Researchers: Internet of Things large security threat

Posted 17 November 2015 17:44 CEST by Jan Willem Aldershoff

The Internet of Things (IoT), where more and more devices connect to the internet, is a large security threat, according to researchers from the French EURECOM and the German Ruhr University. Almost 25% of consumer devices aren’t properly secured. Either there are issues in the firmware, or the web portal that provides access to the device isn’t properly protected against threats.

[Image: Internet of Things. Credits: Wilgengebroed, Creative Commons 2.0]

The researchers investigated the firmware of routers, modems, VoIP phones, network cameras and other IoT devices that can be managed over the internet. By trying to modify the firmware with malicious software updates and by attacking the web portals of devices, they found many vulnerabilities. They created an automated test framework that allowed them to conduct a large number of tests.

In total, 1925 firmware images from 54 different manufacturers were investigated. The researchers found 9,200 vulnerabilities in 185 of these firmware images. Although only 8% of the firmware images contained PHP code in the web portal, they found 5,000 XSS (cross-site scripting) vulnerabilities in 143 firmware images.

The report confirms earlier reports of the insecurity of IoT devices. Some antivirus vendors are already working on software that should protect the home network against IoT vulnerabilities.



Xercus
Moderator
Posted on: 17 Nov 15 17:27
Nothing new here, only confirming what should already be known to most. The source 1511.03609v1.pdf was an interesting read though, as it gave background information. Thanks for linking to it.

For more information, I would recommend an interesting book I read on the subject:
Nitesh Dhanjani - Abusing the Internet of Things, Blackouts, Freakouts, and Stakeouts, August 2015.
"Major security breaches are near-daily events in the news. The frequency and scale of these breaches has made us somewhat numb. As modern societies, we have come to accept that the benefit we receive from adopting innovative technologies exceeds their cost and risk (at least in the short term)." - Taken from the foreword.

Quite an interesting 300-page read for anyone interested in the internet of things and the security.
0 Agree

TSJnachos117
MyCE Resident
Posted on: 24 Nov 15 22:33
This is why these firmwares should be open to modification by anyone. This way, if the company that wrote the firmware doesn't feel the need to update it (as is usually the case), anyone with the tools, time, skills, and desire can fix these vulnerabilities, making our lives more secure.

The best way to achieve this is to release these firmwares as free software, using licenses like the GNU GPL.
0 Agree

Xercus
Moderator
Posted on: 25 Nov 15 10:51
Quote:
Originally Posted by TSJnachos117
This is why these firmwares should be open to modification by anyone. This way, if the company that wrote the firmware doesn't feel the need to update it (as is usually the case), anyone with the tools, time, skills, and desire can fix these vulnerabilities, making our lives more secure.

The best way to achieve this is to release these firmwares as free software, using licenses like the GNU GPL.
* Xercus read your answer, turned and looked into his crystal ball, and saw a beautiful future *

Sadly, proprietary code linked to the product is still where it's at.
0 Agree

Ibex
CDFreaks Resident
Posted on: 22 Nov 16 21:19
It's the biggest hacking playground ever created.

Can't believe that figure of 25% though. 0.25% being properly secured seems nearer the mark. And the situation isn't much better with critical infrastructure. Would you trust your life to a set of IoT traffic lights communicating over WIFI secured with WEP! They're out there...

Shouldn't be too long before hackers retake top spot in the US National Intelligence Director's threat list.

https://www.youtube.com/watch?v=m1lhGqNCZlA
0 Agree

Xercus
Moderator
Posted on: 25 Nov 16 18:13
LOL, now I call it IDIoT {(I)ncredibly (D)angerous (I)nternet (o)f (T)hings} and I mean it from the bottom of my heart... these devices are all feature and no security from the start.

I hear them say that they will have to find me first, but they are simply light years behind. Scanning the entire IPv4 space is only an afternoon away and you feel lucky? GET REAL!

A little snappy in style, but it is true
0 Agree
