The Internet of Things (IoT) revolves around machine-to-machine communication, and it’s growing exponentially. Sure, it sounds like a great idea when we can use smart devices to connect to the Internet at a moment’s notice. However, most consumers don’t fully understand the security vulnerabilities.

 Let’s take a look at EZCast. It’s an HDMI dongle-based TV streamer that converts your regular TV into a smart TV and allows you to connect to the Internet and other media. It’s controlled through your smartphone device or your PC. With this dongle, you can easily connect your TV with your PC to view and transfer videos, photos, music and files.

 

Getting in is easy – Since the EZCast dongle runs on its own Wi-Fi network, entering the network is actually quite easy. This network is secured only by an 8-digit numeric password, which can be easily cracked. Check Point conducted a successful brute-force attack which allowed us to gain full unauthorized access to the network.

Check Point researchers also found it quite easy to use social engineering to gain additional network access. An attacker can send the user a link through most messaging services, such as email, Facebook and Skype.

 

 So, why should I worry? Well, just about anything and everything stored on your home network is now completely exposed. This could include tax returns, bank statements, credit cards and personal health information. Identity theft could happen in an instant.

 

 Ok, tell me more – Check Point researchers uncovered the EZCast vulnerabilities earlier this year. Check Point has reached out to EZCast several times to alert them of our findings. As of this time, no updates or responses have been provided.

The EZCast device was never designed with security in mind. Check Point was able to uncover a number of critical vulnerabilities, and we barely scratched the surface. Would you sell access to your network for $25? Because that’s what you’re essentially doing when you buy and use this device.

Security for IoT should be raised to the same levels we expect and take for granted in computer security. As researchers, we can help to improve IoT security by reporting vulnerabilities to the associated vendors. Vendors themselves should consider information security while new IoT devices are still at the product design stage. This is crucial to avoid introducing security flaws such as the ones we detailed in this blog.

EZCast is currently used by approximately 5 million users. Are you one of them?

 


 


  1. “The EZCast device was never designed with security in mind. We were able to uncover a number of critical vulnerabilities, and we barely scratched the surface. Would you sell a root shell in your network for $25 dollars? Because that’s what you’re essentially doing when you buy and use this device.”

  2. I think this has since been fixed. I can’t reproduce the two vulnerabilities with the MiraScreen5G. The cgi-bin directory is still browsable tho. And there are now 4 upload.cgi scripts….
