PRESS RELEASE
7,339 Vulnerabilities Underneath the Christmas Tree
Not only no-brand goods affected by vulnerabilities / Even products from well-known manufacturers show blatant security gaps
This year again, every German will spend an average of 280 euros on Christmas presents. Technical gadgets such as interactive toys, smart household appliances or networked consumer electronics will often be found underneath the Christmas tree. IoT Inspector has therefore examined popular items from well-known manufacturers (including those from the USA and Germany) and come to frightening results: each of these products has hundreds of vulnerabilities that, in the worst case, give attackers access to the devices. The attackers are then able to access private networks, steal data, manipulate devices or integrate hijacked devices into their botnets.
IoT Inspector’s security experts examined a fictitious gift basket containing six products from renowned manufacturers. They found a total of over 7,000 vulnerabilities. In most cases, outdated software with known vulnerabilities was used, sometimes even in the latest firmware version. However, the investigation also identified previously unknown vulnerabilities, which were immediately reported to the manufacturers. In addition, the specialists discovered inadequate maintenance access that allows attackers to remotely control the device. In the worst-case scenario, this could allow the devices to spy on their owners or be used as a weapon for attacks on other targets.
“Unfortunately, we discovered that often not even basic security principles are met: For example, manufacturers sometimes use unencrypted transport routes for their firmware updates. Cyber criminals could easily redirect data traffic and inject malware into the devices”, explains Rainer M. Richter, Managing Director of IoT Inspector GmbH. “With some devices, the Wi-Fi password of the user is also stored in plain text. In conjunction with other vulnerabilities, the password can easily be read out and attackers could gain unauthorized network access. These are typical reasons why the vulnerabilities of IoT devices have become one of the main entry points for attackers.”
The following devices were examined:
“It was important for us to examine not only cheap ‘no name’ products, but also to show that the dangers lurk even in products from renowned companies,” says Richter. “The entire industry must finally rethink and implement the security of IoT devices from the very beginning.”
In principle, caution should be exercised with IoT devices and a separate network segment should be set up for these. In addition, buyers should follow these tips: