EZCast TV Streaming Dongle Leaves Home Networks Wide Open to Hackers
In a plot point worthy of CSI: Cyber, the EZCast TV streaming device has been found to have a vulnerability that enables hackers to gain access to entire home networks.
EZCast, which has three million users globally, is an HDMI TV streaming dongle that essentially converts a regular TV into a smart TV. An analogue to Google Chromecast (but far less expensive—it goes for just £14.95 in the UK), it allows users to stream (or “cast”) content from a phone or tablet to a TV wirelessly. So, users can dial up a YouTube video on a phone, and stream it to a TV for wide-screen viewing in the living room. It also supports a range of third-party gaming and over-the-top (OTT) video apps, and allows users to easily connect the TV to a PC to transfer videos, photos, music and files.
Sounds great, right? And it is, except for the fact that the EZCast dongle runs on its own Wi-Fi network, which is secured only by an 8-digit numeric password. And that, of course, can be easily cracked.
Security firm Check Point in fact conducted a successful brute-force attack on the device, which allowed researchers to gain full unauthorized access to the user’s network. They were also easily able to use social engineering to gain additional network access, by sending the user a malicious link through messaging services like email, Facebook and Skype.
Once the Wi-Fi network is cracked, attackers can gain easy access into both the device and connected home networks—and once in, they can move around the networks undetected, providing the ability to view confidential information and infect other home devices with malware. The attacks can also be initiated remotely, meaning that hackers can execute malicious code from anywhere.
So, in short, the vulnerabilities leave all information stored on personal networks exposed to possible theft, including tax returns, bank statements, credit cards and other sensitive personal information, making the EZCast device a potentially lucrative identity-theft attack vector for cyber-criminals. It also leaves home PCs and mobile devices open to botnet infections, ransomware attacks and the like.
The Check Point team warned that, in a nutshell, EZCast users and potential customers would essentially be selling access to their network for the cost of the device.
The situation is yet further evidence of internet of things (IoT) security risks coming to the fore. All too often, connected devices aren’t built with security best practices in mind, despite the fact that they can act as wide portals to consumers’ digital lives.
“This research provides a glimpse of what will be the new normal in 2016 and beyond—cyber-criminals using creative ways to exploit the cracks of a more connected world,” said Oded Vanunu, security research group manager, Check Point, in a blog. “The internet of things trend will continue to grow, and it will be important for consumers and businesses to think about how to protect their smart devices and prepare for the wider adoption of IoT.”
The Check Point team uncovered a number of critical vulnerabilities in the device earlier this year, leading them to the conclusion that the device was never designed with security in mind. The firm said that it has reached out to EZCast several times since the discovery to alert it to the findings, but has thus far not received a response. EZCast did not immediately respond to Infosecurity’s request for comment on the matter.
Source: Information Security Magazine