It was reported yesterday that Hacker Giraffe has remotely gained access to the TVs and smart devices of tens-of-thousands of Google Chromecast users (with Chromecast none the wiser). Paul Farrington, director of EMEA and APJ at Veracode, explains why developers must test and scan the security of their systems regularly in order prevent a UPnP vulnerability being exploited by cyber criminals.
This particular hack took the form of a pop-up, warning of the exploit and linking through to a page listing the current number of affected devices.
The message also took the chance to promote controversial YouTube personality, PewDiePie – a move this particular hacker has previously made by hijacking connected printers.
While technically this latest hack was made possible via a security flaw in a users’ router, the exploit related to the Chromecast is one that has been known since the year the device launched.
Highlighting the importance of regular security testing, Paul Farrington of Veracode commented, “Universal Plug and Play (UPnP) has been problematic for years. The protocols exist to make interconnectivity of devices simpler for users.”
“The idea behind UPnP is nice, but in the context of a hostile attack landscape, exposes internal networks to risk. Some devices and software applications will rely on UPnP, but the majority won’t.”
“Really the advice for the home user is to turn off UPnP on their Internet router. The problem with the Chromecast device is that Google hasn’t really designed it to anticipate a hostile environment, such as one in which devices can be directly exposed to the Internet.”
“In general, consumers haven’t been educated on how to make devices secure. Offering advice about disabling features is all well and good, but device manufacturers and probably Internet Service Providers (ISPs) could do more to help the public by providing secure configurations.”
“Before network and software engineers create products, they really need to think about the adversary. Asking the question, ‘how would the attacker benefit from this design feature’ should be a constant question that is asked within development teams.
“Threat Modelling is a term used to describe an approach of identifying ‘secure by design’ architectures that make sensible trade-offs on risk vs. benefit. What’s more, evidence from Veracode’s recent ‘State of Software Security Report (v.9)’ suggests that DevSecOps teams that embed continuous automated security testing into their routine will eliminate security defects 11.5 times faster than those which test infrequently.
“As such, upfront thinking about security, coupled with continuous security testing is really the only way to address the modern challenge of keeping consumers safe from hackers.”