Daniel Miessler

Account Harvesting as the Most Serious IoT Vulnerability

June 2, 2015
#cybersecurity #technology
shodan-vnc

The Internet of Things introduces significant security risk because it takes objects and machines and systems that used to be private and puts them online so that people can interact with them.

What could go right?

The biggest concern is really that these systems, when placed on the internet, can be accessed by billions of people, programs, and other systems. They’re just out there, ready to be poked and explored.

Shodan, is a search engine that makes it easy for people to do this exploration for any given system type, from routers to SCADA systems, to traffic lights. The project scans the entire internet constantly and indexes the systems it finds so they can be searched.

And this brings us to what is arguably the most dangerous vulnerability for facing IoT today: Many of these systems have simply login and password fields, and they’re just sitting there awaiting input.

login

The problem wouldn’t be so serious if these systems were coded and configured securely, but most are vulnerable to a vulnerability I call Account Harvesting, which is actually a combination of three separate security flaws:

  1. User Enumeration: The ability to programatically determine the valid users on the system

  2. Weak Password Policy: The presence and/or allowance of weak passwords like "123456", "password", common words, etc., that can be easily guessed using wordlists Unsupervised Learning — Security, Tech, and AI in 10 minutes… Get a weekly breakdown of what's happening in security and tech—and why it matters.        

  3. Lack of Account Lockout: The failure to lock out an account after a certain number of failed account login attempts

If a login challenge has one of these vulnerabilities it’s really bad (that’s a technical term). If it has two, it’s serious. And if you have all three you have Account Harvesting, and it means that attackers can just grind away at your system and pull out valid credentials and then log in like they own the place (because now they do).

And nobody will likely even notice until someone’s done something malicious.

The point of all this is to remind everyone that IoT’s biggest security challenges aren’t currently exotic. It’s not crazy protocol attacks or new surface areas. They’re basic, fundamental, and the same issues we’ve been facing for decades.

We’re exposing millions of systems to the internet that have user enumeration, weak passwords, and no account lockout.

If you care about IoT security, let’s let’s start there.

Notes

  1. CSRF is also a monster in the IoT context, as it allows for automatic configuration of sensitive settings—most notably DNS reconfiguration that sends visits to sensitive sites to attackers.

HOME·BLOG·ARCHIVES·ABOUT