As far-fetched as it may sound, listening to music might endanger your privacy, Bitdefender research shows. Bitdefender IoT researchers analyzed a Wi-Fi audio receiver and found that it is susceptible to brute-force attacks and relies on poor authentication practices.
The risk of unsafe protocols
The MUZO Cobblestone works as a Wi-Fi audio receiver or as a standalone music player and can be connected to home routers to allow music streaming from multiple sources – smartphones or the Internet (music streaming services).
The device follows the classic setup routine – it creates a hotspot that, atypically, remains active indefinitely after configuration. Researchers noticed that the access point lacks proper authentication – it can be protected by creating a password from the configuration page, but nothing notifies the user about this possibility or about the existence of the configuration page. There is no alert in the Android application.
More importantly, the device comes embedded with a Telnet service used for remote access, to send and receive information. Telnet is an old and simple-to-use network protocol that allows a user on one device to log into another device in the same network. It ranks 6th among the 10 most-used services, according to Shodan (March 2015).
The problem is that the Telnet service remained active in the final version of the product, says George Cabau, malware researcher at Bitdefender. “Telnet should have been used only in the debug stage and closed when the product was released. There’s no point in leaving it active.”
Researchers tried popular username and password combinations and observed that Telnet was secured with default credentials (admin/admin). Using this information, they connected to the unsecured hotspot and used Telnet to gain root access to MUZO and run various commands to find a way to access the Wi-Fi network.
Since the audio-receiver is basically connected to two networks (the user internal network and the hotspot), if you access it through Telnet you are inside the network, Cabau said. “We gained root privileges, so grabbing the Wi-Fi username and password was a matter of time.”
Lessons to be learned
A fundamental element in securing an IoT infrastructure concerns device identity and mechanisms to authenticate it. Yet data disclosures show many IoT devices are secured with basic passwords like “1234” or require no passwords at all. This leaves them vulnerable to brute-force attacks and intrusion.
People are accustomed to using the legacy Telnet protocol for connecting to servers. However, it’s no longer considered safe and a better solution to communicate with servers is to use SSH, Cabau added.
After the most recent firmware update, the access point is no longer active after configuration. The Telnet service is still running.
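A check an owner can run against their own devices to see whether port 23 still answers as Telnet, for example after a firmware update. This is an added example, not code from Bitdefender or the vendor; it sends no credentials, and the function names and the constructed sample greeting are assumptions for illustration.

```python
import socket
import sys

IAC = 0xFF  # Telnet "Interpret As Command" marker byte (RFC 854)
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}

# Constructed sample greeting: IAC DO TERMINAL-TYPE, IAC WILL ECHO, login prompt.
SAMPLE = b"\xff\xfd\x18\xff\xfb\x01\r\nlogin: "

def parse_greeting(data):
    """Split a server greeting into Telnet option requests and visible text."""
    options, text, i = [], bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
        elif i + 2 < len(data) and data[i + 1] in VERBS:
            options.append((VERBS[data[i + 1]], data[i + 2]))
            i += 3
        else:
            i += 2  # escaped 0xFF or another command: not needed here
    return options, text.decode("ascii", "replace").strip()

def classify(data):
    """Label what answered on the port, from the first bytes it sent."""
    if not data:
        return "open-silent"
    options, _ = parse_greeting(data)
    return "telnet" if options else "open-other"

def probe(host, port=23, timeout=3.0):
    """Connect once, read the greeting, send nothing. Use on your own devices."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                data = conn.recv(256)
            except OSError:  # includes a read timeout: port open, no greeting
                data = b""
    except OSError:
        return "closed"  # refused, filtered or unreachable
    return classify(data)

if __name__ == "__main__":
    print("sample:", classify(SAMPLE), parse_greeting(SAMPLE))
    for host in sys.argv[1:]:  # device addresses supplied by the owner
        print(host, probe(host))
```

Any result other than "closed" means something is listening on port 23 and is worth following up with the vendor or isolating on the network.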
Researchers from Bitdefender Labs have investigated a random selection of IoT devices – a smart LED, a Wi-Fi enabled switch, a Wi-Fi audio receiver and a smart power adapter. Note: the scrutinized gadgets have been chosen randomly, based on popularity, product reviews and price affordability.
This article is based on the technical information provided courtesy of Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau.