Story image

IoT devices lacking basic security assessments

19 Sep 2019

In a new, follow-up cybersecurity study of network attached storage (NAS) systems and routers since 2013, consulting and research firm Independent Security Evaluators (ISE) found 125 vulnerabilities in 13 IoT devices, reaffirming an industrywide problem of a lack of basic security diligence.

The vulnerabilities discovered in the SOHOpelessly Broken 2.0 research likely affect millions of IoT devices.

“Our results show that businesses and homes are still vulnerable to exploits that can result in significant damage,” says ISE lead researcher Rick Ramgattie.

“These issues are completely unacceptable in any current web application. Today, security professionals and developers have the tools to detect and fix most of these types of issues which we found, exploited, and disclosed six years ago. Our research shows that they are still regularly found in IoT devices.”

An attacker can obtain a foothold within a network in businesses and homes to exploit and compromise additional network devices, snoop information that passes through the devices, reroute traffic, disable the network, and perform additional outbound attacks on other targets from the victims’ networks.

In the 2013 study, SOHOpelessly Broken 1.0, ISE uncovered and disclosed 52 vulnerabilities across 13 devices.

In this follow-up study, evaluating a group of both routers and NAS systems, ISE discovered more than twice the previous count, resulting in 125 CVEs (Common Vulnerabilities and Exposures, which are unique identifiers assigned to vulnerabilities in software products).

ISE selected devices from a range of manufacturers.

Products ranged from devices designed for homes and small offices to high-end devices designed for enterprise use.

In addition to new devices, ISE included some devices from earlier research to determine whether manufacturers have improved their security approach or practices over the years.

Key Findings

In nearly all the devices (12 of the 13), ISE achieved its goal of obtaining remote root-level access.

The table below shows the types of vulnerabilities that ISE identified in the targets.

All 13 of the devices evaluated by ISE had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device’s shell or gain access to the device’s administrative panel.

ISE obtained root shells on 12 of the devices, allowing complete control over the device.

Six of them can be remotely exploited without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.