This Week In Exploits Logo

This Week in Exploits: A Cuppa IoT with Your Security?

There’s no bigger buzzword in the security world now than the ‘Internet of Things.’ The Internet of Things, or IoT, is the connectedness of everyday devices and sensors to allow the quantification and control of systems. Video doorbells alert wayward homeowners of visitors. Bluetooth fobs connect car keys to smartphones. Thermostats track heating and cooling preferences to select a tailored temperature for a homeowner.

Unfortunately, the design complexity of a previously unconnected device now given intelligence and network access can lead to unforeseen issues and real-world consequences. Therefore the security of IoT devices must be a consideration and, ideally, a foundational characteristic in their design. Without ‘baked-in’ security, IoT devices that control home automation or collect health data stored in the cloud could be vulnerable to interception, web attacks like cross site scripting and SQL injection, and attacks yet unforeseen.

We have a tangential example of IoT insecurity from the SiteLock offices we’d like to share this week. For when the manager is on travel, the researchers will appropriate the keys to the coffee machine and scribble on the drink selection interface.

The SiteLock Research Team have long yearned to hack the fancy coffee machine that management graciously provides. The machine grinds coffee fresh, makes decent espresso, and has a wide selection of hot drinks for caffiends and abstainers alike.

We saw no Ethernet cable from the machine and verified with IT it had no wireless capabilities. Physical access it was. We tried numerous ‘secret’ button presses on the touch screen to try to bring up an administrative interface with no luck. We would have to open up the machine.

We could have simply asked for keys and got them though we decided to maximize fun and surprise and perform the hack while the boss was away. With keys in hand we opened the machine and were greeted with a service menu and Login button. The Login button brought up a 10-key interface looking for a four-digit passcode. Seconds later ‘1111’ brought us to the Level 1 menu.

Level 1 provided machine info though not what we wanted — access to images. We correlated the passcode of ‘1111’ to Level 1 and tried to log in again with ‘2222’ to get the Level 2 menu. ‘2222’ didn’t work, though ‘3333’ did. ‘4444’ and ‘6666’ brought us to respective menus, each with the previous menu’s capabilities and more sensitive actions added on, like payment and temperature settings.

Level 2 Menu

Level 2 Menu

Level 2 gave us what we needed, the ‘Images’ menu. With it we were able to add an image from a mounted flash memory drive via the internal USB port. Mission accomplished.

Haxed by SiteLock

Haxed by SiteLock

We decided to dig a bit deeper and download the config file via the ‘Software configurations’ menu. With config in hand we ran a simple strings on the file and found all of the passcodes in plaintext at the end of the file.


Strings Output

Strings Output

This doesn’t seem like an Internet of Things device at all, let alone a hack on one. Until you find out the manufacturer offers wired and wireless communications and telemetry solutions for this and other models. Substitute absconding with keys with network access and a browser or command prompt, and the coffee machine becomes an IoT device that might be hacked with less effort and lower rate of detection.

It’s likely many TWiE readers already have IoT devices in their homes and on their wrists. Manufacturers are sure to improve security by design in IoT devices. Until that time, consider what data IoT devices collect, where they connect to, and what data is possibly transmitted. If firmware or other device updates are available, apply the updates as soon as possible.

Will there be a perfect, secure world where IoT devices adapt your surroundings in real-time based on your location, preferences, and well-being? Not yet. Though the scenario is more attainable every day. Will SiteLock scanners, like INFINITY, begin to scan IoT devices like they do websites now? Time will tell.

filing taxes

Learn How to Protect Your Tax Refund from Hackers

Filing for your taxes can be a nuisance, but the refund you receive is well worth the effort, especially if you have big plans for your tax credit. But how would you feel if your refund check was stolen?

This year, SiteLock is partnering with for Safer Internet Day on February 9th. We all play a role in creating a safe Internet experience, and you can do your part by safely filing your taxes.

Last year, an experienced group of hackers broke into the IRS’ database and gained access to the personal information of over 100,000 taxpayers. This information included taxpayers’ Social Security numbers, addresses, and salaries. The cybercriminals were able to collect nearly 15,000 tax refunds, costing the IRS a whopping $50 million.

Protecting Your Tax Refund

Hackers often pose as the IRS and use phishing emails to trick taxpayers and tax preparers. These emails are designed to steal sensitive information, such as taxpayers’ data or tax preparers’ IRS account passwords. Victims may receive a seemingly legitimate email and download a malicious file attachment. From there, the attacker is able to steal information by logging the victim’s keystrokes.

Identifying these types of emails and keeping your information secure is possible. Here are a couple tips to help.

1. Learn how to recognize phishing emails from criminals posing as legitimate organizations, such as the IRS, banks or credit card companies. Never click on links or download attachments from unknown or suspicious emails.

