ISE: IoT Manufacturers Missing Major Device Vulnerabilities

In just 13 Internet of Things (IoT) devices, consulting and research firm Independent Security Evaluators (ISE) discovered 125 vulnerabilities, pointing to an industrywide problem with basic security diligence in the sector, ISE said.

The report — “SOHOpelessly Broken 2.0” — is a follow-up to a 2013 study on the vulnerabilities of network-attached storage (NAS) systems and routers, and makes a case that millions of IoT devices are likely affected.

“Our results show that businesses and homes are still vulnerable to exploits that can result in significant damage,” said lead ISE researcher Rick Ramgattie. “These issues are completely unacceptable in any current web application. Today, security professionals and developers have the tools to detect and fix most of these types of issues which we found, exploited, and disclosed six years ago. Our research shows that they are still regularly found in IoT devices.”

The 2013 study discovered 52 vulnerabilities across 13 devices. The discovery of more than double that number for both routers and NAS systems in the new study shows that attackers can find a foothold within business and home networks to exploit and compromise additional devices, steal information that passes through the devices, reroute traffic, disable the network, and even perform additional outbound attacks on other targets using victim networks.

The devices examined covered a range of manufacturers, with products ranging from home and small-office devices to high-end hardware designed for enterprise use. In 12 of the 13 devices, ISE was able to obtain remote, root-level access, with vulnerabilities ranging from command injection to authorization bypass. All 13 devices had at least one web application vulnerability that could be leveraged by an attacker to get remote access.

“We found that many of these issues were trivial to exploit and should have been discovered even in a rudimentary vulnerability assessment,” said ISE founder Stephen Bono. “This indicates that these manufacturers likely undergo no such assessment whatsoever, that the bug bounty programs they employ are ineffective, that vulnerability disclosures sent to them are not addressed, or more likely, all of the above.”

Since the 2013 report, manufacturers have attempted to address vulnerabilities by simplifying issue reporting through disclosure forms, providing better contact information, and using bug bounty programs, the report notes. But more work needs to be done, including better training for developers on security best practices, software development with security in mind from the planning stages, better attention to firmware updates, and avoidance of remote access and administration features when possible.

“There are billions of IoT devices in use today, and an all too significant percentage are being sold without proper security assessments or an effective process to fix subsequent fundamental issues as they arise,” Bono said. “Manufacturers need to be proactive at fixing issues rather than relying on bug bounty programs, and other post-production initiatives.”