Now, to start I will admit I have been called insane and far worse for my hobby. What is my hobby if you do not know? I break into online household appliances.
Yes, it is strange, but there are worse things to do.
Interestingly, in the average western household, there are many things that already have Internet connectivity. The following are a few things I have in my home already that are connected to the Internet:
- Panasonic BluRay player (this is actually REALLY annoying as the firmware ALWAYS alerts that it requires an update when in the middle of a movie)
- Panasonic Flatscreen TV.
- Kenwood Stereo
- HP Printer (actually I killed this and it is not working)
- Vacuum cleaner (wireless and self charging)
- Camera
- Picture frame
- Microwave (I really have not discovered why this is connected, but it gets firmware updates).
- Electronic Piano (you can save your music, load effects and more)
In addition, I am trying to have some IPv6 enabled wireless light globes sent from the US. All that is just the tip of the iceberg. Fridges, power meters, washing machines and more are already connected.
The music and display devices are interesting. They all support media streaming on my Windows Home Network. So, a home SAN holds the media, and others can also listen to the same media stored on the same centralised home storage devices. Better, with an IPv6 tunnel (and a REALLY GOOD when available) Internet connection
How does this relate to security you ask?
Well, simple, any device is an avenue for an attack.
I stated that my TV and stereo are connected to the home network. They have credentials on the Windows “Home Group” (and I have not managed to have the Stereo work with Linux although the TV does). This means that the TV is an avenue for an attack.
Many of these devices run a cut down Linux kernel.
In doing this, I have managed to get myself in trouble. I had (I say had as I broke it and the company voided the warranty) a Jura coffee maker. The vulnerability alert was not the issue; what occurred was that I had not known that Jura was a client of BDO (a former employer). A shame really, as BDO would not let me have the data on the coffee maker hack when I left. I guess I scared an accounting firm too much…
The craziest device was the Oral B wireless toothbrush. The reason for this is as “Separate Wireless SmartGuide: Helps promote optimised brushing performance”. I guess I am old fashioned. I just brush as I brush and no toothbrush is going to tell me otherwise.
Again… how is this related to security?
Yes, I will get to the point.
All of these devices have either a Linux embedded kernel or run Windows CE. Panasonic and Sony use embedded Linux. The Embedded Linux Wiki has a list of software emulators which can be used to develop exploits without always killing devices (as I have done many times in the past).
Embedded Linux is Linux. You can do MANY things on a cut down Linux host. In fact, my TV is more powerful than the Sun 3 series server I managed nearly two decades ago that ran the warehousing and logistics functions for a national distribution company. Some of the things to point out that embedded Linux allows include:
- BusyBox has a range of tools for embedded Linux all ready and waiting to be installed.
- NetCat. Yes, NC has been ported to run on your Sony TV.
- Squid. You can run a proxy server.
- SSHd (if you really need to although NetCat is sufficient and easier for the attacker)
Right now, I hear people panicking as their phones can be at risk. What about all the other avenues of attack?
In the future, we will have TVs as attack platforms. IPv6 is difficult to port scan – you have to find the devices first and there are too many addresses to scan using nmap.
The answer: attack the DHCPv6 and multicast mechanisms. If you can discover an IPv6 enabled appliance, this becomes far simpler. More, with “Home networks” and even the incorporation of devices into corporate workgroups, the device will give you a list of systems to attack and scan.
IPv6 changes the game in many ways. It makes scanning for hosts a thing of the past. That stated, the future holds new and novel attacks that we need to plan for now. One of these is attacking embedded Linux and Windows CE based devices.
So why do I attack appliances?
This is not new, but we are starting to see devices with Internet connectivity by default.
The reason is that appliances are the way we will attack networks in the future. We can make extremely secure IPv6 workgroups using tools such as the “secure server” settings in Windows Group Policy, but all things are only as good as the weakest link and right now, we are creating devices that will be those weak links.
So, when you start to see your light bulbs scanning your network… Remember, the future is now.
Planning and architecture matter and we need to consider the devices we are connecting to our networks. That is not JUST the hosts, but EVERYTHING!
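Because IPv6 devices are found through neighbour discovery rather than address sweeps, the same fact lets an owner inventory what is actually on the home network from the router's own neighbour table. The Python below is an added example, not code from the original post: the `ip -6 neigh show` lines, the MAC addresses and the `KNOWN_DEVICES` allowlist are constructed, and the function names are hypothetical. It groups addresses by device, lists devices missing from the inventory, and notes which addresses embed the hardware address (modified EUI-64).

```python
import ipaddress

# Constructed sample, in the format printed by `ip -6 neigh show` on a Linux router.
SAMPLE_NEIGH = """\
fe80::a00:27ff:fe4e:66a1 dev br0 lladdr 08:00:27:4e:66:a1 REACHABLE
2001:db8:1:1:a00:27ff:fe4e:66a1 dev br0 lladdr 08:00:27:4e:66:a1 STALE
fe80::5054:ff:fe12:3456 dev br0 lladdr 52:54:00:12:34:56 REACHABLE
2001:db8:1:1:d4c3:b2a1:9f8e:7d6c dev br0 lladdr 52:54:00:ab:cd:ef STALE
fe80::1 dev br0  FAILED
"""

# Hypothetical allowlist of devices the owner knowingly connected (MAC -> label).
KNOWN_DEVICES = {
    "08:00:27:4e:66:a1": "living-room TV",
    "52:54:00:12:34:56": "stereo",
}


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":                    # EUI-64 marker bytes absent
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


def parse_neigh(text):
    """Yield (address, mac) for each neighbour entry that has a link-layer address."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:                     # FAILED entries carry no MAC
            yield fields[0], fields[fields.index("lladdr") + 1].lower()


def audit(text, known):
    """Group addresses by MAC; return (devices, sorted MACs not in the allowlist)."""
    devices = {}
    for addr, mac in parse_neigh(text):
        dev = devices.setdefault(
            mac, {"label": known.get(mac), "addrs": [], "eui64": []})
        dev["addrs"].append(addr)
        if eui64_mac(addr) == mac:                 # address reveals the hardware MAC
            dev["eui64"].append(addr)
    unknown = sorted(m for m, d in devices.items() if d["label"] is None)
    return devices, unknown


if __name__ == "__main__":
    devices, unknown = audit(SAMPLE_NEIGH, KNOWN_DEVICES)
    for mac, d in devices.items():
        print(mac, d["label"] or "UNKNOWN", d["addrs"], "EUI-64:", d["eui64"])
    print("not in inventory:", unknown)
```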
About the Author:
Craig Wright is the VP of GICSR in Australia. He holds both the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law, a Masters degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Sturt University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.


