Many IoT devices run embedded Linux distributions with Bash

I’m not trying to play Chicken Little, but outside of corporate data centers, the average homeowner who has some cool computerized toys and doesn’t perform regular updates is very vulnerable and prone to privacy loss. Some devices are subject to abuse.

Here are some items in the modern house that could be running the bash shell:

  • Bluetooth/NFC door locks
  • Home thermostat
  • Home security systems
  • Baby monitors
  • Smart Fridges

Some of these items can be exploited: doors unlocked, thermostats messed with at all hours of the day or night, and video feeds from Internet-connected cameras in security systems and baby monitors put onto a website open to the public, which can lead to literal nightmares. See the article Lights, Camera, Hacktion.

The smart fridges have more capability, though, leading to stronger types of exploits and abuse that could place an individual under investigation, or even slander them. Vulnerable smart fridges have been used in the past to perform spam and phishing attacks; see the article The Internet of Things. Since they are more robust, they can be more vulnerable. I can’t confirm whether the fridges are running bash, but they are vulnerable to user configurations… especially if they don’t get patched. What if someone used a fridge in a spam attack? No big deal for a consumer: they patch and move on. But what if destructive malware was uploaded? Or the fridge was converted into a piracy server? Even worse, what if it turned into a child pornography server?

Possible ramifications for the fridge owner include public humiliation and time spent on reputation repair.

A lot of this post is speculation, but I strongly believe that these threats can be realized. Bash being exploitable is very dangerous and proper measures should be taken.
