Most people don’t see past the functionality of connected devices and are rarely aware of the risk they pose to the home network. Many assume the worst outcome of a compromised smart product is that it joins a botnet, which would not affect them noticeably.
This assumption can be very wrong. ISPs can disconnect service because of malicious activity. Moreover, IoT products often use the owner’s personal information (email, names, card data, passwords) and, in plenty of cases, its safeguarding is just an illusion.
Data from Bitdefender sensors and IoT security product Bitdefender BOX shows a regular home has more than 10 connected devices. Phones, tablets, game consoles, routers, access points, printers, IP cameras or thermostats are the norm in a home’s connected ecosystem and could become entry points to the home network perimeter. Add true IoTs (light bulbs, appliances) and the attack surface increases; think 100 billion of them across the world and the picture becomes fuller.
IoTs are basically small computers that usually come with limited processing power. Bitdefender Chief Security Researcher Alexandru Balan says security goes beyond encrypting communications and into the realm of application code, and most running services are vulnerable because they have not been updated.
One way to know if a product follows good security practices is to check whether it has an automatic firmware update feature, says Balan. This mechanism permits the manufacturer to deploy revised code on all devices, without user intervention. Only companies with strong security awareness embrace this practice at the moment. A larger number of devices either do not benefit from updates at all or make it difficult for the user to apply them. These devices, generally exposed to the Internet, are easy to compromise and prone to leaking sensitive user details.
Among the insecure practices Balan sees in IoT devices are vendor backdoor accounts, open Telnet, and weak or no encryption, or just data obfuscation, when communicating with the server. The most frequent vulnerability is command injection, says the researcher. This flaw allows execution of arbitrary commands on the host by inserting them into supplied data (e.g. forms, HTTP headers), and it exists because of insufficient input validation.
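The command injection flaw described above, shown as an added example that is not from Bitdefender or any device's firmware: a hypothetical router "ping" diagnostic that pastes a form field into a shell command line, next to a hardened version that validates the field and builds an argument list with no shell. The binary path, function names and the sample form value are assumptions made for illustration.

```python
import ipaddress
import shlex

PING = "/bin/ping"  # assumed binary path on a hypothetical device


def unsafe_command(host):
    """Vulnerable pattern: a form field is pasted into a shell command line."""
    return f"{PING} -c 1 {host}"


def shell_commands(cmdline):
    """Tokenise roughly like a POSIX shell and return one argv per command.

    Nothing is executed; this only makes visible how operators such as ';'
    turn one intended command into several. It is an approximation, not a
    full shell parser.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in {";", "&", "&&", "|", "||"}:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [argv for argv in commands if argv]


def safe_argv(host):
    """Hardened pattern: strict validation, then an argv list with no shell."""
    addr = ipaddress.IPv4Address(host)  # ValueError for anything but dotted-quad IPv4
    # The result is meant for subprocess.run(argv), which uses no shell by default.
    return [PING, "-c", "1", str(addr)]


if __name__ == "__main__":
    field = "192.0.2.1; echo INJECTED"  # constructed form value
    print(shell_commands(unsafe_command(field)))
    try:
        print(safe_argv(field))
    except ValueError as exc:
        print("rejected:", exc)
```

The unsafe path yields two commands from one form field, while the hardened path rejects the same value before any process is started.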
Cross-site scripting (XSS) in routers is also common, Balan says. Exploiting it allows attackers to take over the router session of an authenticated user by simply sending a URL to the victim. This could result in instructing the router to take a specific action (e.g. change DNS to point to a malicious website).
Given enough information, an attacker could scan the web for vulnerable devices and execute an automated attack to compromise them. This practice has not spread yet, but it could in the future.
One way to reduce vulnerabilities in IoT devices is for all manufacturers to follow common security practices. Companies like Google, Amazon and IBM are making efforts, but have not gained enough traction to create a large community of manufacturers.