Door opener IoT: 90 percent of firmware files contain critical security vulnerabilities

The Internet of Things is a door opener – in two ways. On the one hand, IoT companies open up new lucrative business areas and enable a fully networked business world. On the other hand, IoT devices are also ideal hacker gateways, increasing the cyber-attack area of ​​businesses immensely.

The fact is, the security of IoT devices is still severely neglected and their firmware is usually swarming with vulnerabilities, much to the delight of cyber attackers. As recent research by the IoT Inspector firmware analysis platform has shown, more than 90 percent of the firmware files had critical vulnerabilities. These include hard-coded passwords in the firmware file system, system configuration vulnerabilities, or SSH host keys. However, the most frequently identified vulnerability – and thus n°1 vulnerability  – are hidden standard user credentials, according to the report.

 

20 backdoors in network camera: a stroke of luck for hackers

Let’s have a brief look into the network camera of an American provider of surveillance systems. Here, the static and dynamic firmware analysis of the IoT Inspector was able to identify a total of 26 different user accounts, even though the corresponding manual only listed three corresponding accounts. This network camera – actually used for security purposes – bore no less than 20 backdoors, including a Trojan horse.

 

The recent headlines about the presumed hack by Russian hacker group APT28 show that vulnerabilities such as these are also exploited by cybercriminals. The criminals, to whom the burglaries in the Bundestag, the Foreign Office as well as manipulation of the last US elections are attributed, attacked corporate networks via a VoIP phone, an office printer and a video player in order to access the root and expand from there., Unmodified default passwords set by the manufacturer and neglected critical security updates played into their hands.

 

Lack of risk awareness

If classic end-devices such as PCs, servers or notebooks are nowadays adequately monitored and, thanks to innovative AI-based endpoint protection, more and more effectively secured, the danger posed by IoT devices is still greatly underestimated and the corresponding security checks are prioritized with fatal consequences. However, printers, webcams, routers, Wi-Fi access points, and climate controls are at least as vulnerable as the classic computer, offering attackers the same ability to infiltrate networks or capture sensitive data. Consider the latest headlines about ransomware attacks on Canon SLR cameras.

 

Safety tests show where action is needed

As long as market leaders such as Cisco or Microsoft fail to deliver firmware free from vulnerabilities, companies and service providers are urged to actively seek out vulnerabilities in devices themselves. In order not to experience any nasty surprises later on, the firmware of new IoT devices ideally must be checked for vulnerabilities such as hard-coded hashes even before they are used. Only this way can protective and defense measures, such as firewall configurations, be adjusted in time.

Author: Rainer Richter, Director Channel, SEC Technologies