The toolkit had digital fingerprints for 129 router models and exploits for 36 of them. For the rest it tried to use known default credentials to log in.
CSRF is not the only way to attack LAN devices that are not directly exposed to the Internet. Malware running on computers or smartphones can also be used for this purpose.
Researchers from Kaspersky Lab recently found the first Android-based malware built to hack routers. Once installed on a phone, the malicious app performs a brute-force password-guessing attack against the router’s admin web interface over the local network.
Many IoT vendors base their defense strategy on the fact that their devices will be installed behind routers instead of focusing on securing the devices themselves, said Brian Knopf, senior director of security research and IoT architect at Neustar. "This thinking from manufacturers is ignorant."
Knopf, who previously worked in product security at Linksys, Belkin and Wink, gave the example of a 2013 vulnerability found in the Philips Hue bridge that controls smart light bulbs in homes or offices. The weakness stemmed from an insecure management protocol that used access tokens based on physical MAC addresses for authenticating commands.
The flaw was only exploitable over the LAN, so the researcher who found the issue wrote an exploit in Java that could be remotely delivered to a computer through the browser to gather local MAC addresses and use them to send rogue commands to the Philips bridge.
"The only thing that will change this backward thinking by the vendors is for there to be enforceable requirements with penalties tied to not doing them," Knopf said. "Sure, there are IoT companies that do the right thing, but they are far outnumbered by those that don't."
One of the primary flaws across most connected devices is that they trust other devices on the local network by default, said Ted Harrington, executive partner at Independent Security Evaluators, the company that organizes the IoT hacking contest at the Def Con conference every year. "This is a violation of the fundamental secure design principle known as Assume Hostility or Trust Reluctance."
Assuming trust instead of hostility is problematic for several reasons, and so-called stepping-stone attacks are one of them, Harrington said. These are attacks where hackers compromise systems that already have some level of trust or access to their final target.
One such attack led to the 2013 data breach at Target that affected over 100 million customers. In that case, attackers started by compromising a heating, ventilation and air conditioning (HVAC) system, which allowed them to eventually reach the company's point-of-sale network.
Many small electronic devices don't appear to have much value for attackers at first glance because they have low computational power. But that can be deceptive: Their compromise is less likely to be detected and they can be used to launch attacks against more valuable targets located on the same network.