HACKING IoT A Case Study on Baby Monitor Exposures and Vulnerabilities
06 VULNERABILITY REPORTING AND HANDLING
One of the goals of this research is to practice reasonable, coordinated disclosure with vendors of IoT equipment. So, as a matter of course, the vulnerabilities discovered as part of this research were reported in accordance with Rapid7's Vulnerability Disclosure Policy. Under this policy, vendors are contacted once the findings are verified; after 15 days, CERT is contacted; and 45 days after that (60 days after the initial disclosure attempt), the findings are published.
During the course of the vulnerability disclosure process, we saw vendors exhibit the entire range of possible responses. One vendor was impossible to contact, having no domain or any other obvious Internet presence beyond an Amazon store listing. Some vendors did not respond to the reported findings at all. Others responded with concerns about the motives behind the research, and were wondering why they should be alerted or why they should respond at all.
On the exemplary side, one vendor, Philips N.V., had an established protocol for handling incoming product vulnerabilities, which included using a documented PGP key to encrypt communications around this sensitive material. Philips was also able to involve upstream vendors in pursuing solutions to those technologies provided by others. Weaved, a provider of an IoT-in-the-cloud framework for Philips, was especially open with and responsive to the authors of this paper.
The range of responses itself is worrying, and representative of the IoT industry as a whole. While it is possible for an organization to maintain a flexible, mature process for handling unsolicited vulnerability reports, it is far from the norm. It is hoped that the publication of these findings will help IoT vendors establish reasonable, effective vulnerability handling practices.
Rapid7.com | Hacking IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities | 8