Credit: Dreamstime
Manufacturers of network equipment may be claiming better security in their Internet of Things (IoT) devices, but those claims have been refuted during new testing of 13 small-office home office (SOHO) routers and networked-storage devices that identified 125 new vulnerabilities.
The work, conducted by security-testing firm Independent Security Evaluators (ISE) and documented in the SOHOpelessly Broken 2.0 report, updated a 2013 evaluation of IoT security that identified 52 new vulnerabilities.
The testers were eager to see how much better vendors’ IoT security had become in the intervening six years, and evaluated fully-updated devices produced for both consumer and enterprise use by manufacturers including Buffalo, Synology, TerraMaster, Zyxel, Drobo, Asustor, Seagate, QNAP, Lenovo, ASUS, Netgear, TOTOLINK, and Xiaomi.
Evaluation of their security revealed a number of common weak spots, with all 13 tested devices having at least one web application vulnerability – including cross-site scripting, OS command injection, or SQL injection – in their out-of-the-box configuration.
Researchers were able to get root access on 12 of the devices and noted that six units can be “remotely exploited without authentication”.
“Despite the increased attention to security claimed by device manufacturers,” the researchers notes, “these IoT devices do not have sufficient security controls to prevent remote exploitation.”
“Our goal was not to identify issues with the default configuration of these devices, it was to identify poorly developed functionality.”
ISE researchers used a four-phase process that included information gathering during passive ‘reconnaissance’; enumeration of default services on each device; leveraging this enumeration to gain access to the device; then developing proof-of-concept exploits that were sometimes chained “to reduce the level of access required to remotely compromise a device.”
The least secure device was the TerraMaster F2-420, which was vulnerable to 7 of eight attack methods attempted during the exercise. The Synology DS218j didn’t fall to any of the attack techniques, but all of the other 11 devices were compromised by two or more methods.
IoT security has become a chronic issue as business and home consumers alike work to close up potential vulnerabilities that leave them exposed to attack.
The recent 2019 SonicWall Cyber Threat Report, for one, identified an ongoing surge in IoT malware attacks, which grew 55 percent during the first half of this year compared with the previous year.
Worldwide spending on IoT security solutions will grow from $US1.5b ($A2.2b) to more than $US3.1b ($A4.4b) in 2021, according to a recent Gartner forecast that highlighted the piecemeal nature of efforts to date.
"Although IoT security is consistently referred to as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed," Gartner research director Ruggero Contu said.
"However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider's alliances with partners or the core system that the devices are enhancing or replacing."
Even as enterprise IoT strategy continues to evolve, buyers should take heed of their potential vulnerabilities – and avoid those devices with a history of numerous security vulnerabilities.
Corporate administrators should harden IoT devices by disabling unused features – particularly remote access features – as well as enabling security controls, and implementing a patching strategy to keep the firmware current.
Overall, ISE was unimpressed by the state of the tested devices, noting that their “troubling” and “trivially exploited” security vulnerabilities “would be considered unacceptable in modern web applications in non-IoT environments.”
“It is likely that a significant number of devices are deployed and never updated afterwards,” the report noted. “With these results, we can conclude that common devices... are likely vulnerable to exploits that can result in severe damage.”