Lots of vulnerabilities in IoT device Web interfaces: Study

CISOs have lots on their plates but the expansion of the so-called Internet of Things will only add to their headaches.

That’s becoming clear with many reports that the software behind IoT devices often isn’t up to enterprise security standards. The latest is a research paper presented by European security researchers at last week’s DefCamp conference in Romania that found serious problems in Web interfaces of IoT devices.

Using a framework they created to analyze firmware, the researchers found serious vulnerabilities in at least 24 per cent of the Web interfaces they were able to emulate, including 225 high impact vulnerabilities by automatic analysis. Following up with static analysis, 9,271 issues were found in 185 firmware images. Devices tested included routers, DSL/cable modems, VoIP phones and IP/CCTV cameras.

The situation could be worse, they suggest, because the emulation quality of their scanner could be improved.

“These results show that some embedded systems manufacturers need to start considering security in their software life-cycle, e.g., using off-the-shelf security scanners as part of their product quality assurance,” the authors conclude.

Porous Web interfaces are a problem because they can be exploited through SQL injection, cross-site scripting, cross-site request forgery, command injection and HTTP response splitting. Developers who have security in mind when writing their software will help cut down the problem, but the researchers note that static analysis of the code, or dynamic analysis of the Web interfaces against known attack patterns, is still needed to discover vulnerabilities and issue patches. So the tool the researchers built, which emulates firmware, has a practical use.
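As an added illustration of the static-analysis approach described above (example code written for this article, not the researchers' framework), the following minimal scanner flags lines of a PHP-style embedded Web interface where an unsanitised request parameter reaches a dangerous sink. The sample firmware code is constructed, and the sink and sanitiser lists are an assumption; real analyzers track data flow far more thoroughly than this straight-line pass.

```python
import re

# Constructed sample of PHP-style code as found in an embedded Web UI
# (not taken from the paper or from any real device firmware).
SAMPLE_PHP = """\
<?php
$host = $_GET['host'];
system("ping -c 1 " . $host);                        // command injection
$id = $_POST['id'];
mysql_query("SELECT * FROM users WHERE id=" . $id);  // SQL injection
echo "<b>" . $_REQUEST['name'] . "</b>";             // reflected XSS
header("Location: " . $_GET['next']);                // response splitting
$safe = escapeshellarg($_GET['iface']);
system("ifconfig " . $safe);                         // sanitised, not flagged
"""

# Assumed source, sink and sanitiser lists; extend for a real code base.
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
SINKS = {
    "command injection": re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\("),
    "SQL injection": re.compile(r"\b(mysql_query|mysqli_query|sqlite_query)\s*\("),
    "cross-site scripting": re.compile(r"\b(echo|print)\b"),
    "HTTP response splitting": re.compile(r"\bheader\s*\("),
}
SANITISERS = re.compile(
    r"\b(escapeshellarg|escapeshellcmd|htmlspecialchars|intval|mysql_real_escape_string)\s*\("
)
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);")


def scan_php(src: str) -> list[tuple[int, str]]:
    """Return (line_number, category) for each sink fed by unsanitised user input.

    Taint is propagated through simple assignments in source order only;
    a sanitiser call on a line clears the taint for that assignment/sink.
    """
    tainted: set[str] = set()
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        code = line.split("//")[0]  # drop trailing line comments
        if m := ASSIGN.match(code):
            var, rhs = m.groups()
            if SANITISERS.search(rhs):
                tainted.discard(var)
            elif SOURCES.search(rhs) or any(re.search(re.escape(v) + r"\b", rhs) for v in tainted):
                tainted.add(var)
        user_controlled = bool(SOURCES.search(code)) or any(
            re.search(re.escape(v) + r"\b", code) for v in tainted
        )
        if not user_controlled or SANITISERS.search(code):
            continue
        findings.extend((lineno, cat) for cat, sink in SINKS.items() if sink.search(code))
    return findings


if __name__ == "__main__":
    for lineno, category in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: possible {category}")
```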

In fact the implication of their work is that manufacturers of the tested devices could have found the vulnerabilities.

Manufacturers are aware of the potential problem. A number banded together in September to create the Internet of Things Security Foundation to promote best practices, although it will not set standards. Members include big names such as Siemens, Vodafone, Webroot and BT (British Telecom). The organization’s first plenary meeting will be held Nov. 30 in London to firm up its constitution and structure. It can only be hoped that membership swells.

Still, it is the obligation of CISOs and security teams to question suppliers about the application development practices behind the devices they buy. There are warning signs that can tip buyers off about potentially insecure devices, such as those that only demand four-digit PIN passwords, lack strong access control or have open inbound ports.

Whether IoT devices are a threat to an organization will depend on the device and its use — if it collects personal or financial information, or connects to a network that has access to that data, for example. This research suggests small businesses may be the most at risk.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com