![Watching the watchers. IoT vulnerabilities exposed by AI. [Research Saturday] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/61c0b032-b97d-11ef-8a26-03070123b7ec/image/95b72a93c2ffaf8ff900d662a9bd3735.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Quick question. Do your end users always, and I mean always, without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? 1Password has an answer to this: Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. And it's now available to companies with Okta and Microsoft Entra, and in beta for Google Workspace customers. Check it out at 1Password.com/cyberwire. That's 1Password.com/cyberwire.
Andrew Morris
Yeah, so they were targeting pan-tilt-zoom IP cameras. It's actually almost impossible to say exactly what model of pan-tilt-zoom camera they were targeting. And these vulnerabilities allow an attacker to completely compromise an IP camera, gain access to the device, pivot throughout it to the rest of the network, establish persistence or, you know, overwrite or insert or remove any kind of recorded media that might be stored on the device.
Dave Bittner
That's Andrew Morris, founder and chief technology officer at GreyNoise. The research we're discussing today is titled "GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI."
Andrew Morris
Yeah, so at GreyNoise, we operate a very large collector network, a honeypot network on the Internet that detects reconnaissance and exploitation traffic on the Internet. And what brought our attention to this is, I mean, we see in-the-wild cyber attacks every day, like literally millions of them a day, every day. And this was a very routine review of a traffic pattern that had crossed our sensor fleet, which was surfaced by our AI called Sift. And in triaging this vulnerability, trying to basically categorize it as, you know, well, what is this? We realized that there was no disclosed vulnerability for it. And so we went through a little bit of work and we identified what it was targeting and what the vulnerability was, and we disclosed it to the vendor.
Dave Bittner
Well, let's walk through it together here. I mean, what exactly were they targeting and what do you suppose they were setting out to do?
Andrew Morris
Yeah, so they were targeting pan-tilt-zoom IP cameras. And it's actually almost impossible to say exactly what model of pan-tilt-zoom camera they were targeting, because the vulnerability existed in several different IP cameras. The vulnerabilities, I should say. And these vulnerabilities allow an attacker to completely compromise an IP camera, gain access to the device, pivot throughout it to the rest of the network, establish persistence, or, you know, overwrite or insert or remove any kind of recorded media that might be stored on the device, including disabling it. So those are some of the things that the attacker can do.
Dave Bittner
Reading through the research, you noted that it would have been possible for them to make the cameras part of a botnet as well.
Andrew Morris
That's exactly right, yeah. I mean, so the vulnerabilities that we identified lead to full camera takeover. So that means that whatever the attacker wants to do with them, they can do it with them. And unfortunately, the vulnerability affects multiple different models of camera because it affects underlying firmware that is actually white labeled, so to speak, by a manufacturer. So it actually affects multiple different models.
Dave Bittner
Right. I was going to ask you about that. My understanding is that this is an area where lots of different camera sellers will use the same parts under the hood. And so that's how you end up with these vulnerabilities spread across multiple brands and model numbers.
Andrew Morris
That's exactly right. So, I mean, we identified the vulnerability, and it seems that the vulnerability is in the underlying firmware. The firmware has been licensed by multiple manufacturers, so we're still trying to kind of gauge the true impact of the bug. And it's tough. It's a tough one.
Dave Bittner
Yeah. Well, tell us about the actual vulnerabilities. What were the shortcomings here?
Andrew Morris
Yeah, so there's two vulnerabilities which, combined together, lead to full sort of unauthenticated remote code execution. The first vulnerability is insufficient input sanitization and access control. So basically we're able to read a file or access a file that we shouldn't be able to read and access. And then there's another vulnerability which is an insufficient input validation that leads to operating system command injection. So we can reach a page that we shouldn't be able to reach, and then we can use that page to inject malicious input, which leads to command injection on the camera.
Dave Bittner
I see. And what are your recommendations for folks to protect themselves here?
Andrew Morris
This is kind of tough. So if you are a customer of the IP camera, if you're somebody who owns, who has purchased or operates any of these IP cameras, I'm going to recommend two things. The first is to patch as soon as humanly possible, and then the second is to do some very mild triage to make sure that you haven't already been compromised, which is to say, maybe disconnect those devices and reboot them to factory settings and then update the firmware, you know, reflash them, reboot them, update them, make sure to get them patched. That's pretty much all you can do. And then beyond that, you know, the ball's in the court of the attacker, or of the manufacturer, sorry. And so really just make sure that you've got some ability to, you know, if you can't patch for any reason, just make sure that you've got some ability to middle and inspect and potentially block malicious traffic that goes to those IP cameras. Make sure that any that are facing the Internet, that you've done some cursory triage on, because there's a very good chance that they've been compromised.
Dave Bittner
Yeah, it really seems like, you know, this is a product category that comes up time and time again that these, you know, these cameras are a soft target for some of these hackers here.
Andrew Morris
I mean, that's exactly right. So you've got to understand that these are, you know, Microsoft and the Linux Foundation have done hundreds of millions of dollars of research and investment into securing their operating systems. So Microsoft obviously invests billions of dollars into securing Microsoft and Windows. Obviously Linux manufacturers, or the Linux Foundation, invest quite a bit of time and energy into making sure that their kernels are up to date and are secure. But these devices, they can't run any of those operating systems. They're running a very stripped-down, old version of Linux. There's very limited hardware, which means there's no space for overhead, including some of these modern security features that prevent exploitation like this, or even modern security features that allow detection and response. These devices are really hard to secure. I would argue they're impossible to secure. And this is going to continue to happen. There's very little that anybody can do about it, you know, so unfortunately that's just where we are.
Dave Bittner
We'll be right back. And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's Security Coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco, 35 vendor integrations and counting. Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/SecurityCoach. That's knowbe4.com/SecurityCoach, and we thank KnowBe4 for sponsoring our show. Identity architects and engineers, modernize your identity systems with Strata. Integrate legacy apps with any IdP, ensure seamless identity failover and apply MFA without touching app code. Strata offers robust, efficient identity management, reducing tech debt and enhancing security. Gain peace of mind and operational efficiency with Strata's comprehensive solutions. Visit strata.io/cyberwire. Share your biggest identity challenge and enjoy free AirPods Pro. Optimize your identity solutions today. Visit strata.io/cyberwire, and our thanks to Strata for being a longtime friend and supporter of this podcast.
I'd love to dig into some of the processes that you and your colleagues there at GreyNoise use to differentiate malicious traffic from what I assume is a high volume of routine IoT network activity.
Andrew Morris
Yeah, so at GreyNoise, what we do is we operate a gigantic honeypot fleet. And so what that does is that gives us a tremendous amount of live reconnaissance and attack traffic that's happening across the whole Internet, sort of all the time. And what that allows us to do is that allows us to get a sort of baseline of what normal looks like, what expected looks like. And then we can use that baseline to figure out which of our customers' networks, or any of our customers' networks, are deviating really far beyond that baseline. Put it differently, we can give our customers the ability to identify targeted scanning and targeted attacks by actually subtracting out all of the Internet background noise that day. And that leads to a much cleaner signal for our customers. Does that make sense?
Dave Bittner
It does. And one of the things you highlighted in the research was that you took advantage of some AI capabilities for this detection. I'm curious, why do you suppose that previous security methods might have missed this kind of exploit? And how did AI increase your odds of finding it?
Andrew Morris
Oh yeah. I mean, so how other devices missed this, I mean, it's very easy. How other technologies missed this is that this was an unknown software vulnerability. This was a zero-day. There was no signature for this. There is no way that this could have possibly been, sort of, a rule could have been, you know, created on successful exploitation of this device. So that makes sense. How AI assisted us: we have an internal product at GreyNoise called Sift, which clusters network traffic and surfaces net-new traffic patterns. And at GreyNoise, every day we triage. I mean, we process over a billion events a day, every day. But inside of those billion events, we use AI to only surface the net-new traffic patterns, which are only about 30 to 50 a day, usually less than 100 a day. And so that's a very manageable amount of data to triage as a human. And so we triage those net-new traffic patterns that are created by Sift. And this was one of those net-new traffic patterns that we'd never seen before. And then in investigating this, we determined that it was indeed a zero-day vulnerability. And this was confirmed by manufacturers when we reached out to them as well.
Dave Bittner
How did the manufacturers respond? Again, with something fair to say, maybe a low margin product like a security camera. Do you find that they are responsive to you reaching out to them?
Andrew Morris
Yeah, I mean, the manufacturers that we worked with here were helpful. They were appreciative that we reached out to work with them. They stayed inside of the product. They didn't sort of like pull any kind of any of the scummier tricks that we see people pull during responsible disclosure. So overall, I mean, hats off to the manufacturer. Again, we still haven't really identified true root cause of this bug. There's a good chance that we're going to have to cut even more software vulnerabilities to get to the root of this. But yeah, the manufacturer was very responsive and, you know, and they were good to work with.
Dave Bittner
As we look forward here. How do you foresee the role of AI evolving within the industry to counteract these types of attacks?
Andrew Morris
Yeah, I mean, I think AI just helps us make big problems a little bit smaller. Any kind of problems of scale for things that people are struggling to wrap their hands around. There's still a lot of jobs that have to be done by a person right now that we've just not exactly figured out how to kind of AI around. But there's a lot of work that I think that humans do that machines are just better off to do. And I think that the future looks like us sort of shaking some of those things out. Someday we're going to realize how ridiculous it is that humans ever reviewed thousands and thousands of data entries in order to, you know, figure out which things to spend their time and energy looking at. That's something that just makes more sense for machines to do. So the way that I sort of picture it is a little bit like, you know, before the radar was invented, we had a lot of people and a lot of planes constantly, you know, surveying and patrolling 24 by 7 all the time. But then once the radar was invented, we didn't have to do that anymore because we had machines that were sort of very kind of 24 by 7 monitoring to see that nothing is happening and then alerting us when something does happen. And I really do think that that's the direction that we're going to be taking things with AI even more. And so I'm excited about that. I'm very, very hopeful for the future and how, you know, AI is going to ultimately help defenders be more secure and identify more big bad vulnerabilities before they can be used in dangerous attacks.
Dave Bittner
Our thanks to Andrew Morris from GreyNoise for joining us. The research is titled "GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes, mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
CyberWire Daily: Watching the Watchers - IoT Vulnerabilities Exposed by AI
Release Date: December 14, 2024
Host: Dave Bittner (N2K Networks)
In this Research Saturday episode of CyberWire Daily, host Dave Bittner discusses the discovery of zero-day vulnerabilities in pan-tilt-zoom (PTZ) IP cameras, surfaced by GreyNoise's AI-assisted triage of honeypot traffic. Andrew Morris, Founder and Chief Technology Officer at GreyNoise, walks through the vulnerabilities, their implications, and the role AI played in spotting the exploitation attempts.
Andrew Morris begins by explaining the methodology behind GreyNoise’s detection of these critical vulnerabilities. GreyNoise operates a comprehensive honeypot network that monitors vast amounts of internet traffic to identify reconnaissance and exploitation attempts.
Andrew Morris [02:13]: "At GreyNoise, we operate a very large collector network, a honeypot network on the Internet that detects reconnaissance and exploitation traffic on the Internet."
Using their proprietary AI tool, Sift, GreyNoise was able to surface anomalous traffic patterns that deviated from the established baseline of normal activity.
Andrew Morris [12:59]: "We use AI to only surface the net new traffic patterns, which are only about 30 to 50 a day, usually less than 100 a day. And so that's a very manageable amount of data to triage as a human."
Because the surfaced traffic matched no disclosed vulnerability and no existing signature, triaging it led GreyNoise to previously unknown bugs, which is what makes them zero-days: no rule could have been written for exploitation of a flaw nobody knew existed.
The vulnerabilities discovered affect multiple PTZ IP camera models due to shared underlying firmware licensed across various manufacturers. Andrew elaborates on the technical shortcomings:
Andrew Morris [05:16]: "There are two vulnerabilities which combined together lead to full sort of unauthenticated remote code execution. The first is insufficient input sanitization and access control... the second is insufficient input validation that leads to operating system command injection."
These flaws enable attackers to:
- Fully compromise the camera and gain access to the device.
- Pivot from the camera to the rest of the network.
- Establish persistence on the device.
- Overwrite, insert or remove recorded media stored on the device, or disable it outright.
- Enlist the camera in a botnet.
Such comprehensive control compromises not only the device itself but also the broader network it sits on. The potential for these cameras to be enlisted in botnets further widens the blast radius.
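The chain Morris describes, an access-control and input-sanitization bug that lets a caller reach a page it should not see, followed by OS command injection on that page, is generic enough to model. The block below is an added example written for this summary, not GreyNoise's research code and not the camera firmware (which is not Python, and whose real endpoints and parameters this page does not give): `serve_file_*`, `maintenance_ping_*`, the `admin.cgi` file and the host parameter are hypothetical stand-ins. Each bug is shown beside its fix, and `echo` replaces the real command so the block runs harmlessly offline.

```python
"""Added example: the two-bug chain described above, each bug beside its fix.

Not GreyNoise's or any camera vendor's code. The real firmware is not
Python and this page names no endpoints, so serve_file_*, admin.cgi and
maintenance_ping_* are hypothetical stand-ins; `echo` replaces the real
command so the block runs harmlessly offline.
"""
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed fixture: a webroot with one public page, and a file one level
# up that the web interface should never be able to hand out.
_ROOT = Path(tempfile.mkdtemp()).resolve()
WEBROOT = _ROOT / "www"
WEBROOT.mkdir()
(WEBROOT / "index.html").write_text("<h1>camera</h1>")
(_ROOT / "admin.cgi").write_text("maintenance page: login required")


# Bug 1: file access with no canonicalisation and no access check.
def serve_file_vulnerable(name: str) -> str:
    # Path joining follows "../" literally, so the caller walks out of
    # WEBROOT and reaches a page it was never meant to see.
    return (WEBROOT / name).read_text()


def serve_file_hardened(name: str) -> str:
    target = (WEBROOT / name).resolve()  # collapses ".." and symlinks
    if not target.is_relative_to(WEBROOT):
        raise PermissionError(f"refusing path outside webroot: {name!r}")
    return target.read_text()


# Bug 2: a request parameter spliced into a shell command.
def maintenance_ping_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ";" in `host` ends
    # our command and starts the attacker's.
    cmd = f"echo pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist: hostname or IPv4 characters only, and no leading "-" so the
# value cannot be parsed as an option by the command either.
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def maintenance_ping_hardened(host: str) -> str:
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"invalid host: {host!r}")
    # argv list, no shell: metacharacters are just bytes in one argument.
    out = subprocess.run(["echo", "pinging", host], capture_output=True, text=True)
    return out.stdout


def raises(fn, arg, exc) -> bool:
    """True if fn(arg) raises exc; lets callers check the hardened variants."""
    try:
        fn(arg)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print(serve_file_vulnerable("../admin.cgi"))  # leaks the restricted page
    print(raises(serve_file_hardened, "../admin.cgi", PermissionError))
    print(maintenance_ping_vulnerable("127.0.0.1; echo INJECTED"))  # two lines
    print(raises(maintenance_ping_hardened, "127.0.0.1; echo INJECTED", ValueError))
```

The two fixes are independent and both are needed: canonicalising the path keeps unauthenticated callers away from the maintenance page, and dropping the shell keeps an authenticated caller from turning a parameter into code. Note that the allowlist also rejects a leading `-`, since even without a shell an argument like `-n` can still be taken as an option by the command being run.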
When asked about safeguarding against these vulnerabilities, Andrew provides pragmatic advice for affected users:
Andrew Morris [06:03]: "If you're a customer of the IP camera, I'm going to recommend two things. The first is to patch as soon as humanly possible, and then the second is to do some very mild triage to make sure that you haven't already been compromised."
His recommendations include:
- Patch as soon as possible.
- Assume the device may already be compromised: disconnect it, reset it to factory settings, then reflash or update the firmware before returning it to service.
- Where patching is not possible, put something in the path that can inspect and, if needed, block malicious traffic to the cameras.
- Give any Internet-facing camera at least a cursory triage, since there is a good chance it has already been compromised.
Andrew underscores the inherent difficulty in securing such devices, attributing it to their reliance on outdated, stripped-down versions of Linux and limited hardware capabilities that restrict the integration of modern security features.
Andrew Morris [07:31]: "These devices, they can't run any of those operating systems. They're running a very stripped down old version of Linux... These devices are really hard to secure. I would argue they're impossible to secure."
Dave Bittner probes deeper into GreyNoise's processes for distinguishing malicious traffic from routine IoT network activity. Andrew outlines their strategy:
Andrew Morris [11:44]: "We operate a gigantic honeypot fleet... This allows us to get a sort of baseline of what normal looks like. Then we can identify targeted scanning and targeted attacks by subtracting out all of the Internet background noise."
Subtracting the Internet-wide noise leaves a much cleaner signal: what remains in a customer's logs is scanning and attack traffic aimed at that network specifically, rather than the mass scanning every address on the Internet receives that day.
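Both of the GreyNoise ideas summarised on this page, surfacing net-new traffic patterns from a sensor fleet (the Sift description above) and subtracting Internet-wide background noise from a customer's own logs, reduce to set operations over request fingerprints and source addresses. The block below is an added illustration for this summary, not Sift or any GreyNoise code; the log lines, the baseline set, and the fingerprinting rule (method, path with digit runs collapsed, sorted query-parameter names) are constructed here for the example and are far simpler than real clustering.

```python
"""Added example: net-new traffic surfacing and background-noise subtraction.

Not GreyNoise's Sift; a small model of the two ideas on this page. All
sensor and customer log lines below are constructed, with RFC 5737
documentation addresses as sources.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed honeypot records: (source address, HTTP request line).
SENSOR_LOG = [
    ("203.0.113.5",  "GET / HTTP/1.1"),
    ("203.0.113.5",  "GET /.env HTTP/1.1"),
    ("198.51.100.7", "GET /.env HTTP/1.1"),
    ("198.51.100.7", "GET /robots.txt HTTP/1.1"),
    ("192.0.2.44",   "POST /cgi-bin/luci HTTP/1.1"),
    # A pattern the fleet has never clustered before, from two sources.
    ("192.0.2.9",    "GET /static/../maint.html HTTP/1.1"),
    ("192.0.2.9",    "POST /maint/ping?host=127.0.0.1%3Bid HTTP/1.1"),
    ("192.0.2.10",   "GET /static/../maint.html HTTP/1.1"),
    ("192.0.2.10",   "POST /maint/ping?host=127.0.0.1%3Bid HTTP/1.1"),
]

# Fingerprints clustered on earlier days: known mass scanning, already triaged.
BASELINE = {"GET /", "GET /.env", "GET /robots.txt", "POST /cgi-bin/luci"}


def fingerprint(request_line: str) -> str:
    """Collapse a request line to (method, path shape, parameter names).

    Digit runs in the path become 'N' and parameter values are dropped, so
    one scanner rotating IDs or payloads still lands in a single cluster.
    """
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    path = re.sub(r"\d+", "N", parts.path)
    keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return f"{method} {path}" + (f"?{','.join(keys)}" if keys else "")


def surface_net_new(log, baseline):
    """Return only clusters absent from the baseline, with hit and source counts."""
    clusters = defaultdict(lambda: {"hits": 0, "sources": set(), "sample": None})
    for src, line in log:
        fp = fingerprint(line)
        if fp in baseline:
            continue  # background noise: seen and triaged before
        c = clusters[fp]
        c["hits"] += 1
        c["sources"].add(src)
        c["sample"] = c["sample"] or line
    return {fp: {"hits": c["hits"], "sources": len(c["sources"]), "sample": c["sample"]}
            for fp, c in clusters.items()}


def noise_sources(log) -> set:
    """Every address that hit the sensor fleet is, by construction, scanning the whole Internet."""
    return {src for src, _ in log}


def subtract_noise(customer_log, noise: set):
    """Drop events from Internet-wide scanners; what remains was aimed at this network."""
    return [(src, line) for src, line in customer_log if src not in noise]


# Constructed customer firewall log: two mass scanners plus one source the
# sensor fleet never saw, which is the one worth an analyst's time.
CUSTOMER_LOG = [
    ("203.0.113.5",  "GET /.env HTTP/1.1"),
    ("198.51.100.7", "GET /robots.txt HTTP/1.1"),
    ("192.0.2.200",  "POST /maint/ping?host=10.0.0.1 HTTP/1.1"),
]

if __name__ == "__main__":
    for fp, info in surface_net_new(SENSOR_LOG, BASELINE).items():
        print(f"NET NEW  {fp:32} hits={info['hits']} sources={info['sources']}")
    for src, line in subtract_noise(CUSTOMER_LOG, noise_sources(SENSOR_LOG)):
        print(f"TARGETED {src} {line}")
```

Two things the toy version shares with the real approach: the analyst only ever sees the clusters that are not in the baseline, which is what keeps a billion events a day down to a reviewable list, and "targeted" is defined negatively, as whatever a customer saw that the whole Internet did not. Anything it surfaces is still a lead to investigate, not a verdict.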
The conversation shifts to the transformative role of AI in enhancing cybersecurity measures. Andrew highlights how AI, particularly tools like Sift, significantly improves the detection of sophisticated threats that traditional methods might miss.
Andrew Morris [15:21]: "AI helps us make big problems a little bit smaller... Machines are just better off to do [the repetitive tasks]... Someday we're going to realize how ridiculous it is that humans ever reviewed thousands and thousands of data entries."
He envisions AI doing the bulk of the sifting, much as radar replaced round-the-clock patrol flights, so that humans spend their time on the handful of items worth investigating and big vulnerabilities are identified before they are used in dangerous attacks.
Andrew shares GreyNoise’s positive experience collaborating with manufacturers upon discovering the vulnerabilities:
Andrew Morris [14:36]: "The manufacturers that we worked with here were helpful. They were appreciative that we reached out to work with them."
Despite the challenges in pinpointing the root causes of such vulnerabilities, the cooperative efforts between GreyNoise and manufacturers are crucial for developing robust security solutions and preventing future exploits.
The episode underscores the critical intersection of AI and cybersecurity in identifying and addressing emerging threats, particularly within the IoT landscape. Andrew Morris emphasizes the ongoing need for advanced detection mechanisms and collaborative efforts to secure devices that are increasingly integral to both personal and corporate environments.
Andrew Morris [15:21]: "I’m very, very hopeful for the future and how, you know, AI is going to ultimately help defenders be more secure and identify more big bad vulnerabilities before they can be used in dangerous attacks."
As IoT devices proliferate, the episode's lesson is that devices this hard to secure will keep being exploited, and that AI-assisted triage of in-the-wild traffic is one of the few ways defenders get early warning of a bug nobody has disclosed yet.
Key Takeaways:
- The exploitation was caught because GreyNoise's honeypot fleet saw it in the wild and Sift flagged the traffic as a pattern never seen before; no signature existed, so signature-based tooling could not have matched it.
- Two bugs chain to unauthenticated remote code execution: an access-control and input-sanitization failure that exposes a page, and an OS command injection on that page.
- Because the flaw lives in white-labeled firmware licensed to several manufacturers, the affected set spans multiple brands and models, and the true impact is still being gauged.
- Owners should patch immediately, factory-reset and reflash devices that may already be compromised, and inspect or block traffic to cameras they cannot patch.
- The vendors involved were responsive during disclosure; root cause is still being worked out and further vulnerabilities may follow.
For further details on GreyNoise’s research, listeners are encouraged to refer to the show notes provided by N2K CyberWire.