Recently, we encountered a situation that gave us the chance to breach the security of a company in Amsterdam and gain access to its customers' private data. This post is based on a true story, with one difference: we didn't go as far as we could have if we were malicious hackers, and we were careful not to breach or leak any private data, even though we very well could have. Nevertheless, we are showing how easy it can be. Before getting into the story, let's take a few steps back so we can explain what security is and how attackers can break it.
What is security?
According to the Oxford dictionary, security is “the state of being free from danger or threat”. It also defines privacy as “a state in which one is not observed or disturbed by other people”. Data privacy can therefore be considered the security of people's private data.
Someone might think that to keep secure, we need to use expensive equipment that keeps confidential data/credentials very safe. Although equipment can be used to establish security protocols, it is not enough. Our behavior can have a lot of impact on security as well.
Here are some examples of behaviors that can help breach security:
- Having a strong password but writing it down on paper or other unsecured means;
- Having a very secure access control system but using weak doors and locks;
- Establishing a secure network but keeping one device open and available for anyone to connect to the network;
- Using secure hardware equipment but not keeping it in a secure environment;
- Using secure hardware but disposing of it by simply throwing it away when it is no longer of use.
Security is like a chain: to keep the whole system secure, all the individual elements should be kept secure as well, even more so if they are connected into a network. Following the wrong behaviors mentioned above would put some of the components in the system at risk, and with them the whole security structure.
What is needed to breach security?
There are a myriad of ways to breach the security of your company. We won't list them all, but without a doubt, getting access to confidential information such as passwords, key passes and login credentials is one of the critical ways in which attackers can break security. Hence, organizations must ensure that they keep these well protected even when they are no longer being used.
Leaking secret information carries different levels of risk for different systems. Depending on the lifetime of the password or the key, the impact might be small or big. Keys and passwords cannot always be replaced quickly, and sometimes (for example, when long-term keys are exposed) it might be very costly or impossible to replace or recover them.
In most cases, if it is not too late, passwords can easily be changed if they are exposed. However, we should consider that even though they can be changed, leaking a password can reveal information that can be used to expose the new passwords. Additionally, if the exposed passwords are re-used in other devices or systems before they are changed there as well, these systems are now at risk.
There is also other data, for example information about the network, firewall configurations, etc. which would be very useful for attackers to infiltrate the network.
How is information leaked?
Usually, information leakage doesn't happen directly; it occurs due to other issues. For example:
- A password is stolen because you wrote it on a post-it note and stuck it on your monitor, or after you lost the paper where you had written it.
- Draft papers with secure designs can reveal a lot of information if they are disposed of without shredding.
You would think these examples are obvious, and nowadays, everyone should be aware of such a risk, but it is not always the case. Of course, there are still different ways to indirectly leak information that are not that obvious and maybe not everyone is aware of. We will give you a few more examples and true stories that we have observed in action.
Disposing of IT equipment and IoT Devices
The way materials are disposed of plays a significant role in information leakage. We all know that a storage device should be securely wiped or destroyed to prevent any data leak. But how about other IT-related equipment and IoT devices used widely in almost every business? As we know, all electronic devices have some kind of permanent memory. Depending on the type of device, different types of information can be stored in that memory. If the device is merely thrown away, the information inside the memory can be read by whoever gets access to it. Depending on what is leaked, there is always some level of risk. In short, never underestimate the consequences and/or damages that could result when you are disposing of your unused equipment.
Nowadays, IoT/smart devices are being rapidly integrated into every home and business environment. They are used everywhere: smart phones, smart refrigerators, smart coffee machines, laptops, all connected to networks. The fast-paced evolution of technology means old equipment is replaced very often. Just think about how often you change your mobile. Every year? Two years? Since these IoT devices are now a part of our lifestyle, most people might not even think about the risk of getting rid of one to replace it with a new one.
When it is time to dispose of unused equipment, no matter what the equipment is, companies might not think about the security implications of not doing it right. The hardware might not have been used for some time or it might be broken, so the easiest thing is to throw it away. As a result, some unused equipment could end up in a trash bin or, even worse, next to it. But that is one of the worst things you can do as a company that holds confidential data about your employees and your clients as well as your own company's private information.
Finding disposed network equipment
So, having said all that, this is where our real-life security hack story begins. We found a stack of network equipment which had been disposed of next to a trash bin on the street.
First of all, as good citizens, we are against disposing of unused objects on the street because it makes our city look dirty and ugly. Anyway, we were nice enough to remove them from the street and make the city beautiful again. In the meantime, our instinct for security investigation prompted us to do some research. Therefore, we took them in-house to our security lab to investigate what a hacker would be able to do with such vulnerable equipment.
In the beginning, it was easy to find the previous owner’s company. After spending a few hours on it, we were able to breach its security and find:
- Passwords: we found several different passwords, which could allow us to connect to several other systems. Additionally, we realized that they don't really use strong passwords, which would raise the probability of a successful attack on other interfaces.
- Databases: which had a lot of information about their network and configurations (including VPN connection).
- Cache files: which were full of information that had been sent inside and outside their network.
There is no doubt: at the very least, this information breaks the privacy of the people who were supposed to be protected by the company. So, by disposing of several unused devices, the company could potentially have impacted its employees and clients.
Additionally, through our investigation we got enough information about their network’s security configuration, enough to get into their network. If we were not ethical hackers, we could have gone further and performed an actual attack. But, since we are not black hat hackers, we didn’t do that.
Disclaimer: After identifying the owner of the equipment, we informed them about how easy it was for us to breach their security and the potential data leak.
IoT Devices and their features
IoT devices can be categorized into different categories based on their features:
By looking at the features, we know that most IoT devices need to connect to a network, even more so if they need Wi-Fi to function. To connect to Wi-Fi, storing the network password into permanent memory is necessary. Additionally, a lot of IoT devices need to keep some credentials to be able to connect to a cloud or remote service center. Using logic, we realize that simply throwing away these devices without wiping them out can leak this secret information. If attackers get access to them, they might be able to penetrate your network and/or other cloud services and devices by using your credentials, thus increasing the attack surface.
By getting into your network, attackers can do a lot of undesired actions such as:
- Accessing all the data in your network (Privacy and security risk);
- Spoofing your connections and stealing your payments;
- Stealing your identity;
- Accessing your bank account(s) and stealing your credit card number(s);
- And much more … nobody knows what can happen next!
By highlighting these actions, we show how this leakage of information can have a catastrophic, chain-reaction ending. Some might think there is a very low risk of their information being accessed for malicious purposes, but, in our opinion, you should never underestimate it. Our experience shows that combining two or more different Low Risk threats can lead to relatively High Impact attacks. So we had better mitigate the risks as much as possible to avoid any unwanted damage in the future.
Tips to prevent a security breach when disposing of electronic/IoT devices
The following tasks can be done to decrease the risk:
- Use secure bins which are available for disposing of any device which might have memory or storage;
- Wipe out the storage of the devices before disposing of them;
- Note: Just deleting files might not be enough, so make sure to use a secure eraser (if applicable);
- Use the “Factory Reset” settings before disposing of IoT or other electronic devices.
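One way to check that a wipe or factory reset actually worked before a device leaves the building, as an added example that is not part of the original post: read the storage back into an image file and confirm that none of your own known secrets (Wi-Fi passphrase, VPN key) are still present. The function names, the secret label and the sample image are constructed for illustration.

```python
import io

def encodings(secret):
    """Byte forms in which a device may have stored the secret."""
    raw = secret.encode("utf-8")
    return {"utf-8": raw,
            "utf-16le": secret.encode("utf-16-le"),
            "hex": raw.hex().encode("ascii")}  # lowercase hex only

def verify_wipe(image, secrets, chunk_size=1 << 20):
    """Scan a storage image read back after the wipe.

    image:   binary file-like object
    secrets: {label: value} of your own known, non-empty secrets
    Returns (findings, residual): findings is a sorted list of
    (label, encoding, offset); residual is the share of bytes that
    are neither 0x00 nor 0xFF (the usual erased values).
    """
    patterns = [(label, enc, pat) for label, value in secrets.items()
                for enc, pat in encodings(value).items()]
    overlap = max(len(pat) for _, _, pat in patterns) - 1
    findings, total, used = set(), 0, 0
    tail, base = b"", 0  # base = image offset of tail[0]
    while chunk := image.read(chunk_size):
        total += len(chunk)
        used += len(chunk) - chunk.count(0x00) - chunk.count(0xFF)
        window = tail + chunk  # catches matches split across chunks
        for label, enc, pat in patterns:
            pos = window.find(pat)
            while pos != -1:
                findings.add((label, enc, base + pos))
                pos = window.find(pat, pos + 1)
        keep = min(overlap, len(window))
        base += len(window) - keep
        tail = window[len(window) - keep:]
    return sorted(findings), (used / total if total else 0.0)

if __name__ == "__main__":
    # Constructed sample: a "deleted but not erased" image.
    secrets = {"wifi_psk": "Constructed-PSK-123"}
    dirty = (b"\xff" * 100 + "Constructed-PSK-123".encode("utf-16-le")
             + b"\x00" * 100 + b"psk=Constructed-PSK-123" + b"\xff" * 50)
    for name, img in (("dirty", dirty), ("erased", b"\xff" * 311)):
        hits, residual = verify_wipe(io.BytesIO(img), secrets)
        print(name, "FAIL" if hits else "PASS", hits, f"{residual:.1%}")
```

Any finding means the device is not ready for disposal. The residual share is only a signal: a factory-reset device still carries its firmware, so it will not drop to zero.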
Is your company manufacturing embedded/IoT products or devices? If so, are you sure your products are secure? At SecuredNow, we understand the importance of taking security seriously. That's why we have created a questionnaire that will help you assess the security risk level in your product(s). Take our Product Security Risk Level Questionnaire and get our security assessment.
Alternatively, our seasoned security specialists are here for you. Contact us, we can help you protect your cyber-physical systems.