CyberWire Daily - Watching the watchers. IoT vulnerabilities exposed by AI. [Research Saturday]
Episode Date: December 14, 2024
This week, we are joined by Andrew Morris, Founder and CTO of GreyNoise, to discuss their work on "GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of... AI." GreyNoise discovered two critical zero-day vulnerabilities in IoT-connected live streaming cameras, used in sensitive environments like healthcare and industrial operations, by leveraging its AI-powered detection system, Sift. The vulnerabilities, CVE-2024-8956 (insufficient authentication) and CVE-2024-8957 (OS command injection), could allow attackers to take full control of affected devices, manipulate video feeds, or integrate them into botnets for broader attacks. This breakthrough underscores the transformative role of AI in identifying threats that traditional systems might miss, highlighting the urgent need for robust cybersecurity measures in the expanding IoT landscape. The research can be found here: GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Yeah, so they were targeting pan, tilt, zoom IP cameras.
It's actually almost impossible to say exactly what model of pan, tilt, zoom camera they were targeting.
And these vulnerabilities allow an attacker to completely compromise an
IP camera, gain access to the device, pivot throughout it to the rest of the network,
establish persistence, or, you know, overwrite or insert or remove any kind of recorded media
that might be stored on the device. That's Andrew Morris, founder and chief technology officer at GreyNoise.
The research we're discussing today is titled GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI.
Yeah, so at GreyNoise, we operate a very large collector network,
a honeypot network on the internet that detects reconnaissance and exploitation traffic on the internet.
And what brought our attention to this is, I mean, we see in the wild cyber attacks every day, like literally millions of them a day, every day. And this was a very routine review of a traffic pattern that had
crossed our sensor fleet, which was surfaced by our AI called SIFT. And in triaging this vulnerability, trying to basically categorize
it as, you know, well, what is this? We realized that there was no disclosed vulnerability for it.
And so we went through a little bit of work and we identified what it was targeting and
what the vulnerability was, and we disclosed it to the vendor.
Hmm. Well, let's walk through it together here. I mean, what exactly were they targeting,
and what do you suppose they were setting out to do?
Yeah, so they were targeting pan-tilt-zoom IP cameras. And it's actually almost impossible to
say exactly what model of pan-tilt-zoom camera they were targeting because the vulnerability
existed in several different IP cameras. The vulnerabilities, I should say, and these
vulnerabilities allow an attacker to completely compromise an IP camera, gain access to the device,
pivot throughout it to the rest of the network, establish persistence, or overwrite or insert
or remove any kind of recorded media that might be stored on the device, including disabling it.
So those are some of the things that the attacker can do.
Reading through the research, you noted that it would have been possible for them to
make the cameras part of a botnet as well?
That's exactly right. Yeah. I mean, so the vulnerabilities that we identified
lead to full camera takeover.
So that means that whatever the attacker wants to do with them,
they can do it with them.
And unfortunately, the vulnerability affects
multiple different models of camera
because it affects underlying firmware
that is actually white-labeled, so to speak, by a manufacturer. So it actually affects
multiple different models. Right. I was going to ask you about that. My understanding is that this
is an area where lots of different camera sellers will use the same parts under the hood.
And so that's how you end up with these vulnerabilities spread across multiple
brands and model numbers. That's exactly right. So, I mean, we identified the vulnerability,
and it seems that the vulnerability is in the underlying firmware. The firmware has been
licensed by multiple manufacturers. So we're still trying to kind of gauge the true impact of the bug.
And it's tough. It's a tough one. Yeah. Well, tell us about the actual vulnerabilities.
What were the shortcomings here?
Yeah, so there's two vulnerabilities
which combined together lead to full
sort of unauthenticated remote code execution.
The first vulnerability is insufficient input sanitization
and access control.
So basically, we're able to read a file or access a file
that we shouldn't be able to read and access.
And then there's another vulnerability,
which is an insufficient input validation
that leads to operating system command injection.
So we can reach a page that we shouldn't be able to reach,
and then we can use that page to inject malicious input, which leads to command injection on the camera.
I see. And what are your recommendations for folks to protect themselves here?
If you're a customer of the IP camera, if you're somebody who owns, who has purchased or operates any of these IP cameras, I'm going to recommend two things. The first is to patch as soon as humanly
possible. And then the second is to do some very mild triage to make sure that you haven't already
been compromised, which is to say maybe disconnect those devices and reboot them to factory settings
and then update the firmware.
Reflash them, reboot them, update them,
make sure to get them patched.
That's pretty much all you can do.
And then beyond that,
the ball's in the court of the attacker,
or of the manufacturer, sorry.
And so really just make sure that you've got some ability to,
you know, if you can't patch for any reason,
just make sure that you've got some ability to middle
and inspect and potentially block malicious traffic
that goes to those IP cameras.
Make sure that any that are facing the internet
that you've done some cursory triage on
because there's a very good chance that they've been compromised.
Yeah, it really seems like this is a product category
that comes up time and time again,
that these cameras are a soft target for some of these hackers here.
I mean, that's exactly right.
