Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
6/19/2019
08:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Insecure Home IoT Devices a Clear and Present Danger to Corporate Security

Avast-sponsored study shows wide prevalence of IoT devices, many with weak credentials and other security vulnerabilities.

Nearly three years after the Mirai distributed denial-of-service (DDoS) attacks, the danger to corporate networks from insecure consumer Internet of Things (IoT) devices appears to have grown.

Researchers from Avast Software, in collaboration with researchers from University of Illinois Urbana-Champaign and Stanford University, recently analyzed data from 83 million Internet-connected devices in some 16 million homes globally to better understand how they are deployed, as well as how secure they are. Devices scanned included home routers, game consoles, printers, scanners, home IP cameras, and home automation devices, such as smart thermostats. Computers and phones were excluded from the IoT classification in the study.

The research highlights not only the prevalence of IoT devices, but also their inherent vulnerabilities, says Rajarshi Gupta, vice president and head of AI at Avast. 

According to the study, one-third of the homes has at least one IoT device. In North America, the number is double, at 66%. The research shows that one in four homes in North America have three or more IoT devices, and 9% have six or more.

Media devices, such as smart TVs and streaming devices, are by far the most common IoT devices in a majority of geographies. However, beyond that, the types of IoT devices installed in home networks tend to vary widely by region.

For example, Internet-connected home surveillance equipment is the most common IoT device across several parts of Asia; work appliances, like printers, are more prevalent in Africa; and voice and home assistant devices, such as those from Amazon and Google, are substantially more common in North America than anywhere else.

Security Concerns
Disturbingly, millions of the devices in the Avast study have security weaknesses, such as open services, weak default credentials, and vulnerabilities to known attacks. Millions of devices, for instance, are still using obsolete protocols, such as FTP and Telnet, Gupta says. In some parts of Africa, the Middle East, and Southeast Asia, as many as 50% of IoT devices still support FTP, and nearly 40% of home routers in Central Asia use Telnet.

Open and weak HTTP credentials are another major concern with a significant proportion of routers that Avast and the other researchers analyzed. A small number of home routers in the study host publicly accessible services. But more than half (51.2%) that did also had a recently exploited vulnerability on them.

"Millions of IoT devices today still use obsolete protocols like Telnet and FTP, both of which are known to transfer data in plain text," Gupta notes. "The security implications of this cannot be overstated, and I'd argue that there is absolutely no reason to be using these protocols in 2019."

The Mirai malware of 2016, for instance, exploited such weaknesses in IoT products to enable attackers to quickly assemble botnets for launching DDoS attacks. There are other concerns, too. Many IoT products that people use at home are found in work environments as well, especially printers, cameras and TVs, Gupta says.

"If a gadget at home is compromised and that employee unknowingly uses their work laptop on the same Wi-Fi, a cyberattacker can infiltrate the computer, too," he says.

The Avast-sponsored study shows that despite a large number of branded IoT products around the world, the number of manufacturers is surprisingly small.

"There's a long tail of more than 14,000 IoT manufacturers globally," he says. "Yet an overwhelming majority of all devices — 94% — are made by the same 100. Half are made by the same 10."

This market dominance means the onus for building strong privacy and security postures for IoT products rests with a handful of companies.

"Device manufacturers — at the very least, the top 100 — need to incorporate stronger security principles into their software development process," Gupta says. Consumers, meanwhile, should consider security controls that can observe traffic at the router-level, identify irregular device behavior, and quarantine malicious network flows or infected devices.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
nomad52
50%
50%
nomad52,
User Rank: Apprentice
6/19/2019 | 8:24:41 AM
well duh
This was old news among security auditors three years ago.   nearly zero has been done to secure these devices, identify the actual risks, get vendors to path vulnerabilities or a useful mechanism to apply the patches. 

I keep wondereing what it will take to clean up this mess
BadWiscoJ
100%
0%
BadWiscoJ,
User Rank: Apprentice
6/19/2019 | 12:14:21 PM
Consumers should consider security controls?
The last comment in your article states that "Consumers, meanwhile, should consider security controls that can observe traffic at the router-level, identify irregular device behavior, and quarantine malicious network flows or infected devices." How exactly do you expect them to do that? Consumer's just aren't knowledgeable enough to do something like this.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
6/24/2019 | 3:44:51 PM
Re: Consumers should consider security controls?
Have to agree - consumers in general know nothing about computers much less security much less what a secure password is.  " Oh, you mean I should change it?"   " But it was so easy to remember."   This is an old issue and it ain't going away ever.  Live with it. 

Ending is indeed classic: consumers will understand this? Consumers, meanwhile, should consider security controls that can observe traffic at the router-level, identify irregular device behavior, and quarantine malicious network flows or infected devices.

If I tried that on a residential account ==== blank stare for maybe a week. 
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.