Researchers have uncovered two critical vulnerabilities in the TV-streaming EZCast device that can lead to remote code execution, and point to more general weaknesses in Internet of Things (IoT) security.
EZCast is an HDMI dongle-based TV streamer that is both remote-free and cross-platform (running on Android, iOS, Mac, and Windows). The device enables a user to stream media content from the web or their mobile device onto a television.
According to Google Play, the EZCast app has been downloaded by as many as five million users.
Check Point Software Technologies has issued a report in which its researchers explain how they were able to hack the EZCast dongle. As it turns out, it was relatively easy to get in.
“Entering the network via the dongle was extremely easy, as the device runs its own Wi-Fi network. This network is secured only by an 8 (numeric) digit password with WPS enabled by default (and is easily cracked). A successful brute-force attack on WPS allows unauthorized parties to gain access to the network.”
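Why an eight-digit numeric WPS PIN is "easily cracked" comes down to two design flaws in the WPS PIN method rather than to anything EZCast-specific: the eighth digit is a checksum of the first seven, and the registrar acknowledges the first and second halves of the PIN separately (an EAP-NACK after message M4 if the first four digits are wrong, after M6 if the last four are wrong). The C program below is an added example, not code from the Check Point report or from EZCast; the registrar is a local model of that acknowledgement behaviour rather than a real Wi-Fi exchange, and the secret PINs are constructed. It shows that an attacker needs at most 10,000 + 1,000 guesses instead of the 100,000,000 an eight-digit PIN suggests.

```c
#include <stdio.h>

/* WPS PIN check digit: weights 3,1,3,1,3,1,3 over the seven leading digits,
 * then (10 - sum mod 10) mod 10, as in the WPS 1.0 specification. */
int wps_checksum(unsigned body7)
{
    static const unsigned weights[7] = {3, 1, 3, 1, 3, 1, 3};
    unsigned accum = 0, div = 1000000;
    for (int i = 0; i < 7; i++) {
        accum += weights[i] * ((body7 / div) % 10);
        div /= 10;
    }
    return (int)((10 - accum % 10) % 10);
}

unsigned wps_make_pin(unsigned body7) { return body7 * 10 + (unsigned)wps_checksum(body7); }

int wps_pin_valid(unsigned pin8) { return pin8 % 10 == (unsigned)wps_checksum(pin8 / 10); }

/* Model of the registrar (the dongle's access point). Real WPS replies with an
 * EAP-NACK after M4 if the first four digits are wrong and after M6 if the
 * last four are wrong, so each half is confirmed on its own. */
typedef struct {
    unsigned secret_pin;    /* constructed secret, e.g. 12345670 */
    unsigned long queries;  /* how many PIN attempts the attacker needed */
} registrar_t;

static int first_half_ok(registrar_t *r, unsigned first4)
{
    r->queries++;
    return r->secret_pin / 10000 == first4;
}

static int second_half_ok(registrar_t *r, unsigned first4, unsigned last4)
{
    r->queries++;
    return r->secret_pin / 10000 == first4 && r->secret_pin % 10000 == last4;
}

/* Attacker: up to 10^4 guesses for the first half, then up to 10^3 for the
 * second half, because the last digit is implied by the checksum.
 * Returns 0 if the registrar never accepts (cannot happen for a valid PIN). */
unsigned wps_recover_pin(registrar_t *r)
{
    unsigned first4 = 0;
    while (first4 < 10000 && !first_half_ok(r, first4))
        first4++;
    if (first4 == 10000)
        return 0;
    for (unsigned body3 = 0; body3 < 1000; body3++) {
        unsigned body7 = first4 * 1000 + body3;
        unsigned last4 = body3 * 10 + (unsigned)wps_checksum(body7);
        if (second_half_ok(r, first4, last4))
            return wps_make_pin(body7);
    }
    return 0;
}

int main(void)
{
    registrar_t ap = {12345670, 0};   /* constructed example PIN (valid checksum) */
    unsigned found = wps_recover_pin(&ap);
    printf("recovered PIN %08u after %lu attempts (worst case 11000, naive 100000000)\n",
           found, ap.queries);
    return found == ap.secret_pin ? 0 : 1;
}
```

The worst case is exactly 11,000 attempts (secret 99999995, whose first half is 9999 and whose last body digits are 999); a real attack is rate-limited only by how fast the device answers M4/M6, which is why the report treats WPS as an entry point rather than a lock.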
Check Point’s researchers go on to explain that attackers have two other ways in besides the dongle’s own Wi-Fi network: directly over the web (depending on the user’s settings), and through social engineering, via email, Facebook, Skype and the like.
Once on the dongle’s network, the researchers found that the device bridges it to the user’s own Wi-Fi network. To find a way to stay persistent on that network, they then extracted the device’s firmware and went through its file system.
Before long, they had found two critical vulnerabilities. The first is in a file called “upload.cgi”, which lets an attacker upload a file to any location on the device’s disk, including the cgi-bin directory, so a malicious CGI script placed there is run by the web server.
“This will fully compromise the device and enable us to stay persistent (once again, without requiring authentication),” the researchers observe.
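What makes upload.cgi critical is the combination of two missing checks: no authentication, and no restriction on where the uploaded file lands, so a file written into cgi-bin is executed by the web server, which is the persistence Check Point describes. The C sketch below is an added example and not EZCast’s code (the report does not show the handler’s source); the upload root /var/www/uploads and the handle_upload() interface are assumptions. It contrasts the vulnerable shape with a handler that gates on a session, rejects traversal and refuses any path the server would execute.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical data directory; the real path on the dongle is not on the page. */
#define UPLOAD_ROOT "/var/www/uploads"

enum upload_result { UPLOAD_OK = 0, UPLOAD_UNAUTHENTICATED, UPLOAD_BAD_PATH };

/* Vulnerable shape: the destination is whatever the client sent. A name such as
 * "../cgi-bin/shell.cgi" escapes the data directory into the executable one,
 * and nothing checks who is calling. */
void unsafe_dest(const char *name, char *out, size_t n)
{
    snprintf(out, n, "%s/%s", UPLOAD_ROOT, name);
}

/* Lexical policy for a client-supplied name: relative, no "." or "..", no
 * empty components, never a cgi-bin component, never a name the server would
 * execute. Symlinks cannot be caught lexically; the real write should also use
 * openat() on a directory fd with O_NOFOLLOW | O_EXCL. */
int is_safe_upload_path(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    const char *p = name;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);
        if (len == 0)                                        /* "a//b" */
            return 0;
        if (len == 1 && seg[0] == '.')                       /* "./x" */
            return 0;
        if (len == 2 && seg[0] == '.' && seg[1] == '.')      /* "../x" */
            return 0;
        if (len == 7 && strncmp(seg, "cgi-bin", 7) == 0)
            return 0;
        if (*p == '/') {
            p++;
            if (*p == '\0')                                  /* trailing slash */
                return 0;
        }
    }
    size_t n = strlen(name);
    if (n >= 4 && strcmp(name + n - 4, ".cgi") == 0)        /* would be executed */
        return 0;
    return 1;
}

/* Hardened handler: authenticate first, validate the name, then confine the
 * write to UPLOAD_ROOT. 'authenticated' stands for a verified session check. */
enum upload_result handle_upload(int authenticated, const char *name, char *dest, size_t n)
{
    if (!authenticated)
        return UPLOAD_UNAUTHENTICATED;
    if (!is_safe_upload_path(name))
        return UPLOAD_BAD_PATH;
    snprintf(dest, n, "%s/%s", UPLOAD_ROOT, name);
    return UPLOAD_OK;
}

int main(void)
{
    char dest[256];
    const char *evil = "../cgi-bin/shell.cgi";  /* constructed attacker input */
    unsafe_dest(evil, dest, sizeof dest);
    printf("vulnerable handler would write to: %s\n", dest);
    printf("hardened handler, no session:   %d\n", handle_upload(0, "photos/cat.jpg", dest, sizeof dest));
    printf("hardened handler, traversal:    %d\n", handle_upload(1, evil, dest, sizeof dest));
    return 0;
}
```

The order of the checks matters: authentication comes first so that an unauthenticated caller learns nothing about which names are accepted, and the executable-directory refusal is applied even to names that stay inside the upload root, since the web server, not the path, decides what gets run.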
The second critical vulnerability is in a file called “windir.cgi”, which accepts an IP address, a username and a password packed into a single GET parameter and passes them, unsanitised, into a shell command, allowing remote command injection.
In their proof-of-concept attack the researchers injected a shell command through that parameter into the device’s call to system(), and got back the string “root”, which indicates that the injected command runs with root privileges.
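The windir.cgi bug is textbook command injection: fields from one GET parameter are spliced into a command string that is handed to system(), so shell metacharacters in any field run as whatever user the CGI runs as (here, root). The C program below is an added example, not the dongle’s code, and the exact command the researchers injected is not on the page. That windir.cgi mounts a Windows (CIFS) share is an assumption drawn from its name and its inputs, and the “ip,user,pass” encoding of the parameter, the share name and the mount point are invented for the illustration. It shows the vulnerable string-building beside a version that validates each field and uses execvp() with an argument vector, so no shell ever parses the input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape: attacker-controlled fields interpolated into a shell line.
 * Calling system() on the result runs "...;id" or "$(id)" as the CGI's user. */
void build_cmd_unsafe(const char *ip, const char *user, const char *pass,
                      char *out, size_t n)
{
    snprintf(out, n, "mount -t cifs //%s/share /mnt/win -o user=%s,pass=%s",
             ip, user, pass);
}

/* Split the single "ip,user,pass" parameter (assumed encoding) into three
 * fields of at most n-1 bytes each. Returns 1 on success. */
int parse_windir_param(const char *param, char *ip, char *user, char *pass, size_t n)
{
    char *fields[3] = {ip, user, pass};
    const char *p = param;
    for (int i = 0; i < 3; i++) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || len >= n || (i < 2 && !end) || (i == 2 && end))
            return 0;
        memcpy(fields[i], p, len);
        fields[i][len] = '\0';
        p = end ? end + 1 : p + len;
    }
    return 1;
}

/* Dotted quad only: four decimal octets 0..255, nothing else. */
int is_ipv4(const char *s)
{
    int octets = 0;
    while (*s) {
        if (!isdigit((unsigned char)*s)) return 0;
        int v = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (*s++ - '0');
            if (++digits > 3) return 0;
        }
        if (v > 255) return 0;
        octets++;
        if (*s == '.') { s++; if (!*s) return 0; }
        else if (*s) return 0;
    }
    return octets == 4;
}

/* Allow-list for user and password: no shell metacharacters and no ',' that
 * would split the -o option list. Tighter than real passwords allow; a
 * production fix would pass the secret via a credentials file, not argv. */
int is_safe_token(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 64) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-' && *s != '.')
            return 0;
    return 1;
}

int validate_windir_fields(const char *ip, const char *user, const char *pass)
{
    return is_ipv4(ip) && is_safe_token(user) && is_safe_token(pass);
}

/* Hardened: validate, then execvp() with an argv array. Each field is one
 * argument; there is no shell to interpret ';', '|', '$(...)' or quotes.
 * Returns -1 on rejection or fork failure, else mount's exit status. */
int mount_share_safe(const char *ip, const char *user, const char *pass)
{
    if (!validate_windir_fields(ip, user, pass))
        return -1;
    char src[128], opts[160];
    snprintf(src, sizeof src, "//%s/share", ip);
    snprintf(opts, sizeof opts, "user=%s,pass=%s", user, pass);
    char *const argv[] = {"mount", "-t", "cifs", src, "/mnt/win", "-o", opts, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char ip[64], user[64], pass[64], cmd[256];
    const char *param = "192.168.1.5;id,guest,secret";   /* constructed attacker input */
    if (parse_windir_param(param, ip, user, pass, sizeof ip)) {
        build_cmd_unsafe(ip, user, pass, cmd, sizeof cmd);
        printf("unsafe command string: %s\n", cmd);       /* system() would run 'id' */
        printf("hardened result: %d (rejected before exec)\n", mount_share_safe(ip, user, pass));
    }
    return 0;
}
```

Validation alone is not the fix; the argument vector is. Even a field that passes an allow-list today should never reach a shell, because the allow-list and the shell’s grammar will drift apart with the next firmware change.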
“This research provides a glimpse of what will be the new normal in 2016 and beyond – cyber criminals using creative ways to exploit the cracks of a more connected world,” said Oded Vanunu, security research group manager at Check Point, as reported by CNN Money. “The Internet of Things trend will continue to grow, and it will be important for consumers and businesses to think about how to protect their smart devices and prepare for the wider adoption of IoT.”
Check Point says that it first informed EZCast of the vulnerabilities in July 2015 but received no response. It tried again in August 2015, again without reply. Frustrated by the lack of communication, the researchers have now decided to go public, and they conclude their report in damning fashion:
“The EZCast device was never designed with security in mind. We were able to uncover a number of critical vulnerabilities, and we barely scratched the surface. Would you sell a root shell in your network for $25 dollars? Because that’s what you’re essentially doing when you buy and use this device.”
They go on to urge researchers and IoT security vendors to work together, not only to report vulnerabilities but also to design devices like EZCast with security in mind.
I could not agree more. Blind enthusiasm for “smart” everythings continues to play a major role in driving the Internet of Things. We as security personnel need to treat IoT as something that can be actively exploited.
Here is a video by Graham Cluley, describing the threat posed by insecure Internet of Things devices:
If we keep an eye out for vulnerabilities, the onus will shift to vendors to either keep security in mind or risk ridicule at the hands of a customer breach. It begins with us, but the choice is ultimately theirs.
The fact that they could remotely call system() is … scary and unthinkable. It's also blatant disregard for security (granted, bugs are a consequence of human mistakes, but there are some mistakes that really shouldn't happen, and this is one of them).
'Before long, the researchers had discovered two critical vulnerabilities. The first was in a file called "upload.cgi" that allows an attacker to upload a malicious CGI file anywhere on the device disk, including to the cgi-bin directory.'
This is going to sound to many people incredibly petty and extremely pedantic, but: finally someone who calls it a 'directory'! (And to the people who dismiss this view I have this to say: Microsoft used to call them 'directories' too – if I recall correctly, Windows 9x was the first to name it 'folder', and this is why even DOS has the command 'dir' and not 'fol' or some ridiculous name.)
Windows NT (you probably refer to it as "Windows 10," now) still has a "dir" command. That has never changed. Nor has the "cd" command in Windows ever changed (short for "change directory"). What does the nomenclature of "folder" vs "directory" have to do with anything, anyway? Also, I'm pretty sure the Apple Mac was referring to "folders" rather than "directories" before Windows was doing so. "Folder" represents a paradigm that means more to the average ape than "directory" does, so I have no issue with it. I'm what you call an expert, so I'm free to call it by its "expert" name and use commands on it that most computer users might not even know exist.
Of course the author referred to the cgi-bin directory as a directory, since this little EZCast device is running Linux and they were able to hack into it and move around the file system using Unix/Linux shell commands, where directories are called directories. The appellation "directory" itself is just a convention. They could have just as easily been called "folders" or "buckets" in the beginning.
Hoping there won't be the same issues with Chromecast
The EZCast team has noted the report: http://blog.checkpoint.com/wp-content/uploads/2015/12/EZCast_Report_Check_Point.pdf and we welcome all comments, advice and suggestions from users and organizations. Based on them, the EZCast team can keep on improving to make EZCast better for our users.
Security is always our top priority, and this is also why the EZCast access point adopts WPA2, the highest security level, as premium home routers do. Consequently, we will take further actions in our coming firmware update to increase the security level and address the issues that Check Point has highlighted. Before the next firmware update, EZCast users can apply the following configurations, which already exist in the dongle's settings, to make the EZCast dongle more resilient to hackers’ attacks.
1. EZCast suggests that users change the password, combining numbers, letters and special symbols, for a higher security level. As with a home router, a complex and frequently changed password enhances security.
2. EZCast allows users to configure the dongle to be "Via router only." In this configuration, the only way to access the dongle is through the home router. This allows EZCast to hide behind the protection of the home network's security.
The EZCast team would like to thank Check Point for its report, reminding us of our weakness in network security. For apps and devices serving more than 3 million users globally, it’s our responsibility to keep improving the security of our products and services. The safer, the happier casting.
EZCast, Happy Casting
So EZCast, I see you are no longer searchable in the Apple App Store. Is this because you have adequately upgraded the security of your devices, or should I skip using this new "USB to HDMI/VGA Adapter" that I got on Amazon for $25? I'm going to send this back based on the very poor reputation you have for security unless I get a response back to me right here in 72 hrs. I notice the manual that comes with the product instructs me to "Download the EZCast software from www.ezcast.com" and goes into painstaking detail on how I should bypass the built-in features of my iMac in order to allow me to haphazardly download anything that might be malicious in its unfiltered form, and completely fails to address how I should set up my network with security features in mind to be "Via router only", allowing EZCast to "be able to hide behind the protection of home network security". Please provide me detailed instructions on how to do that part of the process instead of completely neglecting to mention it in this "manual". I feel utterly ripped off, and I might just send this back before your deadline. Clock's ticking. Isn't there some way you can fix the problem of needing to blatantly disregard Apple's security? Don't misunderstand me; I know keeping up with those changes is a royal pain in the ass, especially since Big Sur, but if you want to continue on with a very tarnished reputation, just keep doing things how you have been doing them. I saw rave reviews about the function of this product, but I'm not going there without solid evidence that the Swiss cheese holes in security have been melted down into a sticky web of prevention of all the negative things I am reading about your company. I'm sure you are financially doing fine potentially hacking into everyone's computers in the present state, but I suggest you do something reputable and fix the problem everyone comments about in the hype about this being a 25 dollar sale into hacking my computer.
You can probably do better than that considering your product is doing stuff for remote screen mirroring / broadcasting than the competition. I don't need this screen THAT badly. My iMac is more valuable, and certainly my personal data and things I desire not to have ripped off due to identity theft. Sorry, but I just voted NO on keeping this. Also in response to the 2016 comment above about 3 million users globally and your "responsibility"…show me how you have corrected the problem please. I will await a response, but I'm highly confident I am wasting my time.
iMac and 43" HDTV owner who is remaining disconnected after a 1 min. web search on your product,
Me