2. Ask your accountant about their website security, especially if you are providing your information through their site. Cybercriminals know how to hide malware deep in a website’s source code. You can verify a website’s security status by looking for a security badge on their homepage.

3. Monitor your accounts for fraudulent charges. Typically, hackers who steal financial information will test the victim’s data before making a large purchase. Make sure to double-check your bank statements on a regular basis for any unusual charges.

For more information on Safer Internet Day, click here.

For more information on malware, click here.


This Week In Exploits Logo

Authentication Failure in File Browser, Manager, Backup (+ Database) WordPress Plugin

While reviewing malware, the SiteLock Research Team detected suspicious code in a WordPress plugin. We reviewed the suspicious code and found the plugin wasn’t malicious per se, though it was potentially vulnerable to attack. We will discuss the plugin and analyze its unique authentication issues, and then discuss mitigation and the dangers of using unsupported plugins.

Visit for the full story.

This Week In Exploits Logo

This Week in Exploits: A Brief Survey of Fake WordPress Plugins

In this week’s installment of TWiE, we’ll discuss how fake plugins get on to WordPress sites, analyze a well known fake plugin to provide a sense of what they can do, look at a non-exhaustive list of fake plugins and a couple of interesting features, and discuss ways to avoid being victimized by fake plugins.

Read the full story at our WordPress microsite

online privacy

Privacy Matters – Expect It. Respect It. Protect It.

Data Privacy Day (DPD) is an international effort held annually on January 28 to create awareness around the importance of privacy and protecting personal information. SiteLock has committed to being a DPD Champion to acknowledge and bring attention to the value and importance of privacy. This year, Data Privacy Day is all about respecting privacy, safeguarding data and enabling trust.

Respecting Privacy
Every time a customer visits your website, you’re collecting their data. When that customer buys something from your website, you’re collecting even more personal data. Many of these customers don’t know exactly how their information is being used. When a security breach occurs, these customers are left in the dark as to what cyber criminals are doing with their data. Studies show 87% of individuals are either somewhat or very concerned about their information being shared with another party without their knowledge or consent.

Your customers value their privacy. They want the freedom to choose what they share and with whom it is shared. Online data can be stored indefinitely, and it’s up to businesses to protect that data.

Safeguarding Data
One way to safeguard your customers’ data during checkout is by becoming PCI Compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure all companies that process, store or transmit credit card information maintain a secure environment for their customers. PCI applies to any organization or merchant that accepts credit cards online.

Enabling Trust
Your customers’ trust is not simply a nice thing to have, it’s a critical asset. Brand value diminishes 20% to 30% on average as a direct result of a data breach. On top of that, it takes as long as a year to restore this kind of damage. Use data privacy day as an excuse to further protect your customers by respecting their privacy, safeguarding their data and enabling their trust.


This Week In Exploits Logo

This Week in Exploits: My Hacked WordPress Site Was Fixed, Now What?

The unfortunate happens and your WordPress site is compromised. You recover from the hack through backups or SiteLock’s malware removal service, yet you still feel at unease.

The truth is, once a WordPress site recovers from a compromise, there’s a bit more to do. Learn about simple post-compromise steps that can help harden your site from future attacks.

Learn more at

protect your data keyboard

Avoid a Security Breach with These Easy Tips

With 52% of security breaches being caused by human error, it is important to recognize that one of your employees could inadvertently be the cause of your company’s next data breach. This month, SiteLock is supporting Data Privacy Day on January 28, 2016 in an effort to create awareness around the importance of privacy and protecting personal information.

Educating your employees is key to preventing a breach, so here are some best practices to get the ball rolling:

Read More

Laptop Lock

SiteLock Research Team Identifies Malicious Plugin

During a routine site cleaning, the SiteLock Research Team found suspicious code in a WordPress plugin file.

Get the full details at

Data theft

Here’s How Cyber Criminals Profit From Your Personal Data

Did you know that stores are likely to keep your name, credit card number, address, email address, and even date of birth stored on file for long periods of time? With information like this sitting idle, it often becomes an easy target for cyber criminals. This month, SiteLock is supporting Data Privacy Day on January 28th to create awareness around the importance of privacy and protecting personal information.

Security breaches are on the rise and this trend is not slowing. Over 750 breaches occurred during 2015 with more than 170 million records exposed. The number of breached data records in 2015 nearly doubled the records breached in 2014.

Read More

This Week In Exploits Logo

This Week in Exploits: Don’t Panic: Defacements from 2015

Bad actors have attacked websites since the beginning of the internet. They have many reasons for taking over websites — money, infamy, politics, curiosity — though nothing grabs attention more than the visual defacement of a site. We’ve seen many defacements over the last year, but what are the real consequences for the sites that are defaced? We’ll discuss what defacements do and why they happen, as well as what should you know about site defacements and securing your site against them.

What Are Defacements and the Effects


Read More

Page 1 of 25

Powered by WordPress & Theme by Anders Norén