Should you pen-test WFH staff? Consumer gear has terrible security.

Richi Jennings Your humble blogwatcher, dba RJA

Two research reports remind us this week that the consumer device market is a cesspool of insecure plastic garbage. These are the devices in your users’ home networks—the same users who are working from home and connecting back into your organization.

Yes, yes—they’re using a company VPN, but “defense in depth” demands better. If WFH is now SOP, then why not stand up a red team to attack your users’ home networks?

You know it makes sense. In this week’s Security Blogwatch, we give thanks.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: All the school kids so sick of books—they like the punk and the metal band.

No going back from WFH

What’s the craic? Katie Grant[s] us an audience—Tests performed on a variety of smart doorbells exposed a host of flaws that could be exploited by criminals:

Households hoping to tighten security are actually at risk of installing devices that can be easily switched off, stolen or hacked, research has found. … Tests on a variety of smart doorbells available via Amazon Marketplace and eBay, some of which closely resembled in-demand models such as Amazon Ring or Google Nest [found] a host of flaws that can enable cybercriminals to access users’ sensitive data.

Of the 11 devices tested, two … possessed a “critical vulnerability” that could allow cybercriminals to steal the network password. [They were] found to send customers’ home WiFi name and password unencrypted to servers in China. … Several of the doorbells came with weak and easy-to-guess default passwords. … Use of default passwords would be illegal under proposed Government legislation.

Amazon said: “We require all products offered in our store to comply with applicable laws and regulations and have developed industry-leading tools to prevent unsafe or non-compliant products from being listed.” Ebay said: “When a product is listed that violates our safety standards, we remove the listing straight away. These listings do not violate our safety standards.”

Yikes. Auntie Beeb adds—Smart doorbells are 'easy target for hackers':

Amazon has removed at least seven product listings in response to the findings. [eBay] said the flaws … "should be addressed with the seller or manufacturer."

Among the most common flaws were weak password policies, and a lack of data encryption. [Amazon’s] current number one bestseller in smart doorbells, the Victure Smart Video Doorbell … could be manipulated to steal network passwords and then hack other … devices within the home.

Let’s hear from the horse’s mouth. Martin Pratt of Which? worries—All 11 doorbells we tested demonstrated high-risk security issues:

Popular models, such as Ring and Nest doorbells, are expensive, but scores of similar looking devices have popped up on Amazon, eBay and Wish at a fraction of the price. They look similar and promise comparable features, but Which? worked with expert cybersecurity researchers, NCC Group, to find that some of these devices have serious vulnerabilities. … many of which had scores of 5-star reviews, were recommended as ‘Amazon’s Choice’, or on the bestseller list.

There are certain things you can look out for when you’re shopping or setting one up, too. Look at the brand. If you haven’t heard of the brand, or there’s no brand at all, then you should be cautious. … Check the reviews. As our fake reviews investigations have shown, you can’t always trust the reviews. [So] look out for negative ones in particular. … Change the password. This is true of any internet-connected device. … Keep it up to date. Software updates are rarely about adding features. … Check the settings … and update the app used to control it. Set up two-factor authentication. This isn’t always available, but if it’s an option then be sure to enable it.

So, what can be done about the products? Return them! CamelCaseName KnowsTheJargon: [You’re fired—Ed.]

NCX (Negative Customer Experience) is the metric in question.

Enough returns relative to other products in its category will first get the listing temporarily removed. And then permanently removed, if issues continue.

Or it sounds like a job for a VLAN. But m2pc says yes, meaning no:

Yes, but you'd still have to worry who was doing what with the data once it left your guest network/vLAN. Nobody really knows what happens to their video and audio data once it leaves their network and gets stored/shared by unknown entities.
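The Which? finding above (devices posting the home Wi‑Fi name and password in the clear to remote servers) and m2pc's point (a guest VLAN does not tell you what leaves it) both come down to watching egress from the IoT segment. Below is an added example, not code from Which?, NCC Group or any vendor named on this page: a small Python checker that takes a handful of constructed outbound HTTP request records from an IoT VLAN, flattens form and JSON bodies, and reports any request that carries credential‑looking fields without TLS. The hostnames, IPs and field names are assumptions chosen for illustration.

```python
"""Egress check for an IoT VLAN: flag cleartext requests that carry Wi-Fi
credentials off the network.

Added example. The request records below are constructed for illustration;
they are not real captures from any product mentioned in the article.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Field names that commonly carry Wi-Fi credentials in device "bind"/setup
# traffic. Assumption: this list is illustrative; extend it for your estate.
CREDENTIAL_KEYS = {"ssid", "wifi_name", "psk", "password", "passwd", "wifi_pwd"}

# Constructed sample of outbound HTTP requests seen from the IoT VLAN.
# Hosts use reserved/example names and TEST-NET addresses (hypothetical).
SAMPLE_REQUESTS = [
    {"src": "10.20.0.11",
     "url": "http://cloud.example-doorbell.invalid/api/bind",
     "content_type": "application/x-www-form-urlencoded",
     "body": "ssid=HomeNet&password=hunter2&uid=abc123"},
    {"src": "10.20.0.11",
     "url": "https://cloud.example-doorbell.invalid/api/heartbeat",
     "content_type": "application/json",
     "body": '{"uid": "abc123", "ts": 1700000000}'},
    {"src": "10.20.0.12",
     "url": "http://203.0.113.7/upload",
     "content_type": "application/json",
     "body": '{"dev": "cam-2", "wifi": {"ssid": "HomeNet", "psk": "hunter2"}}'},
    {"src": "10.20.0.14",
     "url": "https://setup.example-camera.invalid/register",
     "content_type": "application/x-www-form-urlencoded",
     "body": "ssid=HomeNet&psk=hunter2"},   # credentials, but over TLS
    {"src": "10.20.0.13",
     "url": "http://time.example.invalid/",
     "content_type": "text/plain",
     "body": ""},
]


def extract_fields(content_type, body):
    """Flatten a form or JSON body into {lowercase key: value}.

    Nested JSON objects and arrays are walked iteratively so a key such as
    wifi.psk is still seen as "psk".
    """
    fields = {}
    if not body:
        return fields
    if content_type.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            fields[key.lower()] = values[0]
    elif content_type.startswith("application/json"):
        try:
            doc = json.loads(body)
        except ValueError:
            return fields          # malformed body: nothing to inspect
        stack = [doc]
        while stack:
            node = stack.pop()
            if isinstance(node, dict):
                for key, value in node.items():
                    if isinstance(value, (dict, list)):
                        stack.append(value)
                    else:
                        fields[str(key).lower()] = value
            elif isinstance(node, list):
                stack.extend(node)
    return fields


def find_credential_leaks(requests):
    """Return one finding per request that sends credential-like fields
    without TLS. Requests over https are not flagged: the point is
    transport encryption, not whether the vendor should have the PSK."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        fields = extract_fields(req.get("content_type", ""), req.get("body", ""))
        leaked = sorted(key for key in fields if key in CREDENTIAL_KEYS)
        if leaked and parts.scheme != "https":
            findings.append({"src": req["src"],
                             "dst": parts.hostname,
                             "fields": leaked})
    return findings


if __name__ == "__main__":
    for hit in find_credential_leaks(SAMPLE_REQUESTS):
        print(f"{hit['src']} -> {hit['dst']}: cleartext {', '.join(hit['fields'])}")
```

Run against the constructed sample it reports two devices: the doorbell posting `ssid`/`password` as a form, and the camera nesting `ssid`/`psk` inside JSON to a bare IP. The same fields sent over TLS are deliberately not flagged, which is why a guest VLAN alone is not the end of the story: segmentation limits lateral movement, but an egress log from that VLAN is what tells you what the device is actually shipping out.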

And syntaxing feels uncomfortable:

I get uncomfortable how this is probably true with all these smart TVs as well (especially the budget TVs). I set up piHole to try to prevent this.

It sucks because all our electronics get poisoned since good brands get squashed out by these low cost alternatives that consumers love at the expense of privacy that no one cares about anymore. Also, another crazy thing is ISP provided routers. I was unable to change the DNS on my modem/router, let alone change the security settings.

Speaking of insecure routers, Mantas Sasnauskas, James Clee, and Roni Carta speak vicariously through Bernard Meyer—Walmart-exclusive router and others sold on Amazon & eBay contain hidden backdoors:

[The backdoors] would allow an attacker the ability to remotely control not only the routers, but also any devices connected to that network. … We have also found evidence that these backdoors are being actively exploited, and there’s been an attempt to add the devices to a Mirai botnet.

[M]ultiple Wavlink and Jetstream devices have now been shown to be affected. In fact, all of the devices that [we] analyzed were found to contain backdoors. … While Jetstream has an exclusive deal with Walmart, and is sold under other brand names like Ematic, there is very little information available about which Chinese company actually produces these products. … Wavlink is a technology company based in Shenzhen. … Is “Jetstream” Winstar’s American brand? [Its] listed address is the same as Wavlink’s. … This leads us to believe that Winstars is the owner of both Jetstream and Wavlink brands.

With this backdoor … the malicious actor can monitor and control all traffic coming through that router. … It’s like having a city as big as New York, and all those millions of doors are wide open. … Someone is definitely going to try to get into those houses and those apartments and try to steal whatever they can.

The best thing to do then, if you have one of these vulnerable Jetstream/Wavlink devices, is to stop using them and buy a router from a reputable company. … It might be a good idea to … clean your computers, reset the passwords of the computers and online accounts, and so on.

Yikes (again). There’s a place for regulation, thinks Canberra1:

Where is the FCC when you need them, and Class Action lawyers forcing an expensive consumer product recall? Not fit for purpose, hidden and latent defects may work in some consumer friendly states.

Where is the … admin/admin nonsense going to be stopped? And Cisco beat all others and had undeclared userids at multiple levels. … Anyway, find that receipt and take it back.

But who is legally liable? The domestic vendor, as far as wegs can tell:

As far as I can tell, that's the company who imported and sold it. If Amazon and Walmart are liable, I won't need to worry about fake Sandisk memory cards, fake medicines, fake clothing, and other fake products there. I'd love that.

Couldn’t the law be stronger? The IoT Cybersecurity Improvement Act has just made it through both houses of the US Congress, but it only regulates government spending. And this Anonymous Coward knows how that goes:

The US government previously mandated OSI networking in its own procurement, and later, IPv6. Neither appears to have had a huge impact.

Meanwhile, zenlessyank cuts to the chase:

Dumbass doorbells for dumbasses. I see absolutely no issue.

The moral of the story?

Audit the equipment your users use in their working-from-home networks. You’re going to have to keep up with the security status of that too, and mandate replacement of devices that can’t be secured.

And finally

They like … the metal band

Trigger warnings: MF-bomb, moshpuppet, cops in the doughnut shop (all of them).

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Dillon Shook (via Unsplash)