A “web radio” from German firm Telestar has been found vulnerable to a simple Telnet hack:
Imperial Dabman IoT radios have a weak password vulnerability that could allow a remote attacker to achieve root access to the gadgets’ embedded Linux BusyBox operating system, gaining control over the device. Adversaries can deliver malware, add a compromised radio to a botnet, send custom audio streams to the device, listen to all station messages…
Does this sound silly so far? Ok, so they can hack my Internet-of-Things (IoT) radio and force me to listen to hours of a wailing Yoko Ono or something. Who really cares?
…as well as uncover the Wi-Fi password for any network the radio is connected to.
After logging onto the device, researchers were able to access the “etc” path with root privileges to request various file contents, including the full system password shadow file, the group password shadow file, the USB password and the httpd service password containing the “wifi cfg” file with unencrypted information on the wireless LAN key.
Getting into your WiFi network is a big deal. If nothing else, a WiFi pirate can use your personal network to download illegal content, and may also use it as a stepping stone to reach other devices that hold more valuable personal info.
This is the drawback of the IoT: the more connected your devices become, the more vulnerable you are likely to be. Each one adds room for a security hole where none would have existed had you been using granddad’s old crystal radio.
Vigilance is key. Know what devices are connected, and how they could be exploited – especially in a sensitive business environment.
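One way to act on that advice, as an added example that is not part of the original post: a Python script that reads the grepable output of an nmap scan of your own network and lists every host with a Telnet listener open, the service the radio exposed. The sample scan lines, addresses and hostnames are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of grepable output, as produced by a scan of one's own
# LAN with: nmap -p 23,80 -oG - 192.168.1.0/24
SAMPLE_SCAN = (
    "# Nmap scan of home LAN (constructed sample)\n"
    "Host: 192.168.1.1 (router.lan)\tStatus: Up\n"
    "Host: 192.168.1.1 (router.lan)\tPorts: 23/closed/tcp//telnet///, 80/open/tcp//http///\n"
    "Host: 192.168.1.23 (radio.lan)\tStatus: Up\n"
    "Host: 192.168.1.23 (radio.lan)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\n"
    "Host: 192.168.1.40 ()\tStatus: Up\n"
    "Host: 192.168.1.40 ()\tPorts: 23/filtered/tcp//telnet///, 80/closed/tcp//http///\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

def parse_ports(line):
    """Return (ip, hostname, [(port, state, proto, service), ...]) or None."""
    m = HOST_RE.match(line)
    if not m:
        return None  # comment line or anything that is not a host record
    ports = []
    for field in line.split("\t"):
        if not field.startswith("Ports: "):
            continue
        for entry in field[len("Ports: "):].split(","):
            # Each entry is port/state/protocol/owner/service/rpc/version/
            parts = entry.strip().split("/")
            if len(parts) >= 5 and parts[0].isdigit():
                ports.append((int(parts[0]), parts[1], parts[2], parts[4]))
    return m.group(1), m.group(2), ports

def telnet_exposed(scan_text):
    """List hosts with an open Telnet listener (23/tcp or service 'telnet')."""
    findings = []
    for line in scan_text.splitlines():
        parsed = parse_ports(line)
        if not parsed:
            continue
        ip, name, ports = parsed
        for port, state, proto, service in ports:
            if state == "open" and proto == "tcp" and (port == 23 or service == "telnet"):
                findings.append({"ip": ip, "hostname": name or None, "port": port})
    return findings

if __name__ == "__main__":
    for f in telnet_exposed(SAMPLE_SCAN):
        print(f"{f['ip']} ({f['hostname'] or 'unknown'}): Telnet open on {f['port']}/tcp")
```

Any device it reports is a candidate for disabling Telnet, a firmware update, or a move to an isolated network segment.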