The Current State of IoT Security Sucks: Blame the Manufacturers

by | Mar 29, 2019

A recent 2019 Cyber Threat Report by SonicWall illustrates the alarming volume of IoT attacks that occur year-over-year. In my opinion, you can blame the manufacturers – and here’s why.

Source: SonicWall

Research has shown that one reason for the proliferation of these attacks is sloppy network security. In one of the earliest IoT botnet attacks ever recorded, attackers leveraged remotely accessible telnet servers that were running on IoT devices. Is this your fault or the manufacturer’s fault?

In this day and age, there is no reason I can think of that an IoT device needs to ship with a running telnet server that’s open to the Internet. If users need remote access, they should have to enable it themselves and use a secure protocol like SSH.

But even SSH can have its own issues.

Case in point: the Mirai botnet. Mirai targeted SSH and telnet protocols, exploiting both the default and hardcoded credentials. You don’t need to be a sophisticated attacker to leverage a device’s default and hardcoded credentials. Unfortunately, we see these hardcoded credentials far too often when we examine the firmware of IoT devices. Even new IoT devices on the market that are made by some well-known brands ship with default and hardcoded credentials. Again – Is this your fault or the manufacturer’s fault?

Another disturbing trend we see quite often with brand new IoT devices: they ship with already well-known, public vulnerabilities. And some of these vulnerabilities, in one example, date back to 2006! One last time – Is this your fault or the manufacturer’s fault?

It is believed that the VPNFilter attack leveraged some of these well-known, public vulnerabilities based on a report by Talos:

“At the time of this publication… all of the affected makes/models that we have uncovered had well-known, public vulnerabilities. Since advanced threat actors tend to only use the minimum resources necessary to accomplish their goals, we assess with high confidence that VPNFilter required no zero-day exploitation techniques.”

How about if manufacturers actually upgraded their open-source packages to the latest versions available? Isn’t it assumed the latest versions address the well-known vulnerabilities that could help prevent attacks like VPNFilter?

Instead of me blaming the manufacturers, perhaps the end-user should take a more active role in the security of their IoT devices. How? Let’s start by changing the default password and updating the firmware while they are initially setting up the device. This will help reduce the number of IoT attack vectors.

Though I encourage IoT end-users to take a more active role in their own security, it is just not feasible until the manufacturers make it easy to apply these security changes. Look at the iPhone, for example. Even my 70-year-old parents know how to apply the latest security and iOS updates! It’s stupid simple.

I believe manufacturers are to blame for the proliferation of IoT attacks by making these IoT devices easy to exploit. The sad thing is, these attacks are easily avoidable without any additional cost to the manufacturer.

Manufacturers need to step up and take responsibility for these security issues (close telnet ports, remove hardcoded credentials, update vulnerable open-source components) before the government steps in with their version of IoT security and slaps manufacturers with regulations and laws. That’s when it will get costly.
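Two of the manufacturer-side fixes listed above, telnet and hardcoded credentials, can be checked on a firmware image before it ships. The following is an added example, not code from this post or from any vendor's tooling; it assumes the image has already been unpacked to a directory, and `audit_rootfs`, `build_sample` and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

def audit_rootfs(root):
    """Audit an unpacked firmware root filesystem; return (kind, file, detail) findings."""
    findings = []
    # 1) Credentials baked into the image: an empty or real hash in the password field.
    for name in ("etc/passwd", "etc/shadow"):
        path = os.path.join(root, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if len(fields) < 2 or line.startswith("#"):
                    continue
                user, pw = fields[0], fields[1]
                if pw == "":  # no password required at all
                    findings.append(("empty-password", name, user))
                elif pw not in ("x", "*") and not pw.startswith("!"):
                    findings.append(("baked-in-hash", name, user))  # same hash on every unit
    # 2) Telnet started at boot: a non-comment line under /etc that launches telnetd.
    for dirpath, _dirs, files in os.walk(os.path.join(root, "etc")):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # unpacked images often hold links to absolute host paths
            with open(path, errors="replace") as fh:
                for num, line in enumerate(fh, 1):
                    text = line.strip()
                    if text and not text.startswith("#") and re.search(r"\btelnetd\b", text):
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        findings.append(("telnet-enabled", rel, f"line {num}"))
    return sorted(findings)

def build_sample(root):
    """Write a small constructed rootfs (not taken from any real device)."""
    os.makedirs(os.path.join(root, "etc", "init.d"))
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin:x:0:0:admin:/:/bin/sh\n",
        "etc/shadow": "root:$1$CONSTRUCTED$placeholderhash:0:0:99999:7:::\n"
                      "admin::0:0:99999:7:::\ndaemon:*:0:0:99999:7:::\n",
        "etc/init.d/rcS": "#!/bin/sh\n# telnetd is for factory test only\n/usr/sbin/telnetd &\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_rootfs(tmp):
            print(*finding, sep="\t")
```

Run as a release gate, any finding fails the build; the third item on the list, outdated open-source components, needs a component inventory and is not covered here.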
