The increase in the use of technological implementations such as smart speakers, in conjunction with the growing need to use videoconferencing platforms, has resulted in the emergence of new security risks related to Internet of Things (IoT) technology. In a recent investigation, Grimm experts managed to hack a Steam Audio Table smart speaker to demonstrate the risks inherent in the processors built into these devices.
“Any user might think that these devices are made up of very basic components; in fact, they are complex machines with extensive functionalities, which allow the appearance of a wide attack surface,” says the research.
During the analysis of the device, the researchers discovered that they could carry out a remote code execution attack, which would allow them to evade the security mechanisms on the device and spy on the chat and video call sessions of the compromised users. Apparently, this fault exists because of a stack-based buffer overflow.
Experts also discovered a command injection flaw that exists due to insufficient disinfection of user-supplied inputs. It is important to mention that the flaws were corrected in the most recent Stem Audio update. A control interface authentication vulnerability and various weaknesses in encryption were also discovered during testing in Stem Audio Table. All problems identified were reported to Shure, owner of the Stem brand.
Grimm experts say these flaws are very common in IoT devices: “Although Stem has already addressed these issues, the flaws identified in this process follow similar patterns to those discovered in other similar devices, which could put at risk some videoconferencing sessions, VoIP tools, internet-connected cameras and other IoT devices.”
As a security measures, organizations can protect themselves by following very simple mitigations, such as disconnecting devices when they are not in use and connecting them through USB workstations instead of connecting them to the enterprise network, advise the experts at Grimm.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.