Last week at Kaspersky Lab’s Security Analyst Summit (the SAS), there was a lot of cool research that made you think. Although a lot of talks centered on deep APT research and threats to businesses, there were a few sessions where consumer security was shown to be at risk as well.
One such talk was given by Jan Hoersch, an IT security consultant at Securai GmbH, on vulnerabilities he had discovered in connected Internet of Things (IoT) devices. During the 20-minute talk, four out of seven of the most flawed products mentioned were travel routers.
We have written about hotel Wi-Fi before. It is not always 100% secure, so smart travelers use a travel router to get an additional layer of security as well as the convenience of not having to hook up all of their devices to the hotel’s Wi-Fi network.
Travel routers mainly get positive, even glowing, reviews on sites like Amazon, but you’ll rarely find the word security mentioned in the reviews.
The password is root… and you can't change it – Jan Hoersch #thesas2017 pic.twitter.com/xNjYAWa43V
— Kaspersky (@kaspersky) April 4, 2017
To consumers, it seems, convenience has a far greater appeal than being safe and secure. Who cares if your devices are pwned when you can stream Netflix despite the hotel blocking it?
Putting the last sarcastic comment aside, the sad reality (as, again, we have covered in the past) is that security is not the number one priority when it comes to launching an IoT product.
With the routers, Hoersch told the crowd, “You often find hardcoded passwords. Most of the time they’re just there to be exploited, like a backdoor.”
What exploits did he find?
For starters, one of the routers could send across user data (user name, SSID, admin password) in plaintext — all an attacker would have to do is send an SMS message to the router and wait for the info to be sent back. Others included LAN port vulnerabilities, easily manipulated settings, and also the ability to inject malicious, unauthenticated commands. In short, things you probably don’t want snooping around your Web traffic or connected to your computer.
So, the question remains: What can I do to protect myself?
- Do your research. This does not mean simply reading reviews on Amazon for end-user reviews. Go to technology sites and read the technical details or Google the device and security flaws.
- Check if you can change the default password. Add this to your research phase or at least investigate it when you initially set up the device. As Hoersch noted in his talk, many devices have hardcoded passwords. If you find this to be the case with your device, see point #3 and think about reassessing the purchase and options for exchange.
- Determine your risk level. This will be different for each user, but in reality security is up to the individual. If you feel that your antivirus product and your personal security protocol are strong, you may be willing to take a higher risk. However, if you use Password1234 as your default or share your password across multiple networks, you may want to reassess (and think about a password manager).