Somebody’s watching me

Have you ever felt like somebody is listening to your private conversations? Would you believe that this could happen within your own living room?

A recent POC carried out by the BugSec research team exposed vulnerabilities in a smart TV operating system sold by a well-known telecommunications company. The team discovered that hackers were using malicious applications to access the TV operating system and were able to listen to any conversations that took place in the vicinity using built-in microphones designed for voice commands.

This is how we figured it out:

It began with a simple penetration test that BugSec’s Red Team conducted for a smartphone manufacturer. The manufacturer was extremely pleased with our findings, which showed our innovation and outside-of-the-box thinking when it comes to HW/SW manipulation. We were then asked to perform a smart TV penetration test, which, of course, we agreed to right away.

In general, smart TVs operate similarly to smartphones. They have commonly known hardware, use a compiled version of an open source operating system (e.g. Android TV), and have a flexible UI that’s designed and developed by the manufacturer. They also have an application-ready platform which allows developers to gain access to certain hardware components, such as microphones, and to data stored on the TV drives. A penetration test for a smart TV is no different from a penetration test for a smartphone as far as the techniques and attack landscape go.

Our smart TV test focused on a very common app that is widely used and installed by many customers. After successfully exploiting a vulnerability, we were able to gain full control of the TV set. Through various manipulation techniques, we were then able to manage the hardware components – from there, it was a short path to opening a built-in microphone for voice tapping.

What are the key takeaways from this? The more a device is connected and behaves like a computer, the more hackable it is. The manufacturer was happy to get the test results, of course, while we continue to search for new vulnerabilities so that we can get to them before the bad guys do.

Nothing is bulletproof

Companies that collect sensitive customer data (like credit card details and social security numbers) must adhere to the strictest regulations and industry standards, which include data segmentation and separation. But can these companies claim that their data is “100% safe?”

BugSec’s cyber-attack simulation is designed to test this. Using multiple modern techniques such as reconnaissance, social engineering, phishing, asset mapping and more, we launch a pretend attack on the organization’s infrastructure. The main purpose is to test the existing security shields, see whether they operate in a synchronized manner, and provide an answer to the question – am I safe?

Several months ago, a PCI-DSS compliant organization from the credit card industry asked us to conduct a cyber-attack simulation to test whether its data – the holy grail for any hacker – was secure. The company’s decision makers were anxious to find out whether their security measures were bulletproof due to the sensitivity of the data they collect and in light of recent cyber-attacks against industry competitors, like Equifax.

At first glance, we must admit, the organization’s policies and controls were very strict and operated in perfect harmony – it was a real beauty from a security perspective. But we dug a little deeper and discovered the weakest link, the human factor. We were able to deliver our malware through this channel.

Once we were inside the system, it still wasn’t easy to get to the data. As we all know, a PCI-DSS environment is very committed to data segmentation, and the data is sometimes even physically separated. But we were eventually able to gain access after successful privilege escalation and holding a domain admin account (once again, the human factor). From this point we progressed toward the trophy – the PCI DB – and once we had reached it and exfiltrated it (with extreme precautions), we presented it to the customer, who remained speechless.

Unfortunately, there’s no patch for human error – that’s our response when companies ask us what’s left to purchase or install in order to prevent it. This brings us back to a very basic axiom – user awareness of cyber threats costs 0.1% of a known control and is 10 times as efficient, if not more.