For years, we’ve been hearing about the security vulnerabilities of consumer and small office/home office (SOHO) digital devices. At the same time, security researchers have increased their rate of vulnerability disclosures, and bug bounty programs for the Internet of Things (IoT) have proliferated. And yet nothing seems to be getting done when it comes to boosting the security capabilities of commonly used devices such as routers and network-attached storage (NAS) devices. That’s the big takeaway from consulting and research firm Independent Security Evaluators (ISE), which has just released a new report, “SOHOpelessly Broken 2.0,” detailing the IoT security vulnerabilities found in 13 popular devices.
Key findings of the IoT security report
This new report is a follow-up to the company’s much-discussed 2013 report, “SOHOpelessly Broken.” Despite the gap of nearly six years between reports, nothing much seems to have been done to fix IoT security issues, says ISE. For example, the 2013 report resulted in 52 CVEs (Common Vulnerabilities and Exposures) issued for newly discovered vulnerabilities. By comparison, the 2019 report was even more dramatic. In its study of 13 SOHO router and NAS devices, ISE found vulnerabilities resulting in 125 CVEs.
And, most dishearteningly, all 13 devices under review had at least one web app vulnerability (such as cross-site scripting, or XSS) – many of which were “trivial to exploit.” In many cases, devices were exploited remotely, without authentication. ISE specifically looked at a wide range of devices from a variety of manufacturers, and it looks like the problem of IoT security flaws is one that is common to all device manufacturers, not just a few bad apples. Even when ISE contacted these 13 companies to disclose and explain these vulnerabilities, only 3 of them worked with ISE to fix the vulnerabilities.
Impact of IoT security weaknesses
As ISE is quick to point out, this was more than just a proof-of-concept academic exercise with little or no real-world impact. All of these digital devices (both routers and NAS devices) are commonly used within the home and small office environments, and that means hackers and other rogue cyber elements can use these known IoT security weaknesses to achieve their nefarious goals. In short, there are exploits that can result in harm to both consumers and businesses if they do not undertake basic security due diligence for their IoT devices.
ISE specifically outlines a few cyber attack scenarios that might stem from these IoT security weaknesses. For example, an attacker might be able to exploit and compromise additional network devices. Within a smart home or smart building, a remote exploitation attack that starts with a router might spread to other devices hooked up to the Internet. Moreover, attackers are theoretically able to snoop on any information that passes through these devices, opening up the very real risk of having your personal data or sensitive personal information stolen by hackers or cyber thieves. Or an attacker could simply use these security exploits to disable your network entirely. Finally, once they’ve established a foothold within your IoT device via a remote access attack, hackers can use that as a basis for launching outbound attacks on other targets outside of your home or office.
Ways to fix IoT security weaknesses
The good news, says ISE, is that there are a number of basic steps that anyone – both consumers and small business owners – can take in order to fix and eliminate IoT security vulnerabilities. First and most importantly, they can disable any features on these devices that they do not use. They can also commit to a proactive security approach, in which they actively track known security vulnerabilities. And they can choose to purchase only those products that are updated frequently with new security patches.
However, it is quite unfair to place the burden of IoT security only on those who use these routers and NAS devices. Far better, suggests ISE, is if device manufacturers begin to take IoT security seriously. With that in mind, ISE lays out some best-in-class industry practices for device manufacturers to follow. For example, they should train developers on best practices for security and, whenever possible, embed security into every aspect of creating, designing and testing products. Device manufacturers should commit to a rigorous schedule of training and security testing, not just bug bounty programs. While bug bounty programs certainly provide value, too many companies ignore the vulnerabilities found as a result of these programs, and do not make it worth the time and money of those people who actively look for IoT security flaws. Finally, device manufacturers should be proactive when it comes to firmware upgrades.
Positive steps for IoT security
While the ISE report paints a bleak picture of the IoT security landscape, there are some positive, encouraging signs. For example, ISE notes that, in the interval between its original report and this new 2019 report, the whole process of using vulnerability disclosure forms has become much more streamlined and simplified. Device manufacturers are also providing better contact information for vulnerability assessment, so that security researchers and other security experts can contact them with potential vulnerabilities. And, the whole concept of bug bounty programs has gone mainstream, opening up the prospect that “the crowd” can help to find dangerous new exploits that device manufacturers cannot.
Getting buy-in from IoT device manufacturers
At the end of the day, a lot depends on getting “buy-in” from IoT device manufacturers. ISE points out that many of the vulnerabilities found, exploited and disclosed more than six years ago have never been appropriately addressed. And, in many cases, a basic culture of security due diligence has not taken hold at IoT device manufacturers. This would seem to suggest that device manufacturers are never going to make the required security changes to their devices unless they are forced to by consumers or regulators.
By voting with their wallets, consumers can help to reward those IoT device manufacturers that take security seriously. And, government regulators can play a role, too, by creating the right incentives for companies to embed security into every aspect of designing and creating a new device. That would mean that, if a router or NAS device is showing up on retail shelves at stores, it has at least passed a minimum threshold for IoT security.