Researchers have uncovered two critical vulnerabilities in the TV-streaming EZCast device that can lead to remote code execution, and point to more general weaknesses in Internet of Things (IoT) security.
EZCast is an HDMI dongle-based TV streamer that is both remote-free and cross-platform (running on Android, iOS, Mac, and Windows). The device enables a user to stream media content from the web or their mobile device onto a television.
According to Google Play, the EZCast app has been downloaded by as many as five million users.
Check Point Software Technologies has issued a report in which its researchers explain how they were able to hack the EZCast dongle. As it turns out, it was relatively easy to get in.
“Entering the network via the dongle was extremely easy, as the device runs its own Wi-Fi network. This network is secured only by an 8 (numeric) digit password with WPS enabled by default (and is easily cracked). A successful brute-force attack on WPS allows unauthorized parties to gain access to the network.”
Check Point’s researchers go on to explain that malicious actors could also reach the device through two other attack vectors: the web (depending on the user’s settings) and social engineering via email, Facebook, Skype and the like.
Once inside, Check Point’s researchers found that the device creates a bridge to the user’s Wi-Fi network. To find a way to remain persistent on that network, they then extracted the device’s firmware and searched through its file system.
Before long, the researchers had discovered two critical vulnerabilities. The first was in a file called “upload.cgi” that allows an attacker to upload a malicious CGI file anywhere on the device disk, including to the cgi-bin directory.
“This will fully compromise the device and enable us to stay persistent (once again, without requiring authentication),” the researchers observe.
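The upload bug described above is a file-write with no containment: the client chooses the file name, the server joins it onto its upload directory, and a name that walks up the tree lands in cgi-bin. The following is an added example written for this article, not EZCast’s code; the base directory, file names and the allow-listed extensions are constructed for the demo. It shows the naive join beside an allow-list check that keeps the write inside one directory and refuses executable names. Note that the report’s root cause is the missing authentication on upload.cgi; a name check like this is a second layer, not a substitute for requiring a login.

```c
/* Added example (not EZCast's code): how an unauthenticated upload
 * handler ends up writing into cgi-bin, and a containment check.
 * Base directory, file names and extension list are constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Unsafe: trusts the client-supplied file name and joins it onto the
 * upload directory. A name such as "../cgi-bin/evil.cgi" walks out of
 * the directory, which is the upload.cgi behaviour the report describes. */
int build_upload_path_unsafe(const char *base, const char *name,
                             char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", base, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list the file name: one path component, no separators, no
 * leading dot, only [A-Za-z0-9._-], and an extension from a short
 * media list (assumed for the demo). Returns 0 and fills `out`, or -1. */
int build_upload_path_safe(const char *base, const char *name,
                           char *out, size_t outlen)
{
    static const char *allowed_ext[] = { ".mp4", ".jpg", ".png", ".mp3" };
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '.')
        return -1;                          /* rejects "..", ".htaccess", "" */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return -1;                      /* rejects '/', '\\', spaces, etc. */
    }
    const char *dot = strrchr(name, '.');
    if (dot == NULL)
        return -1;
    int ok = 0;
    for (size_t i = 0; i < sizeof allowed_ext / sizeof allowed_ext[0]; i++)
        if (strcmp(dot, allowed_ext[i]) == 0) { ok = 1; break; }
    if (!ok)
        return -1;                          /* ".cgi", ".sh" and friends never pass */
    int n = snprintf(out, outlen, "%s/%s", base, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[256];
    const char *base = "/var/www/upload";   /* constructed for the demo */
    const char *names[] = { "movie.mp4", "../cgi-bin/evil.cgi", "evil.cgi" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_upload_path_unsafe(base, names[i], path, sizeof path) == 0)
            printf("unsafe: %-22s -> %s\n", names[i], path);
        if (build_upload_path_safe(base, names[i], path, sizeof path) == 0)
            printf("safe:   %-22s -> %s\n", names[i], path);
        else
            printf("safe:   %-22s -> rejected\n", names[i]);
    }
    return 0;
}
```

Running it shows the unsafe join happily producing `/var/www/upload/../cgi-bin/evil.cgi` while the allow-list version rejects both the traversal and the bare `.cgi` name. An allow-list of characters is deliberately used instead of stripping `..`, because strip-and-retry filters are where most traversal bypasses live.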
The second critical vulnerability is in a file called “windir.cgi,” which accepts an IP address, username and password in a single GET parameter. That value reaches a shell command unsanitised, so an attacker can inject commands into the device remotely.
A proof-of-concept attack developed by the researchers injected a shell command into the string the device hands to system(); the response came back containing the string “root”, confirming that the CGI runs with root privileges.
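What that bug looks like in code, as an added example for this article rather than EZCast’s own source: a CGI that splices the GET parameter straight into a shell command line, the input that turns it into a root shell, and the allow-list plus execv() rewrite. The report does not say which command windir.cgi builds, so the `mount` command here is an assumed stand-in, and the demo swaps in `echo` so it can be run unprivileged.

```c
/* Added example (not EZCast's code): a CGI that splices a GET parameter
 * into system(), the injection that abuses it, and an allow-list plus
 * execv() rewrite. The "mount" command is an assumed stand-in; the report
 * does not say what windir.cgi actually runs. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: three client-supplied values go straight into a
 * shell command line. The CGI would then call system(cmd). With
 * ip = "1.2.3.4;id;#" the shell runs mount, then id, and treats the rest
 * as a comment; the output of id is what comes back as "root". */
int build_cmd_unsafe(const char *ip, const char *user, const char *pass,
                     char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen,
                     "mount -t cifs //%s/share /mnt -o user=%s,pass=%s",
                     ip, user, pass);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Allow-list checks for the hardened version. */
int is_ipv4_literal(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

int is_plain_token(const char *s, size_t maxlen)
{
    size_t len = strlen(s);
    if (len == 0 || len > maxlen) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Run argv directly with no shell. Returns the child's exit status or -1. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened: validate each field, then pass them as separate argv entries.
 * The password is not character-restricted (argv carries it as one
 * argument), but a comma would let it inject extra -o mount options, so
 * that one character is refused. Returns -1 on rejection. */
int mount_share_safe(const char *ip, const char *user, const char *pass)
{
    if (!is_ipv4_literal(ip) || !is_plain_token(user, 32) ||
        strlen(pass) == 0 || strlen(pass) > 64 || strchr(pass, ',') != NULL)
        return -1;
    char share[64], opts[160];
    snprintf(share, sizeof share, "//%s/share", ip);
    snprintf(opts, sizeof opts, "user=%s,pass=%s", user, pass);
    /* "echo" stands in for "mount" so the demo runs unprivileged. */
    char *argv[] = { "echo", "mount", "-t", "cifs", share, "/mnt", "-o", opts, NULL };
    return run_argv(argv);
}

int main(void)
{
    char cmd[256];
    const char *evil_ip = "1.2.3.4;id;#";    /* constructed injection payload */
    build_cmd_unsafe(evil_ip, "bob", "pw", cmd, sizeof cmd);
    printf("unsafe command line: %s\n", cmd);
    printf("hardened, injected ip: %d\n", mount_share_safe(evil_ip, "bob", "pw"));
    printf("hardened, clean ip:    %d\n", mount_share_safe("192.168.1.10", "bob", "pw"));
    return 0;
}
```

The unsafe line prints as `mount -t cifs //1.2.3.4;id;#/share /mnt -o user=bob,pass=pw`, which is three shell statements, not one. The hardened path rejects the payload at `inet_pton` and, for clean input, runs `echo` with the address as a single argument, so even an unexpected character could never start a new command.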
“This research provides a glimpse of what will be the new normal in 2016 and beyond – cyber criminals using creative ways to exploit the cracks of a more connected world,” said Oded Vanunu, security research group manager, Check Point, reported CNN Money. “The Internet of Things trend will continue to grow, and it will be important for consumers and businesses to think about how to protect their smart devices and prepare for the wider adoption of IoT.”
Check Point says that it first informed EZCast of the security vulnerabilities in July 2015, but received no response. It tried again in August 2015, but still received no response. Frustrated by the lack of communication, the researchers have now decided to go public and conclude their report in damning fashion:
“The EZCast device was never designed with security in mind. We were able to uncover a number of critical vulnerabilities, and we barely scratched the surface. Would you sell a root shell in your network for $25 dollars? Because that’s what you’re essentially doing when you buy and use this device.”
They go on to urge researchers and IoT security vendors to work together to not only report vulnerabilities but also design devices like EZCast with security in mind.
I could not agree more. Blind enthusiasm for “smart” everythings continues to play a major role in driving the Internet of Things. We as security personnel need to treat IoT as something that can be actively exploited.
Here is a video by Graham Cluley, describing the threat posed by insecure Internet of Things devices:
If we keep an eye out for vulnerabilities, the onus will shift to vendors to either keep security in mind or risk ridicule at the hands of a customer breach. It begins with us, but the choice is ultimately theirs.