Vulnerabilities / Threats
7/29/2014
09:15 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Internet Of Things Contains Average Of 25 Vulnerabilities Per Device

New study finds high volume of security flaws in such IoT devices as webcams, home thermostats, remote power outlets, sprinkler controllers, home alarms, and garage door openers.

A new study published this week found that among even among just a small sample of some of the most popular and prevalent Internet of Things (IoT) devices, researchers uncovered 250 vulnerabilities -- many of which were severe and resulted in remote code execution, including vulnerabilities to Heartbleed, denial of service, and cross-site scripting.

Conducted by researchers at HP Fortify, the study was meant to demonstrate what may be found when a more comprehensive and disciplined approach is taken to examining this growing new class of devices.

Daniel Miessler, practice principle for Fortify On Demand at HP Fortify, who led the project, says many of the vulnerability discoveries announced about IoT devices over the last couple of years have been one-off findings.

"We haven't really seen a comprehensive approach when people talk about it -- they might talk about one vulnerability on the device or one relevant Internet vulnerability," he says, explaining that what makes IoT devices different is their multi-faceted nature. "When you think about what all is involved in an Internet of Things device, you've got the device itself, network access, authentication, the Internet component; and all these pieces together are what stack up to be the Internet of Things device. If you're not looking at the big picture, you're missing a lot of stuff."

This is why Miessler earlier this year collaborated with researchers Craig Smith and Jason Haddix to come up with the OWASP Internet of Things Top Ten Project, which delineates the top 10 security problems seen in IoT devices and tips on how to prevent them. For the study, he used that list as a backbone for testing 10 common devices, including a webcam, home thermostat, sprinkler controller, home alarm, and garage door opener.

Among those 10 devices, HP Security Research found an average of 25 vulnerabilities per device. Seven out of 10 of the devices when combined with their cloud and mobile applications gave attackers the ability to identify valid user accounts through enumeration. Nine out of 10 devices collected at least one piece of personal information through the device or related cloud or mobile app; and six of the devices had user interfaces vulnerable to a range of web flaws such as persistent XSS.

"We had one where you were able to log in and get root access to the device, and from there you could actually run and execute commands, pivot over to various locations on the internal  network," Miessler tells us.

He explains that, though many IoT devices are marketed to consumers, these rampant vulnerabilities have quite a bit of relevance for enterprises as well.

"They're not going to be closed to the devices we have here: TVs, webcams, home thermostats. They're not adverse to rolling out prosumer versions of these products, and we're already getting pings from our large corporate customers asking how secure these exact devices are."

And that's not to mention other very corporate devices such as SCADA networks, which exhibit the same multi-faceted attack surfaces as consumer IoT devices, he says. The biggest thing he wants enterprises to realize is they need to broaden their testing horizons lest they miss some very glaring vulnerabilities.

"It's not just cloud, it's not just the device, and it's not just network security," says Miessler. "People shouldn't view it as a one-dimensional problem."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
markoer
50%
50%
markoer,
User Rank: Apprentice
7/30/2014 | 6:06:36 AM
Re: Ok, but....
Thanks a lot, Kelly!
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/29/2014 | 2:43:42 PM
Re: Ok, but....
Here you go: http://fortifyprotect.com/HP_IoT_Research_Study.pdf

The link has now been added to the story, too. Thanks!
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/29/2014 | 2:41:22 PM
Re: Ok, but....
Here you go: http://fortifyprotect.com/HP_IoT_Research_Study.pdf

The link has now been added to the story, too. Thanks!
markoer
50%
50%
markoer,
User Rank: Apprentice
7/29/2014 | 12:08:28 PM
Ok, but....
...where is the link to the HP study?...
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
7/29/2014 | 10:53:30 AM
Re: 25 vulns/device
I think we have come to accept that all things are vulnerable, so it really boils down to a risk vs benefit/utility analysis. If vulnerabilities can be mitigated without outweighing the benefit or utility, then it becomes an organizational decision. On a personal level, my smartphone is an essential need, but the need to control my home thermostat remotely just doesn't have the same level of utility as my phone, and is the last thing I need to worry about. I guess it all comes down to a matter of priorities.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/29/2014 | 9:44:33 AM
25 vulns/device
That seems pretty high to me, but how does that compare to, for instance, a typical smartphone or tablet? I'd also be curious to know if OWASP has info abut which are most vulnerabe IoT devices on the market.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7266
Published: 2015-02-01
Algorithmic complexity vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x through 3.1.2 allows remote attackers to cause a denial of service (CPU consumption) via vectors that trigger colliding hash-table keys. NOTE: this vulnerability exists because of an incomplete fix for CVE-2...

CVE-2014-7269
Published: 2015-02-01
ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earlier, and RT-N56U routers with firmware 3.0.0.4.376....

CVE-2014-7270
Published: 2015-02-01
Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earl...

CVE-2014-8630
Published: 2015-02-01
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shel...

CVE-2014-9200
Published: 2015-02-01
Stack-based buffer overflow in an unspecified DLL file in a DTM development kit in Schneider Electric Unity Pro, SoMachine, SoMove, SoMove Lite, Modbus Communication Library 2.2.6 and earlier, CANopen Communication Library 1.0.2 and earlier, EtherNet/IP Communication Library 1.0.0 and earlier, EM X8...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.