PRESS RELEASE
7,339 Vulnerabilities Underneath the Christmas Tree
IoT Inspector Identifies Dangerous Flaws in Popular Gifts Like Networked Children’s Toys, Smart Speakers or Hobby Drones!
Not only no-brand goods are affected by vulnerabilities / Even products from well-known manufacturers show blatant security gaps
This year, consumers in Germany will again spend an average of 280 euros per person on Christmas presents. Technical gadgets such as interactive toys, smart household appliances and networked consumer electronics will often be found underneath the Christmas tree. IoT Inspector therefore examined popular items from well-known manufacturers (including ones from the USA and Germany) and arrived at alarming results: each of these products has hundreds of vulnerabilities that, in the worst case, give attackers access to the device. From there, attackers can reach the owner's private network, steal data, manipulate devices or enlist the hijacked devices into their botnets.
6 random products = 7,000 vulnerabilities
IoT Inspector’s security experts examined a fictitious gift basket containing six products from renowned manufacturers and found a total of over 7,000 vulnerabilities. In most cases the cause was outdated software components with publicly known vulnerabilities, sometimes even in the latest firmware version. The investigation also identified previously unknown vulnerabilities, which were reported to the manufacturers immediately. In addition, the specialists found inadequately secured maintenance access that allows attackers to control the device remotely. In the worst case, this could allow the devices to spy on their owners or be used to attack other targets.
“Unfortunately, we discovered that often not even basic security principles are met: for example, manufacturers sometimes use unencrypted transport routes for their firmware updates. Cyber criminals could easily redirect data traffic and inject malware into the devices,” explains Rainer M. Richter, Managing Director of IoT Inspector GmbH. “With some devices, the Wi-Fi password of the user is also stored in plain text. In conjunction with other vulnerabilities, the password can easily be read out and attackers could gain unauthorized network access. These are typical reasons why the vulnerabilities of IoT devices have become one of the main entry points for attackers.”
The vulnerability shopping list
The following devices were examined:
- Smart speaker with voice control from a well-known German manufacturer: 1,634 vulnerabilities
- Children’s messenger advertised as “safe”, from a world-leading provider of educational toys: 1,019 vulnerabilities
- Drone from one of the largest manufacturers in this segment: 1,250 vulnerabilities
- Smart home camera system from a US industry giant: 1,242 vulnerabilities
- Pet monitoring camera, often also used as a baby monitor: 643 vulnerabilities
- Streaming device for children advertised with “highest data security”: 1,551 vulnerabilities
“It was important for us to examine not only cheap ‘no name’ products, but also to show that the dangers lurk even in products from renowned companies,” says Richter. “The entire industry must finally rethink and implement the security of IoT devices from the very beginning.”
What you can do
In general, IoT devices should be treated with caution and placed in a network segment of their own, separated from the rest of the home network, so that a compromised gadget cannot reach laptops, phones and file shares. In addition, buyers should follow these tips:
- Check whether the manufacturer has a website. Many vendors selling on the usual online marketplaces are dubious sellers with no website and no way to contact them.
- Check whether the manufacturer provides regular firmware updates (preferably installed automatically).
- If the device ships with a default password, change it immediately.
- Find out how much personal information and data you hand over to a device. For which purpose does the device need this data, and where is it stored (only locally, or also in the cloud)? Many devices use face, voice or fingerprint recognition, or take pictures and videos of your home, family and children. Ask yourself whether a device really needs all this information.
- Be aware of the attack surface. The range of a connection determines from how far away an attacker can reach the device: for Bluetooth this is five to ten meters, for Wi-Fi up to a hundred meters, and a device controlled online via an app can potentially be attacked from anywhere in the world.
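The separate network segment recommended above can be enforced on any Linux-based home router or firewall with nftables. The following script is an added example written for this page, not code from IoT Inspector or from any of the examined products; the interface names (br-lan, iot0, eth0), the subnets and the placement of IoT devices on their own VLAN are assumptions. IoT devices get internet access and DHCP/DNS from the router, the trusted LAN may open connections to them (to control them from an app), but the IoT segment can never initiate a connection into the LAN.

```shell
#!/bin/sh
# Added example (not from the IoT Inspector release): an nftables ruleset that
# isolates IoT devices on their own segment. Interface names and subnets are
# assumptions; adjust them to your router.
LAN_IF="${LAN_IF:-br-lan}"   # trusted LAN bridge, e.g. 192.168.1.0/24 (assumed)
IOT_IF="${IOT_IF:-iot0}"     # VLAN interface for IoT devices, e.g. 192.168.20.0/24 (assumed)
WAN_IF="${WAN_IF:-eth0}"     # uplink to the internet (assumed)

# Print the ruleset. Kept as a function so it can be inspected or tested
# before it is loaded into the kernel.
iot_ruleset() {
cat <<EOF
table inet iot_segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed in the other direction
        ct state established,related accept

        # Trusted LAN may talk to IoT devices (app control, local streaming)
        iifname "$LAN_IF" oifname "$IOT_IF" accept

        # IoT devices may reach the internet, but nothing else
        iifname "$IOT_IF" oifname "$WAN_IF" accept

        # Everything else from the IoT segment (including -> LAN) is dropped
        iifname "$IOT_IF" counter drop

        # Trusted LAN keeps its internet access
        iifname "$LAN_IF" oifname "$WAN_IF" accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "$LAN_IF" accept

        # IoT devices only need DHCP and DNS from the router itself
        iifname "$IOT_IF" udp dport { 53, 67 } accept
        iifname "$IOT_IF" tcp dport 53 accept
        iifname "$IOT_IF" counter drop
    }
}
EOF
}

# Load the ruleset into the kernel (needs root and nftables installed).
# Returns nft's exit status.
apply_iot_ruleset() {
    iot_ruleset | nft -f -
}

# Number of rules that reference the IoT interface; a quick sanity check that
# the interface name was substituted and all IoT rules are present.
iot_rule_count() {
    iot_ruleset | grep -c "\"$IOT_IF\""
}

# Run with --apply to load the rules; without arguments the ruleset is printed
# so it can be reviewed first.
case "${1:-}" in
    --apply) apply_iot_ruleset ;;
    *) iot_ruleset ;;
esac
```

Review the printed ruleset, then run the script with `--apply` as root. The order of the forward rules matters: the explicit `iifname "$IOT_IF" counter drop` sits before any other accept so that no later rule can accidentally let IoT traffic into the LAN, and the `counter` keyword lets you see in `nft list ruleset` whether a device is actually probing the trusted network.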