
IoT devices lacking basic security assessments

19 Sep 2019

In a new cybersecurity study of network attached storage (NAS) systems and routers, a follow-up to research it conducted in 2013, consulting and research firm Independent Security Evaluators (ISE) found 125 vulnerabilities in 13 IoT devices, reaffirming an industry-wide lack of basic security diligence.

The vulnerabilities discovered in the SOHOpelessly Broken 2.0 research likely affect millions of IoT devices.

“Our results show that businesses and homes are still vulnerable to exploits that can result in significant damage,” says ISE lead researcher Rick Ramgattie.

“These issues are completely unacceptable in any current web application. Today, security professionals and developers have the tools to detect and fix most of these types of issues which we found, exploited, and disclosed six years ago. Our research shows that they are still regularly found in IoT devices.”

An attacker can obtain a foothold within business and home networks and use it to exploit and compromise additional network devices, snoop on information that passes through the devices, reroute traffic, disable the network, and perform additional outbound attacks on other targets from the victims’ networks.

In the 2013 study, SOHOpelessly Broken 1.0, ISE uncovered and disclosed 52 vulnerabilities across 13 devices.

In this follow-up study, evaluating a group of both routers and NAS systems, ISE discovered more than twice the previous count, resulting in 125 CVEs (Common Vulnerabilities and Exposures, which are unique identifiers assigned to vulnerabilities in software products).

ISE selected devices from a range of manufacturers.

Products ranged from devices designed for homes and small offices to high-end devices designed for enterprise use.

In addition to new devices, ISE included some devices from earlier research to determine whether manufacturers have improved their security approach or practices over the years.

Key Findings

In nearly all the devices (12 of the 13), ISE achieved its goal of obtaining remote root-level access.

The table below shows the types of vulnerabilities that ISE identified in the targets.

All 13 of the devices evaluated by ISE had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device’s shell or gain access to the device’s administrative panel.

ISE obtained root shells on 12 of the devices, allowing complete control over the device.

Six of them can be remotely exploited without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.
