SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Do not wait: Look at your IoT devices now
Fri, 3rd Apr 2020

The outbreak of COVID-19 is serving as a reminder of how much modern society relies on high levels of connectivity, as more work places shut down and people transition to working remotely.

As millions of people become confined to their homes, the security of Internet of Things devices has never been so important, according to consulting firm Protiviti, which is warning organisations not to wait and to check the security of their devices now.

A recent flash report from Protiviti reveals that IoT devices remain vulnerable despite being commonplace.

The report highlights a set of Bluetooth Low Energy vulnerabilities (deadlocks, crashes, buffer overflows and security bypasses) that could be used to attack thousands of IoT devices. The flaws were recently discovered by researchers from the Singapore University of Technology and Design.

Twelve vulnerabilities in total have been reported, affecting seven major system-on-a-chip (SoC) vendors whose chips are built into more than 480 different IoT devices.

According to the report, potentially impacted devices include, but are not limited to:

  • Medical devices
  • Building automation
  • Security systems
  • Automotive devices
  • Connected lighting devices
  • Smart home products
  • Consumer electronics

Proof-of-concept exploit code has also been published, demonstrating the vulnerabilities, their different impacts on the Bluetooth Low Energy (BLE) implementations within the SoC chipsets, and how they can be exploited, Protiviti says.

"With this code now being made freely available to the public, the probability that cybercriminals will attempt to abuse these vulnerabilities in the near future is highly likely," the company explains.

"It is important for organisations to take action immediately to determine if they already have affected devices deployed and if so, take steps to patch them or mitigate the risk of exploitation."

Protiviti says companies that use or manufacture Bluetooth-enabled IoT devices should take immediate steps which include: 

  1. Review IoT device inventory and determine if any of the devices use the affected chips.
  2. Contact the device vendors to determine if devices are affected by the vulnerabilities.
  3. For devices that have BLE capabilities, rank/prioritise devices in terms of need and potential impact to the business and determine if their BLE functionality can be disabled.
  4. If BLE cannot be disabled, ask the device vendor if a patch has been released or will be released, as well as the anticipated timeframe and how to apply the patch.
  5. For affected systems that cannot be patched, develop compensating controls such as restricting physical access to the devices to prevent an attacker from getting within BLE range.
  6. Monitor these devices for anomalous activity and educate users to be aware of the associated risks and attack methods.
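Steps 1 to 5 above are a triage procedure that is easy to script once the vendor advisories are in hand. The following Python example is added here and is not part of the Protiviti report; the SoC vendor and family names, the "first fixed firmware" versions and the inventory rows are all constructed placeholders that you would replace with the data your chip and device vendors give you in step 2. It matches each inventory row against the affected-chip list, checks whether the installed firmware is already at or above the fixed version, and assigns an action and priority from the device's business criticality and whether its BLE function can be switched off.

```python
"""Triage a BLE device inventory against a list of affected SoC chips.

Added example, not from the Protiviti report. AFFECTED_CHIPS, the
fixed-firmware versions and INVENTORY_CSV are constructed placeholders.
"""
import csv
import io
from dataclasses import dataclass

# Constructed placeholder: (SoC vendor, SoC family) -> first firmware version
# the vendor reports as fixed. None means no fix has been released yet.
AFFECTED_CHIPS = {
    ("VendorA", "BLE-SoC-1"): "2.3.0",
    ("VendorB", "BLE-SoC-7"): None,
}

# Constructed sample inventory. 'criticality' is business impact on a 1-5
# scale; 'ble_required' says whether the device's function depends on BLE.
INVENTORY_CSV = """\
asset_id,name,soc_vendor,soc_family,firmware,criticality,ble_required
A-001,Infusion pump,VendorA,BLE-SoC-1,2.1.4,5,yes
A-002,Door controller,VendorB,BLE-SoC-7,1.0.9,4,no
A-003,Lobby light,VendorA,BLE-SoC-1,2.3.1,1,yes
A-004,Thermostat,VendorC,BLE-SoC-2,3.0.0,2,yes
A-005,Badge reader,VendorB,BLE-SoC-7,1.1.0,3,yes
"""


def parse_version(version):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Action:
    asset_id: str
    affected: bool
    action: str
    priority: int  # higher means act sooner


def triage_row(row):
    """Decide the action for one inventory row (steps 1, 3, 4 and 5 of the procedure)."""
    chip = (row["soc_vendor"], row["soc_family"])
    criticality = int(row["criticality"])

    if chip not in AFFECTED_CHIPS:
        return Action(row["asset_id"], False, "not affected; no action", 0)

    fixed = AFFECTED_CHIPS[chip]
    if fixed is not None and parse_version(row["firmware"]) >= parse_version(fixed):
        # Already on fixed firmware; still worth confirming with the vendor.
        return Action(row["asset_id"], True, "already patched; verify with vendor", 1)

    if row["ble_required"].strip().lower() != "yes":
        # Cheapest mitigation: turn the radio off where the device does not need it.
        return Action(row["asset_id"], True, "disable BLE", criticality)

    if fixed is not None:
        return Action(row["asset_id"], True,
                      f"patch firmware to >= {fixed}", criticality + 1)

    # No patch and BLE is needed: compensating controls only (step 5 and 6).
    return Action(row["asset_id"], True,
                  "no patch: restrict physical access to BLE range and monitor",
                  criticality + 2)


def triage_inventory(csv_text):
    """Return actions for every row, highest priority first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted((triage_row(r) for r in rows), key=lambda a: -a.priority)


if __name__ == "__main__":
    for a in triage_inventory(INVENTORY_CSV):
        print(f"{a.priority:>2}  {a.asset_id}  {a.action}")
```

The priority scheme is deliberately simple (criticality plus a small penalty when the fix is harder to apply) so that the ordering is explainable to the people who have to act on it; the important property is that an unpatchable, BLE-dependent device with high business impact lands at the top of the list.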