Dark Reading is part of the Informa Tech Division of Informa PLC

IoT
6/19/2019
08:00 AM

Insecure Home IoT Devices a Clear and Present Danger to Corporate Security

Avast-sponsored study shows wide prevalence of IoT devices, many with weak credentials and other security vulnerabilities.

Nearly three years after the Mirai distributed denial-of-service (DDoS) attacks, the danger to corporate networks from insecure consumer Internet of Things (IoT) devices appears to have grown.

Researchers from Avast Software, in collaboration with researchers from University of Illinois Urbana-Champaign and Stanford University, recently analyzed data from 83 million Internet-connected devices in some 16 million homes globally to better understand how they are deployed, as well as how secure they are. Devices scanned included home routers, game consoles, printers, scanners, home IP cameras, and home automation devices, such as smart thermostats. Computers and phones were excluded from the IoT classification in the study.

The research highlights not only the prevalence of IoT devices, but also their inherent vulnerabilities, says Rajarshi Gupta, vice president and head of AI at Avast. 

According to the study, one-third of homes have at least one IoT device. In North America, the number is double, at 66%. The research shows that one in four homes in North America has three or more IoT devices, and 9% have six or more.

Media devices, such as smart TVs and streaming devices, are by far the most common IoT devices in a majority of geographies. However, beyond that, the types of IoT devices installed in home networks tend to vary widely by region.

For example, Internet-connected home surveillance equipment is the most common IoT device across several parts of Asia; work appliances, like printers, are more prevalent in Africa; and voice and home assistant devices, such as those from Amazon and Google, are substantially more common in North America than anywhere else.

Security Concerns
Disturbingly, millions of the devices in the Avast study have security weaknesses, such as open services, weak default credentials, and vulnerabilities to known attacks. Millions of devices, for instance, are still using obsolete protocols, such as FTP and Telnet, Gupta says. In some parts of Africa, the Middle East, and Southeast Asia, as many as 50% of IoT devices still support FTP, and nearly 40% of home routers in Central Asia use Telnet.

Open and weak HTTP credentials are another major concern with a significant proportion of the routers that Avast and the other researchers analyzed. A small number of home routers in the study host publicly accessible services, but more than half (51.2%) of the routers that did also had a recently exploited vulnerability on them.

"Millions of IoT devices today still use obsolete protocols like Telnet and FTP, both of which are known to transfer data in plain text," Gupta notes. "The security implications of this cannot be overstated, and I'd argue that there is absolutely no reason to be using these protocols in 2019."

The Mirai malware of 2016, for instance, exploited such weaknesses in IoT products to enable attackers to quickly assemble botnets for launching DDoS attacks. There are other concerns, too. Many IoT products that people use at home are found in work environments as well, especially printers, cameras and TVs, Gupta says.

"If a gadget at home is compromised and that employee unknowingly uses their work laptop on the same Wi-Fi, a cyberattacker can infiltrate the computer, too," he says.

The Avast-sponsored study shows that despite a large number of branded IoT products around the world, the number of manufacturers is surprisingly small.

"There's a long tail of more than 14,000 IoT manufacturers globally," he says. "Yet an overwhelming majority of all devices — 94% — are made by the same 100. Half are made by the same 10."

This market dominance means the onus for building strong privacy and security postures for IoT products rests with a handful of companies.

"Device manufacturers — at the very least, the top 100 — need to incorporate stronger security principles into their software development process," Gupta says. Consumers, meanwhile, should consider security controls that can observe traffic at the router-level, identify irregular device behavior, and quarantine malicious network flows or infected devices.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
REISEN1955,
User Rank: Ninja
6/24/2019 | 3:44:51 PM
Re: Consumers should consider security controls?
Have to agree - consumers in general know nothing about computers much less security much less what a secure password is. "Oh, you mean I should change it?" "But it was so easy to remember." This is an old issue and it ain't going away ever. Live with it.

Ending is indeed classic: consumers will understand this? Consumers, meanwhile, should consider security controls that can observe traffic at the router-level, identify irregular device behavior, and quarantine malicious network flows or infected devices.

If I tried that on a residential account ==== blank stare for maybe a week. 
BadWiscoJ,
User Rank: Apprentice
6/19/2019 | 12:14:21 PM
Consumers should consider security controls?
The last comment in your article states that "Consumers, meanwhile, should consider security controls that can observe traffic at the router-level, identify irregular device behavior, and quarantine malicious network flows or infected devices." How exactly do you expect them to do that? Consumers just aren't knowledgeable enough to do something like this.
nomad52,
User Rank: Apprentice
6/19/2019 | 8:24:41 AM
well duh
This was old news among security auditors three years ago. Nearly zero has been done to secure these devices, identify the actual risks, get vendors to patch vulnerabilities or a useful mechanism to apply the patches.

I keep wondering what it will take to clean up this mess.