Vulnerabilities / Threats

9/29/2015
10:30 AM
Oliver Tavakoli
Oliver Tavakoli
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Unintended Attack Surface Of The Internet Of Things

How a vulnerability in a common consumer WiFi device is challenging today's enterprise security.

Researchers at Vectra Threat Labs recently performed a detailed analysis of vulnerabilities found in a common Belkin wireless repeater. And while a consumer WiFi product may seem like an odd choice for intensive threat research, vulnerabilities in consumer and Internet of Things gear can end up having a much larger impact on enterprise security than you might think.

It’s no surprise that end users are almost always the initial targets of attackers, and vulnerabilities in users’ consumer devices can enable that all-important initial infection. Vulnerabilities in a wireless repeater, like those analyzed by Vectra Threat Labs, provide a natural opportunity to man-in-the-middle a user, and redirect or manipulate user traffic in the process.

Even more important is the fact that consumer technology provides a preview of the types of challenges that enterprises are already beginning to face with the rise of the Internet of Things. Let’s take the Belkin vulnerabilities as a case in point. The vulnerabilities all share a fairly simple coding error in which the code takes input from a user and passes it directly to the operating system.

For example, the system may be expecting user input such as the user’s PIN, but an attacker could input commands to reboot the device, which the system would dutifully execute. It is also important to note that these sorts of vulnerabilities are not rare. The SOHOpelessly Broken contest at DEFCON revealed a variety of vulnerabilities in consumer routers.

In the Belkin case, insecure coding practices are the tip of the iceberg. The bigger issue is the duration of time these vulnerabilities have existed in the wild. The original Belkin firmware was dated June 27, 2012, and the first and only update was dated May 6, of 2015. The vulnerability existed unpatched for just shy of 3 years. In addition, the HP Tipping Point Zero Day Initiative first reported the vulnerabilities to Belkin on November 11, 2014. The coordinated advisory did not occur until July 20 of 2015. This means that there was an 8-month lag between disclosure and the fix.

Unfortunately, this sort of response time is likely to become more common with consumer and IoT devices. For example, a company that sells industrial HVAC equipment decides to add network connectivity to its products to improve manageability of the unit. Since networking is not its core business, the company chooses to outsource the network integration to a third party that may or may not use secure coding practices. Once the project is complete, the code could remain unchanged and effectively unsupported.

Stopping every unknown exploit against a wireless repeater, air conditioner, or any of the thousands of other devices on the market is an impossible task. But as IoT subtly creeps into an organization, the combination of poorly written code and infrequent updates will surely lead to a broader and less manageable attack surface. It’s time for the modern enterprise to take notice. 

Oliver Tavakoli is the chief technology officer at Vectra Networks, Inc. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/11/2015 | 8:13:17 PM
Re: Networking hardware
"No error-free device in this planet."

Of course, most of those errors -- let's face it -- are PEBKAC errors.

(PEBKAC = "Problem Exists Between Keyboard And Chair")
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/30/2015 | 10:24:28 AM
Everything is coding error
Most of the vulnerabilities are either miscoding or misconfiguration of the system. Some bugs may result into vulnerability some others may not. Remember there is no error-free application.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/30/2015 | 10:24:00 AM
Re: Are you embracing the IoT with your eyes closed?
Agree. Some takes it quite seriously because of their past experiences with government agencies and troubles that they had to go though. But most does not even care.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/30/2015 | 10:22:18 AM
Re: Networking hardware
I would agree with that. That is why it is important to have a layered security approaches. No error-free device in this planet.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/30/2015 | 10:20:47 AM
Re: Are you embracing the IoT with your eyes closed?
I wish you are correct. But all these startups have an idea in mind which lacks the security. They do not have time and money to spend on investigation what consequences we would face if my toaster talks to my fridge?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/30/2015 | 10:17:35 AM
IoT security
Nobody pays attention to the security and vulnerabilities that IoT will create to other systems around them. Everybody is focused on geting an IoT device out the market. Home devices and wearables are real next stages of security problems we will be hearing more often than less.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/29/2015 | 9:45:13 PM
Re: Are you embracing the IoT with your eyes closed?
I'm sure there are at least a few organizations taking the not-even crossing-their-fingers-because-they-aren't-even-thinking-about-it approach -- as many often do with all kinds of security threats.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/29/2015 | 9:43:30 PM
Networking hardware
Networking equipment at the consumer (and even, sometimes, at the enterprise) level is notoriously insecure.  Experts have predicted that at least 1/5 of all routers, for instance, have some backdoor or other exploit.

The NSA even took advantage of this fact with some of the organizations it infiltrated.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
9/29/2015 | 9:31:52 PM
Are you embracing the IoT with your eyes closed?
I think the casual Internet of Things and the industrial Internet of Things will look quite different, and there will be protections for those who know how and care to use them. I don't think many IT staffs are going into the Internet of Things with their eyes closed and fingers crossed, but I could be wrong.
Microsoft, Mastercard Aim to Change Identity Management
Kelly Sheridan, Staff Editor, Dark Reading,  12/3/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20009
PUBLISHED: 2018-12-10
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider.php SSL Provider Name or SSL Provider URL field.
CVE-2018-20010
PUBLISHED: 2018-12-10
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider-account.php username field.
CVE-2018-20011
PUBLISHED: 2018-12-10
DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Name or Stakeholder field.
CVE-2018-20012
PUBLISHED: 2018-12-10
PHPCMF 4.1.3 has XSS via the first input field to the index.php?s=member&c=register&m=index URI.
CVE-2018-20015
PUBLISHED: 2018-12-10
YzmCMS v5.2 has admin/role/add.html CSRF.