
Hacking off-the-shelf devices

By Paula Gilbert, ITWeb telecoms editor.
Johannesburg, 18 May 2016
Reino Mostert, security analyst at Telspace Systems, says off-the-shelf products can make local businesses vulnerable to attacks.

It's pretty easy to hack into "off-the-shelf" devices, including ADSL routers and NAS storage devices, and South African businesses are just as vulnerable as international operations.

This was demonstrated by Reino Mostert, senior security analyst at Telspace Systems, speaking yesterday at ITWeb Security Summit 2016, at Vodacom World in Midrand.

Mostert ran a demo showing how he and Telspace Systems senior security analyst Robert Len hacked into both the Seagate BlackArmor NAS220 and the Telkom Pace 921 VNX router.

"We have tried communicating the problem to Telkom, but we haven't gotten a proper response back yet," said Mostert.

He noted that an attack does not need to be technologically complicated to have a severe impact.

"It highlights the fact that products that you buy in SA are vulnerable to attacks, as well as the fact that South African businesses that use these products are vulnerable," added Mostert.

He gave examples of how hacking into "junk" devices like connected kettles, smart LED lightbulbs and even connected toys could allow criminals to gain access to whole network systems, and ultimately extract whatever data they wish.

Len said these types of vulnerabilities end up hurting everyday South African businesses.

"Pretty much everyone from SMEs to large corporations has a NAS or a router. The research that Jacob Holcomb did found 50% of NAS were vulnerable, unauthenticated and easy to breach. This was in over 10 manufacturers tested," explained Len.

Mostert admitted that some of these "junk hacks" can be trivial, but they begin to matter when they affect human lives, as with vulnerabilities in Bluetooth-enabled pacemakers or attacks on connected cars.

Another example was vulnerabilities found in HID Global's electronic door controller.

"It turns out the devices that are there to keep us safe are not so safe. They sit on the network, they have a management port open and they wait for commands. And there is one pretty innocuous command called the 'blink on command' that is vulnerable. Through command execution, you can send pretty much anything through and you can use it to lock everybody out or everybody in," added Len.

"These kinds of attacks can be silly and sometimes they don't get the attention they deserve, or sometimes they get way too much attention. But they can be used to hurt people and they can be used to hurt businesses, so we do need to pay some attention to them," concluded Mostert.
