Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
6/19/2019
08:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Insecure Home IoT Devices a Clear and Present Danger to Corporate Security

Avast-sponsored study shows wide prevalence of IoT devices, many with weak credentials and other security vulnerabilities.

Nearly three years after the Mirai distributed denial-of-service (DDoS) attacks, the danger to corporate networks from insecure consumer Internet of Things (IoT) devices appears to have grown.

Researchers from Avast Software, in collaboration with researchers from University of Illinois Urbana-Champaign and Stanford University, recently analyzed data from 83 million Internet-connected devices in some 16 million homes globally to better understand how they are deployed, as well as how secure they are. Devices scanned included home routers, game consoles, printers, scanners, home IP cameras, and home automation devices, such as smart thermostats. Computers and phones were excluded from the IoT classification in the study.

The research highlights not only the prevalence of IoT devices, but also their inherent vulnerabilities, says Rajarshi Gupta, vice president and head of AI at Avast. 

According to the study, one-third of the homes has at least one IoT device. In North America, the number is double, at 66%. The research shows that one in four homes in North America have three or more IoT devices, and 9% have six or more.

Media devices, such as smart TVs and streaming devices, are by far the most common IoT devices in a majority of geographies. However, beyond that, the types of IoT devices installed in home networks tend to vary widely by region.

For example, Internet-connected home surveillance equipment is the most common IoT device across several parts of Asia; work appliances, like printers, are more prevalent in Africa; and voice and home assistant devices, such as those from Amazon and Google, are substantially more common in North America than anywhere else.

Security Concerns
Disturbingly, millions of the devices in the Avast study have security weaknesses, such as open services, weak default credentials, and vulnerabilities to known attacks. Millions of devices, for instance, are still using obsolete protocols, such as FTP and Telnet, Gupta says. In some parts of Africa, the Middle East, and Southeast Asia, as many as 50% of IoT devices still support FTP, and nearly 40% of home routers in Central Asia use Telnet.

Open and weak HTTP credentials are another major concern with a significant proportion of routers that Avast and the other researchers analyzed. A small number of home routers in the study host publicly accessible services. But more than half (51.2%) that did also had a recently exploited vulnerability on them.

"Millions of IoT devices today still use obsolete protocols like Telnet and FTP, both of which are known to transfer data in plain text," Gupta notes. "The security implications of this cannot be overstated, and I'd argue that there is absolutely no reason to be using these protocols in 2019."

The Mirai malware of 2016, for instance, exploited such weaknesses in IoT products to enable attackers to quickly assemble botnets for launching DDoS attacks. There are other concerns, too. Many IoT products that people use at home are found in work environments as well, especially printers, cameras and TVs, Gupta says.

"If a gadget at home is compromised and that employee unknowingly uses their work laptop on the same Wi-Fi, a cyberattacker can infiltrate the computer, too," he says.

The Avast-sponsored study shows that despite a large number of branded IoT products around the world, the number of manufacturers is surprisingly small.

"There's a long tail of more than 14,000 IoT manufacturers globally," he says. "Yet an overwhelming majority of all devices — 94% — are made by the same 100. Half are made by the same 10."

This market dominance means the onus for building strong privacy and security postures for IoT products rests with a handful of companies.

"Device manufacturers — at the very least, the top 100 — need to incorporate stronger security principles into their software development process," Gupta says. Consumers, meanwhile, should consider security controls that can observe traffic at the router-level, identify irregular device behavior, and quarantine malicious network flows or infected devices.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/24/2019 | 3:44:51 PM
Re: Consumers should consider security controls?
Have to agree - consumers in general know nothing about computers much less security much less what a secure password is.  " Oh, you mean I should change it?"   " But it was so easy to remember."   This is an old issue and it ain't going away ever.  Live with it. 

Ending is indeed classic: consumers will understand this? Consumers, meanwhile, should consider security controls that can observe traffic at the router-level, identify irregular device behavior, and quarantine malicious network flows or infected devices.

If I tried that on a residential account ==== blank stare for maybe a week. 
BadWiscoJ
100%
0%
BadWiscoJ,
User Rank: Apprentice
6/19/2019 | 12:14:21 PM
Consumers should consider security controls?
The last comment in your article states that "Consumers, meanwhile, should consider security controls that can observe traffic at the router-level, identify irregular device behavior, and quarantine malicious network flows or infected devices." How exactly do you expect them to do that? Consumer's just aren't knowledgeable enough to do something like this.
nomad52
50%
50%
nomad52,
User Rank: Apprentice
6/19/2019 | 8:24:41 AM
well duh
This was old news among security auditors three years ago.   nearly zero has been done to secure these devices, identify the actual risks, get vendors to path vulnerabilities or a useful mechanism to apply the patches. 

I keep wondereing what it will take to clean up this mess
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19729
PUBLISHED: 2019-12-11
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-inpu...
CVE-2019-19373
PUBLISHED: 2019-12-11
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parame...
CVE-2019-19374
PUBLISHED: 2019-12-11
An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5.5.1 prior to 5.5.1.8, 5.5.2 prior to 5.5.2.4, and 5.5.3 prior to 5.5.3.3 where a user can delete arbitrary files from the se...
CVE-2014-7257
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
CVE-2013-4303
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...