Thinking outside the box
McAfee worked with UK company iParcelBox to uncover a serious security flaw in its smart delivery box that it was only able to discover because of an inadvertent data leak by a developer.
The iParcelBox is an internet-connected steel box that couriers or neighbours can access to deliver items securely without needing to enter a user’s home.
As demonstrated in the above video, package couriers press a button on the device, which sends an ‘open’ request push notification on the owner’s mobile device that they can either accept or deny.
The iParcelBox unit only has three external vectors: remote cloud APIs, WiFi, and a single physical button.
Security researchers from McAfee were able to compromise the system by leveraging open source intelligence (OSINT), or publicly available information, rather than finding and abusing software vulnerabilities in the IoT device itself.
Sam Quinn, a security researcher on McAfee’s Advanced Threat Research team, explains in a blog post: “This project took a turn from a classic hardware/IoT device research project to an OSINT research topic very early on.
“It really goes to show that even simple mistakes with online data hygiene could expose key details to attackers allowing them to narrow down attack vectors or expose sensitive information like credentials”
While looking for info on the device’s firmware, the McAfee team discovered a large log file containing what seemed like the iParcelBox’s boot procedure.
It turned out that the primary developer for the product was unintentionally putting the product at risk with online posting. The information included admin credentials, as well as a GitHub token.
The uncovered data resulted in access to internal design configurations, providing the McAfee team access to any and all iParcelBox devices worldwide, including the ability to unlock any device without permission.
The researchers also found that the iParcelBox developers implemented numerous security concepts into their product, which is uncommon for IoT devices.
The organization was able to fix the issues uncovered by McAfee by changing the admin password for every iParcelBox and asking the developers at Mongoose-OS to implement a change so that one device’s AWS certificate and private key cannot control any other device.
The vendor also fixed a set of lesser security flaws uncovered during the research, including the Android application’s failure to pin certificates properly, along with the removal of direct calls to the DynamoDB.
UK-based iParcelBox proactively reached out to McAfee after seeing the security company’s previously released research on BoxLock, a similar technology.
iParcelBox requested research analysis on its product in order to uncover product security issues and ultimately protect consumers in the future.