
9/29/2015
10:30 AM
Oliver Tavakoli
Commentary

The Unintended Attack Surface Of The Internet Of Things

How a vulnerability in a common consumer WiFi device is challenging today's enterprise security.

Researchers at Vectra Threat Labs recently performed a detailed analysis of vulnerabilities found in a common Belkin wireless repeater. And while a consumer WiFi product may seem like an odd choice for intensive threat research, vulnerabilities in consumer and Internet of Things gear can end up having a much larger impact on enterprise security than you might think.

It’s no surprise that end users are almost always the initial targets of attackers, and vulnerabilities in users’ consumer devices can enable that all-important initial infection. Vulnerabilities in a wireless repeater, like those analyzed by Vectra Threat Labs, provide a natural opportunity to man-in-the-middle a user, and redirect or manipulate user traffic in the process.

Even more important is the fact that consumer technology provides a preview of the types of challenges that enterprises are already beginning to face with the rise of the Internet of Things. Let’s take the Belkin vulnerabilities as a case in point. The vulnerabilities all share a fairly simple coding error in which the code takes input from a user and passes it directly to the operating system.

For example, the system may be expecting user input such as the user’s PIN, but an attacker could input commands to reboot the device, which the system would dutifully execute. It is also important to note that these sorts of vulnerabilities are not rare. The SOHOpelessly Broken contest at DEFCON revealed a variety of vulnerabilities in consumer routers.
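The coding error described above, shown beside a corrected form. This is an added illustration, not code from the Belkin firmware or from the Vectra analysis; the helper path `/usr/sbin/set_pin`, the 8-digit PIN format, and all function names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PIN_LEN 8 /* assumption: the device expects a fixed 8-digit PIN */

/* BEFORE: the pattern described above. The input is spliced into a command
 * line that a caller would hand to system(), so the shell parses it. */
int build_cmd_unsafe(char *out, size_t n, const char *pin) {
    return snprintf(out, n, "/usr/sbin/set_pin %s", pin); /* hypothetical helper */
}

/* AFTER, step 1: allowlist. Accept exactly PIN_LEN ASCII digits. */
int pin_is_valid(const char *pin) {
    if (strlen(pin) != PIN_LEN) return 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        if (!isdigit((unsigned char)pin[i])) return 0;
    return 1;
}

/* AFTER, step 2: run the helper without a shell. The PIN is a single argv
 * entry, so no character in it can be interpreted as command syntax. */
int set_pin_safe(const char *helper, const char *pin) {
    if (!pin_is_valid(pin)) return -1;          /* rejected before any exec */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)pin, NULL };
        execv(helper, argv);
        _exit(127);                             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    const char *inputs[] = { "12345678", "1234; reboot" }; /* constructed */
    char cmd[128];
    for (size_t i = 0; i < 2; i++) {
        build_cmd_unsafe(cmd, sizeof cmd, inputs[i]);
        printf("unsafe would run: sh -c \"%s\"\n", cmd);
        printf("allowlist verdict: %s\n", pin_is_valid(inputs[i]) ? "accept" : "reject");
    }
    return 0;
}
```

Either fix alone closes this particular hole; using both means a later change to the accepted PIN format cannot reintroduce shell parsing.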

In the Belkin case, insecure coding practices are the tip of the iceberg. The bigger issue is the length of time these vulnerabilities have existed in the wild. The original Belkin firmware was dated June 27, 2012, and the first and only update was dated May 6, 2015. The vulnerability existed unpatched for just shy of 3 years. In addition, the HP Tipping Point Zero Day Initiative first reported the vulnerabilities to Belkin on November 11, 2014. The coordinated advisory was not published until July 20, 2015. This means that there was an 8-month lag between disclosure and the fix.

Unfortunately, this sort of response time is likely to become more common with consumer and IoT devices. For example, a company that sells industrial HVAC equipment decides to add network connectivity to its products to improve manageability of the unit. Since networking is not its core business, the company chooses to outsource the network integration to a third party that may or may not use secure coding practices. Once the project is complete, the code could remain unchanged and effectively unsupported.

Stopping every unknown exploit against a wireless repeater, air conditioner, or any of the thousands of other devices on the market is an impossible task. But as IoT subtly creeps into an organization, the combination of poorly written code and infrequent updates will surely lead to a broader and less manageable attack surface. It’s time for the modern enterprise to take notice. 

Oliver Tavakoli is the chief technology officer at Vectra Networks, Inc.
Comments
Charlie Babcock,
User Rank: Ninja
9/29/2015 | 9:31:52 PM
Are you embracing the IoT with your eyes closed?
I think the casual Internet of Things and the industrial Internet of Things will look quite different, and there will be protections for those who know how and care to use them. I don't think many IT staffs are going into the Internet of Things with their eyes closed and fingers crossed, but I could be wrong.
Joe Stanganelli,
User Rank: Ninja
9/29/2015 | 9:45:13 PM
Re: Are you embracing the IoT with your eyes closed?
I'm sure there are at least a few organizations taking the not-even crossing-their-fingers-because-they-aren't-even-thinking-about-it approach -- as many often do with all kinds of security threats.
Dr.T,
User Rank: Ninja
9/30/2015 | 10:24:00 AM
Re: Are you embracing the IoT with your eyes closed?
Agree. Some take it quite seriously because of their past experiences with government agencies and the troubles that they had to go through. But most do not even care.
Dr.T,
User Rank: Ninja
9/30/2015 | 10:20:47 AM
Re: Are you embracing the IoT with your eyes closed?
I wish you were correct. But all these startups have an idea in mind which lacks security. They do not have the time and money to spend on investigating what consequences we would face if my toaster talks to my fridge.
Joe Stanganelli,
User Rank: Ninja
9/29/2015 | 9:43:30 PM
Networking hardware
Networking equipment at the consumer (and even, sometimes, at the enterprise) level is notoriously insecure.  Experts have predicted that at least 1/5 of all routers, for instance, have some backdoor or other exploit.

The NSA even took advantage of this fact with some of the organizations it infiltrated.
Dr.T,
User Rank: Ninja
9/30/2015 | 10:22:18 AM
Re: Networking hardware
I would agree with that. That is why it is important to have a layered security approach. No error-free device in this planet.
Joe Stanganelli,
User Rank: Ninja
10/11/2015 | 8:13:17 PM
Re: Networking hardware
"No error-free device in this planet."

Of course, most of those errors -- let's face it -- are PEBKAC errors.

(PEBKAC = "Problem Exists Between Keyboard And Chair")
Dr.T,
User Rank: Ninja
9/30/2015 | 10:17:35 AM
IoT security
Nobody pays attention to the security and vulnerabilities that IoT will create for other systems around them. Everybody is focused on getting an IoT device out to the market. Home devices and wearables are the real next stages of security problems we will be hearing about more often than less.
Dr.T,
User Rank: Ninja
9/30/2015 | 10:24:28 AM
Everything is coding error
Most of the vulnerabilities are either miscoding or misconfiguration of the system. Some bugs may result in a vulnerability, some others may not. Remember, there is no error-free application.