Flawed EZCast media streamer can let hackers run malware on your home network

Researchers have uncovered two critical vulnerabilities in the EZCast TV-streaming device that can lead to remote code execution, and that point to more general weaknesses in Internet of Things (IoT) security.

EZCast is an HDMI dongle-based TV streamer that is both remote-free and cross-platform (running on Android, iOS, Mac, and Windows). The device enables a user to stream media content from the web or their mobile device onto a television.

According to Google Play, the EZCast app has been downloaded by as many as five million users.


Check Point Software Technologies has issued a report in which its researchers explain how they were able to hack the EZCast dongle. As it turns out, it was relatively easy to get in.

"Entering the network via the dongle was extremely easy, as the device runs its own Wi-Fi network. This network is secured only by an 8 (numeric) digit password with WPS enabled by default (and is easily cracked). A successful brute-force attack on WPS allows unauthorized parties to gain access to the network."

Check Point's researchers go on to explain that malicious actors could also use two other attack vectors to reach the device: the web (depending on the user's settings) and social engineering via email, Facebook, Skype and the like.

Once inside, Check Point's researchers found that the device created a bridge to the user's Wi-Fi network. In order to remain persistent in the network, they then loaded up the device's firmware and searched through the available file system.

Before long, the researchers had discovered two critical vulnerabilities. The first was in a file called "upload.cgi" that allows an attacker to upload a malicious CGI file anywhere on the device disk, including to the cgi-bin directory.

"This will fully compromise the device and enable us to stay persistent (once again, without requiring authentication)," the researchers observe.


The second critical vulnerability is in a file called "windir.cgi," which accepts IP addresses, usernames, and passwords in a single GET parameter; an attacker can use it to remotely inject code into the device.

A proof-of-concept attack developed by the researchers revealed that they could remotely inject a shell command into the device's system() function and produce the string "root".
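As an added example in C (not code from EZCast, Check Point or this article), here is the shape of the windir.cgi flaw described above, attacker-controlled fields concatenated into a string bound for system(), next to a hardened form that allowlists each field and executes without a shell. The CIFS mount command is a hypothetical stand-in, since the article does not say which command the CGI actually runs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE pattern: fields are pasted into one shell command string destined
 * for system(). A host of "10.0.0.5;id" ends the mount command and the shell
 * runs "id" next, as root on a device like this. (mount command: hypothetical) */
int build_cmd_unsafe(char *out, size_t n, const char *host,
                     const char *user, const char *pass) {
    return snprintf(out, n, "mount -t cifs //%s/share /mnt -o user=%s,pass=%s",
                    host, user, pass);
}
/* Detection helper: returns 1 if the string carries any shell metacharacter. */
int has_shell_meta(const char *s) {
    return strpbrk(s, ";|&$`<>()\n\r'\"\\ ") != NULL;
}
/* Allowlist for the host field: letters, digits, '.' and '-' only, bounded. */
int valid_host(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '.' && s[i] != '-') return 0;
    return 1;
}
/* Allowlist for user/password: printable, bounded, no shell metacharacters,
 * and no ',' or '=' (those would inject extra mount options). */
int valid_cred(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)s[i])) return 0;
    return !has_shell_meta(s) && strpbrk(s, ",=") == NULL;
}
/* HARDENED: validate, then execvp() an argv array so no shell parses the fields.
 * Returns the child's exit status, or -1 on validation failure or fork error. */
int run_mount_safe(const char *host, const char *user, const char *pass) {
    if (!valid_host(host) || !valid_cred(user) || !valid_cred(pass)) return -1;
    char src[300], opts[200];
    snprintf(src, sizeof src, "//%s/share", host);
    snprintf(opts, sizeof opts, "user=%s,pass=%s", user, pass);
    char *argv[] = {"mount", "-t", "cifs", src, "/mnt", "-o", opts, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Note that even the hardened form still runs as whatever user the CGI process is; the shell-free exec removes the injection, not the need to drop privileges.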


"This research provides a glimpse of what will be the new normal in 2016 and beyond - cyber criminals using creative ways to exploit the cracks of a more connected world," said Oded Vanunu, security research group manager, Check Point, as reported by CNN Money. "The Internet of Things trend will continue to grow, and it will be important for consumers and businesses to think about how to protect their smart devices and prepare for the wider adoption of IoT."

Check Point says that it first informed EZCast of the security vulnerabilities in July 2015, but received no response. It tried again in August 2015, but still received no response. Frustrated by the lack of communication, the researchers have now decided to go public and conclude their report in damning fashion:

"The EZCast device was never designed with security in mind. We were able to uncover a number of critical vulnerabilities, and we barely scratched the surface. Would you sell a root shell in your network for $25 dollars? Because that’s what you're essentially doing when you buy and use this device."

They go on to urge researchers and IoT security vendors to work together to not only report vulnerabilities but also design devices like EZCast with security in mind.

I could not agree more. Blind enthusiasm for "smart" everythings continues to play a major role in driving the Internet of Things. We as security personnel need to treat IoT as something that can be actively exploited.

Here is a video by Graham Cluley, describing the threat posed by insecure Internet of Things devices:

If we keep an eye out for vulnerabilities, the onus will shift to vendors to either keep security in mind or risk ridicule at the hands of a customer breach. It begins with us, but the choice is ultimately theirs.



5 Responses

  1. coyote

    January 8, 2016 at 12:35 am

    The fact they could remotely call system() is … scary and unthinkable. It's also blatant disregard for security (granted bugs are a consequence of human mistake but there are some mistakes that really shouldn't happen and this is one of them).

    'Before long, the researchers had discovered two critical vulnerabilities. The first was in a file called "upload.cgi" that allows an attacker to upload a malicious CGI file anywhere on the device disk, including to the cgi-bin directory.'

    This is going to sound to many people incredibly petty and extremely pedantic but: finally someone who calls it a 'directory'! (And to the people who dismiss this view I have this to say: Microsoft used to call it 'directories' too – if I recall correctly, Windows 9x was the first to name it 'folder' and this is why even that DOS has the command 'dir' and not 'fol' or some ridiculous name).

    • C in reply to coyote.

      October 25, 2017 at 10:58 pm

      Windows NT (you probably refer to it as "Windows 10," now) still has a "dir" command. That has never changed. Nor has the "cd" command in Windows ever changed (short for "change directory"). What does the nomenclature of "folder" vs "directory" have to do with anything, anyway? Also, I'm pretty sure the Apple Mac was referring to "folders" rather than "directories" before Windows was doing so. "Folder" represents a paradigm that means more to the average ape than "directory" does, so I have no issue with it. I'm what you call an expert, so I'm free to call it by its "expert" name and use commands on it that most computer users might not even know exist.

      Of course the author referred to the cgi-bin directory as a directory, since this little EZCast device is running Linux and they were able to hack into it and move around the file system using Unix/Linux shell commands, where directories are called directories. The appellation "directory" itself is just a convention. They could have just as easily been called "folders" or "buckets" in the beginning.

  2. Stephane

    January 8, 2016 at 2:36 pm

    Hoping there won't be the same issues with Chromecast

  3. Stanley

    March 11, 2016 at 8:57 am

    EZCast team has noted the report: http://blog.checkpoint.com/wp-content/uploads/2015/12/EZCast_Report_Check_Point.pdf and we welcome all comments, advice and suggestions from users and organizations. Based on them, EZCast team can keep on improving to make EZCast better for our users.

    Security is always our top priority and this is also why the EZCast access point adopts WPA2, the highest security level, as a premium home router does. Consequently, we will take further actions in our coming firmware update to increase the security level and improve the issues that Check Point has highlighted. Before the next firmware update, EZCast users can apply the following configurations, which already exist in the dongle's settings, to make the EZCast dongle more resilient to hackers' attacks.

    1. EZCast suggests users change the password, combining numbers, letters and special symbols, for a higher security level. As with a home router, a complex and frequently changed password enhances security.

    2. EZCast allows users to configure the dongle to be "Via router only." In this configuration, the only way to access the dongle is through the home router. This allows EZCast to hide behind the protection of the home network's security.

    EZCast team would like to thank Check Point for its report, which reminded us of our weakness in network security. For the apps and devices serving more than 3 million users globally, it's our responsibility to keep improving the security of our products and services. The safer, the happier casting.

    EZCast, Happy Casting

