TECH TUESDAY: Research Found Backdoor in Chinese IoT Devices

Tech Tuesday.png

Ah, the Internet of Things. If you are a regular to our blog then you probably know all about IoT, but in case you are new to #TechTuesday and Curious, a couple of things you should know…

  1. Thanks for joining us. We’re glad you found us. Feel free to drop us comments and your own thoughts anytime.
  2. The Internet of Things – IoT for short – is the next step in consumer electronics and appliances. In short, IoT is where devices from as small as your smartphone to as large as your home or automobile connect to the Internet in order to help you get things done. Whether it is reminders of what your family has planned for the month appearing on your refrigerator, or remotely monitoring and controlling your electric smoker in order to make the best brisket ever, IoT opens many doors of convenience and efficiency through connectivity.

So yes, IoT offers a lot in the way of modern marvel convenience, but those “doors of opportunity” also have backdoors, and that’s not good. Back in February, I blogged about three month’s worth of Distributed Denial of Service or DDoS attacks, one of them in September 2016 involving cybersecurity expert Brian Krebs and a multitude of IoT devices “recruited” to take down the security blog. Another incident involved a coordinated DDoS with IoT against DNS provider Dyn, this attack disabling websites like CNN, Reddit, and Pinterest. So while IoT is considered a game-changing movement, the conveniences come at a cost.

Presently, that cost is being felt in China.

There is an Internet of Things manufacturer from China, and according to The Register, a research team discovered their IoT devices contain weird backdoor vulnerabilities. That’s not the shocking part, though. The worst of it: The vendor refuses to fix it.

You would think that maintaining #socialmedia is an "easy" #job but it isn't. #Consistency is #key, not just in when you post but what you post and how you post it. So is there #skill and #planning in a full time social media gig? As you will find at the URL in our #Instagram profile, yes, there is. (TM)The vulnerability, discovered by the TrustWave research team, was found in the majority of devices produced by VoIP specialist dbltek. The backdoor appears to have been purposely built into devices as a debugging aid. The InfoSec group says that it followed a responsible disclosure process (they contacted the manufacturer about the problem), but claims the manufacturer responded only with modifications to their devices’ firmware. That’s nice and all, but the vulnerable access point remains open. TrustWave says it has since been able to exploit both the old and new backdoors.

The vulnerable firmware is present in almost all dbltek GSM-to-VoIP devices used by small to medium size businesses. TrustWave researchers claim they had found hundreds of at-risk devices on the Internet. The dbltek issue permits a remote attacker to gain access to the shell and root privileges on the affected device through backdoor access. An undocumented user in the IoT devices labeled “dbladm” remains present, and it is this which provides root access to all the devices—that’s the back door. Instead of a traditional password, this account is protected by a proprietary challenge-response authorization scheme that is easy to guess. So, in a nutshell, anyone can log into these devices and take them over, meaning they could be recruited for future DDoS attacks or delivery of malware.

And the vendor, aware of the problem, just flat-out refuses to fix it.

IoT is, without a doubt, the way forward with consumer and business electronics, but the real problem lies in the priority individuals and businesses give safety and security online. Keep in mind, Sony did not haven have a Chief of Security until after a devastating hack took down the PlayStation Network on Christmas Day. Only when faced with the fallout of negligence do people suddenly sit up and take notice, but only until after the damage is done.

For anyone employing IoT devices in their home or offices, I would just watch out. You’ve got to be very, very careful.



shurtz.jpgA research physicist who has become an entrepreneur and educational leader, and an expert on competency-based education, critical thinking in the classroom, curriculum development, and education management, Dr. Richard Shurtz is the president and chief executive officer of Stratford University. He has published over 30 technical publications, holds 15 patents, and is host of the weekly radio show, Tech Talk. A noted expert on competency-based education, Dr. Shurtz has conducted numerous workshops and seminars for educators in Jamaica, Egypt, India, and China, and has established academic partnerships in China, India, Sri Lanka, Kurdistan, Malaysia, and Canada.