptop. He’s reading a recipe pinched from Google. I am reading his facial expressions via his webcam while he wonders whether to cook spaghetti bolognaise or jerk chicken.
John’s webcam connects directly to his WiFi network (these are usually called IP cams) – it has a video feed and a settings page that is secured by a username and password. The good thing is, like many other people, John didn’t bother to change his login from the default settings.
03:14 – I was going to call it a night, but then I noticed John had installed one of those fancy Samsung smart fridges. Very cool. He’s filled it with so many types of cheese. I spy, with my little eye… Camembert, Red Leicester, Jarlsberg and, eww; no, Stilton. Even better, there are his Google credentials.
See, while this fridge encrypts communications, it doesn’t validate who it is talking to. In a man-in-the-middle attack I can sit in on its conversations, including the ones it has with Google’s servers to download calendar data for the on-screen display. I can hack John’s fridge from his back garden or my car parked on his road. Credentials just waiting to be snatched.
08:29 – John’s wife just left a note on the fridge’s on-screen display… What does it say? I spy, with my little eye… “John, don’t forget to pick up some Petit Filous for Lucy when you go shopping later – take my credit card. My PIN is 7361.” So, it’s Lucy then? Hmph, I always thought she looked like a Natalie.
They’ve just bought her one of those internet-connected teddy bears. They are so popular because they allow parents and kids to exchange messages. I spy, with my little eye… Ah yes, the manufacturer has left the default password exposed online – and this family hasn’t changed it. Once connected via Bluetooth, I can send and receive messages. I only need to be standing within ten meters of the teddy. The toy’s firmware isn’t encrypted. I can overwrite it easily. Hmm, I can pretend to be Ted the teddy and ask her what time mummy and daddy usually go to work. That way I will know when the house is empty and sell that juicy info on the dark web. Or maybe I can break in and steal all their fancy stuff myself.
Maybe I will tell her to put Ted in the lounge, so I can eavesdrop on the meeting they’re having at home with their mortgage advisor on Friday. I’ll make her promise not to tell her parents about our conversations. I’ll say, ‘otherwise the magic will fade away, and Ted will lose his ability to speak.’
They spoil her rotten; it’s not fair. My parents just plonked me in front of the television. Grandstand, Antiques Roadshow and Cash in the Attic. That’s what I remember. I swear my mum treated that television like an unpaid babysitter. A five-channel guardian. I did love that ol’ telly. Though, it’s not as nice as this family’s. They’ve got a shiny new 3D Smart TV.
What they fail to realise is that Smart TVs are basically just computers without any antivirus software. They have USB ports, operating systems and capabilities no different from a smartphone. But, unlike smartphones, they rarely require any authentication. Because John and his family don’t change any of their default passwords, this means that I can hack their television and manipulate what the viewer is watching. In fact, I haven’t tested that functionality yet. Shall I give it a go?… Yep – it works!
Though maybe next time I won’t show an adult movie when he has his in-laws over.
23:56 – Now I am writing an app – available from third-party app stores near you. Smart TVs have built-in app stores you see. I will try to convince John to download my app – and I can then infect their devices with malware. Hopefully, I will have the same luck I had with my SMS phishing attack.
I sent a text to John’s phone pretending to be from Apple. I advised him that his Apple ID was due to expire, and he needed to update it via a link or risk losing his services and apps. I watched him through his webcam, staring at the text; it was a tense moment for me, I will not lie.
But he gave me what I needed. Once he submitted his login credentials, I had access to his bank details – and his photographs. He travels a lot with his family. I must ask him what he thought of Paris. I’ve been meaning to go.
15:00 – Ooh, I spy, with my little eye, big match! I think I will join him…
Do your employees recognise the importance of secure behaviour and do they understand the work practices they need to adopt? Over the years we’ve helped engage thousands of employees with awareness campaigns utilising a variety of creative devices.