Vulnerabilities / Threats

9/29/2015
10:30 AM
Oliver Tavakoli
Oliver Tavakoli
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Unintended Attack Surface Of The Internet Of Things

How a vulnerability in a common consumer WiFi device is challenging today's enterprise security.

Researchers at Vectra Threat Labs recently performed a detailed analysis of vulnerabilities found in a common Belkin wireless repeater. And while a consumer WiFi product may seem like an odd choice for intensive threat research, vulnerabilities in consumer and Internet of Things gear can end up having a much larger impact on enterprise security than you might think.

It’s no surprise that end users are almost always the initial targets of attackers, and vulnerabilities in users’ consumer devices can enable that all-important initial infection. Vulnerabilities in a wireless repeater, like those analyzed by Vectra Threat Labs, provide a natural opportunity to man-in-the-middle a user, and redirect or manipulate user traffic in the process.

Even more important is the fact that consumer technology provides a preview of the types of challenges that enterprises are already beginning to face with the rise of the Internet of Things. Let’s take the Belkin vulnerabilities as a case in point. The vulnerabilities all share a fairly simple coding error in which the code takes input from a user and passes it directly to the operating system.

For example, the system may be expecting user input such as the user’s PIN, but an attacker could input commands to reboot the device, which the system would dutifully execute. It is also important to note that these sorts of vulnerabilities are not rare. The SOHOpelessly Broken contest at DEFCON revealed a variety of vulnerabilities in consumer routers.

In the Belkin case, insecure coding practices are the tip of the iceberg. The bigger issue is the duration of time these vulnerabilities have existed in the wild. The original Belkin firmware was dated June 27, 2012, and the first and only update was dated May 6, of 2015. The vulnerability existed unpatched for just shy of 3 years. In addition, the HP Tipping Point Zero Day Initiative first reported the vulnerabilities to Belkin on November 11, 2014. The coordinated advisory did not occur until July 20 of 2015. This means that there was an 8-month lag between disclosure and the fix.

Unfortunately, this sort of response time is likely to become more common with consumer and IoT devices. For example, a company that sells industrial HVAC equipment decides to add network connectivity to its products to improve manageability of the unit. Since networking is not its core business, the company chooses to outsource the network integration to a third party that may or may not use secure coding practices. Once the project is complete, the code could remain unchanged and effectively unsupported.

Stopping every unknown exploit against a wireless repeater, air conditioner, or any of the thousands of other devices on the market is an impossible task. But as IoT subtly creeps into an organization, the combination of poorly written code and infrequent updates will surely lead to a broader and less manageable attack surface. It’s time for the modern enterprise to take notice. 

Oliver Tavakoli is the chief technology officer at Vectra Networks, Inc. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/11/2015 | 8:13:17 PM
Re: Networking hardware
"No error-free device in this planet."

Of course, most of those errors -- let's face it -- are PEBKAC errors.

(PEBKAC = "Problem Exists Between Keyboard And Chair")
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/30/2015 | 10:24:28 AM
Everything is coding error
Most of the vulnerabilities are either miscoding or misconfiguration of the system. Some bugs may result into vulnerability some others may not. Remember there is no error-free application.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/30/2015 | 10:24:00 AM
Re: Are you embracing the IoT with your eyes closed?
Agree. Some takes it quite seriously because of their past experiences with government agencies and troubles that they had to go though. But most does not even care.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/30/2015 | 10:22:18 AM
Re: Networking hardware
I would agree with that. That is why it is important to have a layered security approaches. No error-free device in this planet.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/30/2015 | 10:20:47 AM
Re: Are you embracing the IoT with your eyes closed?
I wish you are correct. But all these startups have an idea in mind which lacks the security. They do not have time and money to spend on investigation what consequences we would face if my toaster talks to my fridge?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/30/2015 | 10:17:35 AM
IoT security
Nobody pays attention to the security and vulnerabilities that IoT will create to other systems around them. Everybody is focused on geting an IoT device out the market. Home devices and wearables are real next stages of security problems we will be hearing more often than less.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/29/2015 | 9:45:13 PM
Re: Are you embracing the IoT with your eyes closed?
I'm sure there are at least a few organizations taking the not-even crossing-their-fingers-because-they-aren't-even-thinking-about-it approach -- as many often do with all kinds of security threats.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/29/2015 | 9:43:30 PM
Networking hardware
Networking equipment at the consumer (and even, sometimes, at the enterprise) level is notoriously insecure.  Experts have predicted that at least 1/5 of all routers, for instance, have some backdoor or other exploit.

The NSA even took advantage of this fact with some of the organizations it infiltrated.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
9/29/2015 | 9:31:52 PM
Are you embracing the IoT with your eyes closed?
I think the casual Internet of Things and the industrial Internet of Things will look quite different, and there will be protections for those who know how and care to use them. I don't think many IT staffs are going into the Internet of Things with their eyes closed and fingers crossed, but I could be wrong.
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-9036
PUBLISHED: 2018-06-20
CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Disclaimer, allowing attacks by low-privileged users against higher-privileged users.
CVE-2018-12327
PUBLISHED: 2018-06-20
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq ...
CVE-2018-12558
PUBLISHED: 2018-06-20
The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\f").
CVE-2018-6563
PUBLISHED: 2018-06-20
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti...
CVE-2018-1120
PUBLISHED: 2018-06-20
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call t...