For many smart device owners, the only line of defense against run-of-the-mill hacking operations remains keeping the gadgets updated with the latest firmware from the vendor. Patches are not always available when a vulnerability is publicly disclosed, and users often do not even know that an update exists for their devices, creating a window of opportunity for attackers.
This gap in the security state of IoT devices may be on track to extinction, as attackers advance methods of finding and exploiting vulnerable systems with tools that automate most of the undertaking. Limiting the damage is possible if manufacturers adapt to the changing threat landscape, act on responsible disclosure reports and push a fix directly to devices ahead of public vulnerability notifications.
Case in point: a recently released security tool can automate the steps for finding and exploiting targets online. AutoSploit is a script that binds together the Shodan search engine for internet-connected hardware and Metasploit, a penetration testing framework that incorporates exploit code for publicly disclosed vulnerabilities. Once started, AutoSploit dictates the course of action, finding particular devices and tossing the matching exploits at them.
Although it has the potential for responsible use, the tool demands little competence from attackers in its current form, allowing them to gain control over a large number of devices and turning the creation of an IoT botnet into a point-and-click game. For this reason, the release of AutoSploit created ripples of controversy in the security industry; similar reactions surfaced when Shodan and Metasploit launched, but both are now essential components of legitimate security work.
Much of the criticism is spurred by the current dearth of vendors who offer automatic updates for their products to make sure that online devices benefit from the latest firmware version. From a security standpoint, the feature is like a self-immunization ability for smart gadgets, shielding them from attacks targeting known vulnerabilities: when a security bug is reported and fixed, clients receive the patch and install it either silently or with minimal intervention from the user.
Hackers automate as much of their work as possible and already concoct scripts and utilities for this purpose; AutoSploit is just an easy-grab alternative. Spending a little extra for a product that can update itself is an investment in protecting your privacy and potentially your money; at the same time, companies that do not deliver such a feature are forced to follow the “trend” or sink.
AutoSploit may turn the tables on the current update delivery paradigm and push IoT makers in the right direction if one consequence of its release is the compromise of a barrage of insecure smart devices. Even if the armies of enslaved equipment are not used for mischief, the outcome itself should be sufficient for stronger intervention from both the public and private sector to enforce security standards and educate consumers.
In the meantime, you can opt for an automated alternative to determine which of your devices are vulnerable and need patching; Bitdefender BOX takes care of this problem and stops attacks before they do any damage.
Image credit: distel2610