Commjacking From the Least Likely Places: Door Bells, Drones and Robin Hood
Posted: July 4, 2016 / Author: Dror Liwer
As we’ve highlighted (more than once…) before in this blog space, a commjacker needs only WiFi access and some basic tools to gain access to your wireless device. Whether you’re in a café, on an airplane, in a car or at home, if a commjacker has the means, s/he has a way into your device and then your sensitive data.

Just when it seems we can’t be surprised by the methods commjackers use, a story comes out revealing a new way to commjack and we’re – surprised. That’s not to say we’re not shocked overall: Because they’re players in a low-budget undertaking, commjackers can overcome almost any security obstacle as long as they have patience.

Still, some occasional news stories about commjacking just flat-out surprise us.

Ding Dong: Guess Who’s There?

It was somewhat stunning to recently see that even one of the most celebrated children’s toys, the Barbie doll, could be commjacked. The new Hello Barbie doll uses artificial intelligence, via WiFi, to have a “conversation” with its owner, thus making the entire home’s WiFi network susceptible to commjacking.

Now comes another example of commjackers finding weaknesses to enter a network: through the front door. A WiFi-enabled video tool known as a Smart Doorbell sends an alert to a homeowner’s mobile device so s/he can see who just rang the bell at the front door. While it’s amazing to think people won’t have to walk to the door if they can first see a visitor they don’t want to entertain, it’s also concerning to know this technology opened the door to commjackers. Security researchers in the UK discovered a security hole in Ring, a Smart Door product that despite its neat advances also enabled outsiders to see the homeowner’s WiFi password.

A commjacker only had to detach the Smart Doorbell from the exterior wall and press an orange button that puts the device’s wireless component in access point mode, meaning it was now a WiFi access point. Using a mobile device, a commjacker could have connected to a URL that would reveal the wireless module’s configuration file, including the home WiFi network’s SSID and password. Ring closed the security hole after learning of the researchers’ findings, but the security lapse was yet another reminder that while Internet of Things (IoT) products can make life easier, they also give commjackers an opportunity to gain access to any wireless device and, eventually, sensitive data.

Cheap Equipment Takes Down Expensive Drone

Police drones are supposed to serve and protect, but they also can be commjacked. IBM researcher Nils Rodday demonstrated at the RSA Conference in March that he can commjack security drones from a mile away. He took control of a $30,000 professional-grade quadcopter by exploiting an unencrypted on-board chip.

Rodday used $40 worth of hardware on an Android tablet app to take control of the costlier security drone by exploiting the means by which the drone communicates with the app. The manufacturer is evaluating how best to close the security gap to prevent commjackings.

Commjacking – For the Sake of Good

Not all commjacking is the product of wrong-doing. Why, the work of the researchers to uncover the flaws of the Smart Door and the potential of mousejacking were commjacking, after all. And a story in October 2015 about a commjacking Robin Hood similarly illustrated that aim: remind wireless device users of the dangers of unsecure routers. But what’s remarkable about the story is that it is unclear whether this good work was done by professional researchers or a digital vigilante. Custom-built software nicknamed “Ifwatch” made its way onto at least 10,000 Internet-connected devices, most of them unprotected WiFi routers. The software tried to kill malware on routers and provided automatic updates that targeted computer viruses.

Researchers didn’t know if the software eventually would go bad and try to steal personal information, but all initial reports showed Ifwatch simply intended to remind people to change the passwords on their routers.

Well, that’s all the news that’s fit to print – for now. We’ll soon review the commjacking stories that did more than surprise us; they shocked us.