
IoT devices lacking basic security assessments

19 Sep 2019

In a new cybersecurity study of network attached storage (NAS) systems and routers, a follow-up to its 2013 research, consulting and research firm Independent Security Evaluators (ISE) found 125 vulnerabilities in 13 IoT devices, reaffirming an industry-wide lack of basic security diligence.

The vulnerabilities discovered in the SOHOpelessly Broken 2.0 research likely affect millions of IoT devices.

“Our results show that businesses and homes are still vulnerable to exploits that can result in significant damage,” says ISE lead researcher Rick Ramgattie.

“These issues are completely unacceptable in any current web application. Today, security professionals and developers have the tools to detect and fix most of these types of issues which we found, exploited, and disclosed six years ago. Our research shows that they are still regularly found in IoT devices.”

An attacker can obtain a foothold within a business or home network and use it to exploit and compromise additional network devices, snoop on information that passes through the devices, reroute traffic, disable the network, and perform additional outbound attacks on other targets from the victims’ networks.

In the 2013 study, SOHOpelessly Broken 1.0, ISE uncovered and disclosed 52 vulnerabilities across 13 devices.

In this follow-up study, evaluating a group of both routers and NAS systems, ISE discovered more than twice the previous count, resulting in 125 CVEs (Common Vulnerabilities and Exposures, which are unique identifiers assigned to vulnerabilities in software products).

ISE selected devices from a range of manufacturers.

Products ranged from devices designed for homes and small offices to high-end devices designed for enterprise use.

In addition to new devices, ISE included some devices from earlier research to determine whether manufacturers have improved their security approach or practices over the years.

Key Findings

In nearly all the devices (12 of the 13), ISE achieved its goal of obtaining remote root-level access.

The table below shows the types of vulnerabilities that ISE identified in the targets.

All 13 of the devices evaluated by ISE had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device’s shell or gain access to the device’s administrative panel.

ISE obtained root shells on 12 of the devices, allowing complete control over the device.

Six of them can be remotely exploited without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.
