The bulk of major corporate hacks follow time-tested strategies, like phishing emails that trick employees into giving up their credentials, or hackers exploiting a bug in a web portal. While effective, these strategies also open an attacker to early detection. So increasingly, hackers have taken the scenic route—through the Internet of Things.

Vulnerabilities in internet-connected devices are well-documented by this point, but the most common exploitations generally involve conscripting thousands of vulnerable IoT devices into botnets, or getting onto a network through a weak IoT device for ransomware attacks. These aren't data-stealing missions. But researchers from the IoT security firm Senrio have shown that a company's publicly exposed IoT devices can form an unsupervised backroad path into networks. Attackers can jump from one vulnerable IoT device to the next, totally bypassing mainstream devices like PCs and servers, and charting a course that's much harder to detect.

“We were seeking to answer the question ‘why does one device matter?’” says M. Carlton, Senrio’s vice president of research. “An attack like this shows why it’s important to know what’s really on your network. These devices are all connected to each other and can create a hole in the network. It would be very difficult to catch this.”

Internet of Hacks

Many, many IoT gadget characteristics make them risky to deploy. Manufacturers tend to patch vulnerabilities slowly, if at all. Each model of each device is a special snowflake, running inscrutable, proprietary code and making it difficult to create one-size-fits-all security scanning tools. Meanwhile, large institutions and industrial environments already struggle to prioritize PC and server patching; finding and cataloging IoT devices and hustling to apply every update quickly becomes unwieldy. So the devices sit out there, connected to the open internet with little oversight and few protections.


“If you have an organization with 5,000 connected cameras, which for a large company is pretty standard, then now you have to have someone in the organization following that vendor’s RSS or their mailing list just to even know the devices are vulnerable,” says Senrio founder and chief technical officer Stephen Ridley. “And then you have to incur this operational cost to update all of them, which in some cases might be a dude with a thumb drive climbing up a pole and updating each camera.”

Senrio’s attack, which the company will present at the RSA conference Thursday, focuses on exploiting publicly known flaws—for which patches are available—in two devices and then jumping onto a third. The company discovered and disclosed the two vulnerabilities, one in an IP security camera and one in a router, and has tracked them closely. Using tools like Shodan, which scans for IoT devices that are sitting on the public internet, the Senrio researchers have seen meaningful patch adoption for the bugs, a heartening sign. Still, the researchers have observed tens of thousands of devices that are vulnerable—which is what makes their attack chain so ominous. A sophisticated hacker might pull off the same type of IoT attack using undisclosed, unpatched vulnerabilities that they invested resources to find or buy. But anyone can capitalize on long-known vulnerabilities at virtually no cost.

A Rube Goldberg Attack

The Senrio attack starts by targeting a security camera that is still vulnerable to an inveterate IoT bug the researchers disclosed in July, known as Devil’s Ivy. Using an unpatched Axis M3004-V network camera as an example, an attacker would find a target exposed on the public internet to start the attack, and then use the Devil’s Ivy exploit to factory reset the camera and take over root access, giving them full control over it.

Once the attacker has taken over the camera, they can view the feed. In the scenario the Senrio researchers imagine, this IP camera has been rightly cordoned off from the rest of the network, able to communicate only with a router. Even with that well-intentioned stab at segmentation, the attacker can simply springboard from the camera to attack the router next.
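The segmentation described above (a camera allowed to talk only to the router) is exactly the kind of policy a defender can check flow records against, so that the camera-to-router hop stands out. The following is an added example and not Senrio's tooling or code from the article; the inventory, addresses, allowlist and flow-record format are all constructed assumptions.

```python
"""Flag IoT devices that initiate connections outside their declared role.
Constructed example: inventory, addresses and record format are hypothetical."""

# Per-device allowlist of (dst, port) pairs the device may initiate. The camera
# is segmented to reach only the router, and only for DNS and NTP.
INVENTORY = {
    "10.20.0.11": {"role": "ip-camera", "allowed": {("10.20.0.1", 53), ("10.20.0.1", 123)}},
    "10.20.0.1": {"role": "router", "allowed": None},  # None: not policed as a source
}
# Management-plane ports. An IoT device acting as the *client* on one of these
# toward another inventoried device is the camera-to-router hop in the article.
MGMT_PORTS = {22, 23, 80, 443, 8080}

def parse_flow(line):
    """Parse a constructed record 'src=A dst=B dport=N proto=P' into a dict."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"src": kv["src"], "dst": kv["dst"], "dport": int(kv["dport"]), "proto": kv["proto"]}

def classify(flow):
    """Return a verdict for a suspicious flow, or None when it matches policy."""
    entry = INVENTORY.get(flow["src"])
    if entry is None or entry["allowed"] is None:
        return None  # not an IoT source this check polices
    if (flow["dst"], flow["dport"]) in entry["allowed"]:
        return None  # within the device's declared role
    if flow["dst"] in INVENTORY and flow["dport"] in MGMT_PORTS:
        return "iot-pivot-to-mgmt"  # e.g. the camera reaching the router's admin UI
    if flow["dst"] in INVENTORY:
        return "iot-to-iot-unexpected"
    return "outside-allowlist"

def find_pivots(lines):
    """Classify every record; return (src, dst, dport, verdict) for each hit."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict:
            hits.append((flow["src"], flow["dst"], flow["dport"], verdict))
    return hits

# Constructed sample: routine DNS, the camera probing the router's web admin
# port, the camera reaching a host it should never see, and an admin PC that
# is not in the inventory and is therefore ignored by this check.
SAMPLE_FLOWS = [
    "src=10.20.0.11 dst=10.20.0.1 dport=53 proto=udp",
    "src=10.20.0.11 dst=10.20.0.1 dport=80 proto=tcp",
    "src=10.20.0.11 dst=10.20.0.77 dport=445 proto=tcp",
    "src=10.20.0.99 dst=10.20.0.1 dport=443 proto=tcp",
]
```

Running `find_pivots(SAMPLE_FLOWS)` returns two hits: the camera opening the router's port 80 and the camera reaching an unknown host. The check only works if the inventory is complete, which is the point Carlton makes about knowing what is really on the network.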