Who’s Securing Your IoT Security Cams? [Encryption Digest 27]

January 17, 2020 | Katrina Dobieski

With so much smart technology bought to protect us, are we taking the basic precautions to secure it? Recent and ongoing mishaps with Amazon's Ring cameras have brought more scrutiny to smart home devices, and the findings are dismal at best. While we look to require multi-factor and certificate-based authentication in our homes, fraudsters are emptying our pocketbooks from look-alike shopping domains abroad, each carrying a perfectly valid TLS certificate. Payment card fraud, especially from spoofed sites with real certificates, is at an all-time high in Ukraine, and one hacking group has finally paid the price.

And Trend Micro spotted the first active, in-the-wild exploitation of an Android use-after-free vulnerability that Google had already disclosed and patched, with breadcrumbs that may lead back to NSO Group, an Israeli maker of surveillance tools. How the black hats may be ahead in the use and abuse of encryption, and how our IoT breaches and card scams are telling us it might be time to take a page from their book.


The Irony of IoT Security Cams

You buy a smart camera to properly secure your home. Too bad nobody took the time to properly secure your camera.

There have been over 300 reported incidents of strangers getting into Amazon Ring indoor cameras, most notoriously a man shouting racial epithets through a camera mounted in the bedroom of an 8-year-old girl, talking to her directly and insulting her mother.

This is not why we bring smart things into our homes.

You’d assume that with such privileged access to our most valuable assets (presumably in the home, presumably why we’d want a camera in the first place), security would be a key selling feature, or at least a key priority. It seems that it is not.

Getting into a Ring account has been about as easy as logging into Gmail from a friend's laptop. Multi-factor authentication was available but optional and off by default. No certificate-based device authentication. Just a username and password pair, the kind of static credential that has been systematically abused. By Amazon's own admission, Ring users were left open to credential stuffing: attackers breach some other service, harvest its leaked usernames and passwords, and replay them against Ring on the bet that people reuse passwords. Static, reusable credentials are a petri dish for this kind of attack. Also in play were Wi-Fi credentials leaked by the devices themselves and a puzzling session-handling flaw that let a user stay logged in to a Ring account after its password was changed, so changing the password did not evict an intruder who was already inside.
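To make the session-handling point concrete, here is an added example (not Ring's or Amazon's code, and not from the original post) of a toy login service before and after binding each session to a password "generation" counter. The Account and session-store classes, the counter name and the user names are assumptions for illustration; a real service would also expire sessions server-side and require MFA.

```python
"""Toy login service: sessions that survive a password change versus sessions
bound to a password generation. Added example; not Ring's or Amazon's code.
The classes, the `password_generation` counter and the user names are
assumptions made for illustration.
"""
import hashlib
import hmac
import secrets


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 is what the standard library offers; a real service
    # would prefer argon2 or scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    def __init__(self, username, password):
        self.username = username
        self.password_generation = 0  # bumped on every password change
        self._set_password(password)

    def _set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash_password(password, self.salt)

    def verify_password(self, password):
        candidate = _hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.password_hash)

    def change_password(self, new_password):
        self._set_password(new_password)
        self.password_generation += 1  # every session issued so far is now stale


class NaiveSessionStore:
    """Weak: a token maps to a username and nothing else, so a password
    change has no effect on sessions that were already issued."""

    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, account, password):
        if not account.verify_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = account.username
        return token

    def is_valid(self, token, accounts):
        return self._sessions.get(token) in accounts


class GenerationBoundSessionStore:
    """Hardened: each session records the password generation it was issued
    under; a session whose generation no longer matches the account's is
    rejected, so changing the password evicts an intruder who is already in."""

    def __init__(self):
        self._sessions = {}  # token -> (username, password_generation)

    def login(self, account, password):
        if not account.verify_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (account.username, account.password_generation)
        return token

    def is_valid(self, token, accounts):
        entry = self._sessions.get(token)
        if entry is None:
            return False
        username, generation = entry
        account = accounts.get(username)
        return account is not None and account.password_generation == generation


def demo():
    """Return (naive_session_still_valid, bound_session_still_valid) after the
    owner changes the password while an intruder's session is open."""
    alice = Account("alice", "correct horse battery staple")  # constructed user
    accounts = {"alice": alice}
    naive, bound = NaiveSessionStore(), GenerationBoundSessionStore()

    # An intruder logs in with a password obtained through credential stuffing.
    stolen = "correct horse battery staple"
    naive_token = naive.login(alice, stolen)
    bound_token = bound.login(alice, stolen)

    # The owner notices and changes the password.
    alice.change_password("new password, not reused anywhere")

    return (naive.is_valid(naive_token, accounts), bound.is_valid(bound_token, accounts))


if __name__ == "__main__":
    print(demo())  # (True, False): only the generation-bound store evicts the intruder
```

Running the file prints `(True, False)`: the naive store still honours the intruder's session after the password change, the generation-bound store does not. The same counter should also be bumped on MFA enrolment and on a "log out everywhere" action.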

Now that IoT is no longer “new technology,” excuses dwindle for its negligence in security. Commendably, regulatory agencies like the FDA are implementing IoT safety standards across some verticals, but it seems the technology has far outstripped its security. When the companies producing these smart appliances are leaders in technology and innovation, the case becomes even more curious.

Until then, Amazon suggests enabling two-factor authentication.

How Long Has This Been Going On? Ukrainian Hacking Group and Long Tail Damage

How do you tell a real online store from a fake? Not by the padlock. The fake will almost always have a real TLS certificate, and that certificate proves only that whoever set up the site controls that domain name, not that the domain belongs to the retailer whose name it imitates.

The problem is so widespread that in Ukraine alone there were nearly 80,000 cases of payment card fraud in 2018, in no small part owing to the number of typosquatted domains. Primary targets? The twenty top US retailers. Macy's was a hot target last year, although there the attackers went after Macy's own website rather than a look-alike domain.

A little less than a month ago, Ukrainian police finally cracked down on a hacker group out of the Kharkiv region that was responsible for its fair share of extortion. On its rap sheet was the notoriety of hacking 20,000 private servers worldwide. And then came all the rest.

The compromised servers were an international business in themselves: hawked to foreign buyers, or turned into botnets for hire for DDoS attacks and data harvesting, or used as command-and-control infrastructure for fraudulently installed software. It was all bad.

Unfortunately, this group worked both sides of the counter and moonlighted as a sort of investment agency as well, circa 2014—setting up fake call centers and throwing clients’ stock market “investments” (made through their bogus website) into their own private accounts. With their scale of enterprise, it’s worth wondering if they might not have been more successful at the real thing. In any event, this side hustle earned them a cool 100K per month, and they were one of many to capitalize off what can only be termed a Ukrainian card fraud epidemic.

So, are consumers getting more gullible, or are fraudsters just getting better? Probably the latter, although it helps to stay savvy. A primary reason these spoofed domains are believable is that a legitimate TLS certificate is easy to come by: a domain-validated certificate requires nothing more than proof of control over the (typosquatted) domain, and certificates, together with their private keys, are also sold on the Dark Web. With data surpassing oil in value, and machine identities now worth more than human ones, it's no wonder the internet has a thriving economy for SSL/TLS certificates and keys. Just make sure they aren't yours.

And think twice before answering any Ukrainian investment calls.
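The look-alike domain problem in this section comes down to the fact that a certificate says nothing about whether a domain is the brand it resembles, so the check has to be done on the name itself. Below is an added example (not from the original post, the Ukrainian police, or any retailer) of a small classifier that compares a domain against a list of protected brand names and flags TLD swaps, homoglyph substitutions, embedded brand names and one-edit typos. The brand list, the homoglyph table, the edit-distance threshold and the sample domains are all constructed for illustration, and the code deliberately takes no certificate information as input, because a domain-validated certificate would be present on the fake as well.

```python
"""Flag domains that imitate protected brands. Added example, not from the
original post; PROTECTED_BRANDS, HOMOGLYPH_FOLDS, the threshold and the sample
domains are constructed for illustration. Certificate validity is deliberately
not an input: a fake with a valid DV certificate still gets flagged.
"""

PROTECTED_BRANDS = ["macys.com", "amazon.com", "walmart.com"]

# Character sequences that pass for another letter in many fonts. Order
# matters: multi-character folds run before single-character ones.
HOMOGLYPH_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

MAX_TYPO_DISTANCE = 1  # edits allowed before a name counts as a typosquat


def split_domain(domain):
    """Return (labels, registrable) for a domain. Assumption: no public-suffix
    list is consulted, so the registrable domain is taken to be the last two
    labels (this misclassifies names like amazon.co.uk)."""
    labels = domain.strip().lower().rstrip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels, ".".join(labels[-2:])


def fold_homoglyphs(text):
    for src, dst in HOMOGLYPH_FOLDS:
        text = text.replace(src, dst)
    return text


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain):
    """Return (verdict, brand, distance). Verdicts: legitimate, lookalike-tld,
    lookalike-homoglyph, lookalike-embedded, lookalike-typo, unrelated."""
    labels, registrable = split_domain(domain)
    if registrable in PROTECTED_BRANDS:
        return ("legitimate", registrable, 0)

    name, _, tld = registrable.partition(".")
    folded = fold_homoglyphs(name)
    for brand in PROTECTED_BRANDS:
        brand_name, _, brand_tld = brand.partition(".")
        if name == brand_name and tld != brand_tld:
            return ("lookalike-tld", brand, 0)          # e.g. macys.shop
        if folded == brand_name:
            return ("lookalike-homoglyph", brand, 0)    # e.g. rnacys.com
        # Brand name used as a subdomain label or inside the registrable name.
        # Heuristic: it also catches unrelated names that merely contain it.
        if brand_name in labels[:-2] or brand_name in name:
            return ("lookalike-embedded", brand, 0)     # e.g. macys.com.secure-login.net

    best_brand, best_distance = None, None
    for brand in PROTECTED_BRANDS:
        distance = osa_distance(folded, brand.partition(".")[0])
        if best_distance is None or distance < best_distance:
            best_brand, best_distance = brand, distance
    if best_distance <= MAX_TYPO_DISTANCE:
        return ("lookalike-typo", best_brand, best_distance)   # e.g. mcays.com
    return ("unrelated", None, best_distance)


if __name__ == "__main__":
    for sample in ["www.macys.com", "mcays.com", "rnacys.com", "macys.shop",
                   "macys.com.secure-login.net", "amaz0n.com", "example.org"]:
        print(sample, classify(sample))  # constructed sample domains
```

In practice the input to `classify` would be a feed of newly issued certificates or newly registered domains, which is exactly where a valid certificate on a fresh "macys"-like name is a signal rather than a reassurance.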

First In-the-Wild Exploit of the Android Binder Use-After-Free Bug Caught

Late last year, Google's Project Zero disclosed a use-after-free bug in Android's Binder driver, CVE-2019-2215. Early this year, researchers at Trend Micro caught it being actively exploited by apps distributed through Google Play, the first known in-the-wild exploitation of this bug. The researchers could also estimate how long the campaign had been running, from last March up until their recent discovery, from the creation dates of the certificates the apps were signed with. Cybercriminals are getting more and more wily about misusing machine identities in their attacks. It's reassuring that threat researchers are keeping pace.

Here's what we know. Three malicious apps on Google Play worked together to exploit the Android kernel and siphon off user data. Browsing the store, you would have seen innocuous-looking "photography and file manager tools." The attack, among other things, takes advantage of CVE-2019-2215, a flaw in Binder, Android's primary inter-process communication mechanism, which can be used to gain root privileges on the device.

The attack stands out for two reasons.

The first is strong suspicion rather than proof, but interesting. One of the three apps, a photography app called Camero, uses command-and-control servers suspected to belong to SideWinder, a hacking group with a history of targeting Pakistani military entities. And when Google disclosed the bug last fall, it noted reports that the exploit was being used or sold by Israel's NSO Group.

Secondly, with Trend Micro's find, this is the first known active attack in the wild that uses this use-after-free vulnerability. A use-after-free bug is a memory-safety flaw in which code keeps using memory after it has been freed; here the Binder driver kept a reference to a freed kernel object, and a malicious app could reuse that memory to corrupt kernel state and escalate from an ordinary app to root. It is a local privilege escalation, not remote code execution: the attacker still has to get code onto the device first, which is exactly what the Google Play apps were for.

The good news is that it was only downloaded 10 times. We’ll be grateful that the adversary’s marketing skills were less sophisticated than its attack attempts.