So you've got to understand that these are,
you know, Microsoft and the Linux Foundation
have done hundreds of millions of dollars
of research and investment
into securing their operating systems.
So Microsoft obviously invests billions of dollars
into securing, you know, securing Microsoft and Windows.
Obviously, Linux manufacturers or the Linux Foundation invests quite a bit of time and energy into making sure that their kernels are up to date and are secure.
But these devices, they can't run any of those operating systems.
They're running a very stripped down old version of Linux.
There's very limited hardware, which means there's no space for overhead,
including some of these modern security features that prevent exploitation like this,
or even modern security features that allow detection and response.
These devices are really hard to secure. I would argue they're impossible to secure.
And this is going to continue to happen. There's very little that anybody can do about it.
Um, you know, so unfortunately, that's just where we are.
We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
I'd love to dig into some of the processes that you and your colleagues there at GreyNoise use to differentiate malicious traffic from what I assume is a high volume of routine IoT network
activity. Yeah, so at GreyNoise, what we do is we operate a gigantic honeypot fleet, and so what that does
is that gives us a tremendous amount of live reconnaissance and attack traffic
that's happening across the whole internet sort of all the time, and what that allows us to do is
that allows us to get a sort of baseline of what normal looks like,
what expected looks like. And then we can use that baseline to figure out which of our customers'
networks or any of our customers' networks that are deviating really far beyond that baseline.
So stated differently, we can give our customers the ability to identify targeted scanning and targeted attacks
by actually subtracting out all of the internet background noise that day.
And that leads to a much cleaner signal for our customers.
Does that make sense?
It does.
And one of the things you highlighted in the research was that
you took advantage of some AI capabilities for this detection.
I'm curious, why do you suppose that previous security methods
might have missed this kind of exploit?
And how did AI increase your odds of finding it?
Oh, yeah.
I mean, so how other devices missed this,
I mean, it's very easy how other technologies missed this,
is that this was an unknown software vulnerability. This was a zero day. There was no signature for this.
You know, there is no way that this could have possibly been sort of, a rule could have been,
you know, created on successful exploitation of this device. So that makes sense.
How AI assisted us, we have an internal product at GreyNoise called SIFT,
which clusters network traffic
and it surfaces net new traffic patterns.
And at GreyNoise every day, we triage,
I mean, we process over a billion events a day, every day.
But inside of those billion events,
we use AI to only surface the net new
traffic patterns, which are only about 30 to 50 a day, usually less than 100 a day. And so that's a
very manageable amount of data to triage as a human. And so we triage those net new traffic
patterns that are created by SIFT.
And this was one of those net new traffic patterns that we'd never seen before.
And then in investigating this, we determined that it was indeed a zero-day vulnerability.
And this was confirmed by manufacturers when we reached out to them as well.
And how did the manufacturers respond?
You know, again, with something,
it's fair to say maybe a low margin product like a security camera,
do you find that they are responsive
to you reaching out to them?
Yeah, I mean, the manufacturers
that we worked with here were helpful.
You know, they were appreciative
that we reached out to work with them.
They stayed inside of the promised timelines.
They didn't sort of, like, pull any kind of,
any of the scummy tricks that we see people pull during responsible disclosure. So overall,
I mean, hats off to the manufacturer. Again, we still haven't really identified true root cause
of this bug. There's a good chance that we're going to have to cut even more software vulnerabilities
to get to the root of this. But yeah, the manufacturer was very
responsive and, you know, and they were good to work with. As we look forward here, how do you
foresee the role of AI evolving within the industry to counteract these types of attacks?
Yeah, I mean, I think AI just helps us make, you know, make big problems a little bit smaller. Any kind of problems of scale for things that people are struggling to wrap their hands around.
There's still a lot of jobs that have to be done by a person right now that we've just not exactly figured out how to AI around.
But there's a lot of work that I think that humans do that machines are just better off to do.
And I think that the future looks like us sort of shaking some of those things out.
Someday we're going to realize how ridiculous it is that humans ever reviewed thousands and thousands of, you know, of data entries in order to, you know,
figure out which things to spend their time and energy looking at. That's something that just
makes more sense for machines to do. So the way that I sort of picture it is a little bit like,
you know, before the radar was invented, we had a lot of people and a lot of planes constantly surveying and patrolling 24 by 7 all the time.
But then once the radar was invented, we didn't have to do that anymore because we had machines that were 24 by 7 monitoring
to see that nothing is happening
and then alerting us when something does happen.
And I really do think that that's the direction
that we're going to be taking things with AI even more.
And so I'm excited about that.
I'm very, very hopeful for the future
and how AI is going to ultimately help defenders be more secure and identify more
big, bad vulnerabilities before they can be used in dangerous attacks.
Our thanks to Andrew Morris from GreyNoise for joining us. The research is titled,
GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras
with the Help of AI. We'll have a link in the show notes.
And that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the
rapidly changing world of cybersecurity. If you like our show, please share a rating and review
in your favorite podcast app. Please also fill out the survey in the show notes or send an email to
cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the
most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your team smarter.
Learn how at N2K.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time. Thank you.