Since its initial development in 2015, the firmware analysis platform ONEKEY (formerly known as IoT Inspector) has analyzed tens of thousands of firmware images for vulnerabilities and compliance violations. Not only have we been able to identify countless misconfigurations and security issues; we have also detected many previously unknown security vulnerabilities for the first time.
Increasing Connectivity = Growing Security Risks
It is estimated that over 25 billion devices are already connected to the Internet, and the number is still rising. But as connectivity increases, so do the security risks. According to a study conducted by Nokia, IoT devices already accounted for one-third of all devices affected by security vulnerabilities in 2020. By comparison, the figure was only 16 percent in 2019.
But the Internet of Things goes well beyond smart homes and personal gadgets such as hobby drones and fitness trackers. In over two-thirds of all companies, the number of IoT devices now exceeds the number of traditional endpoints such as notebooks, servers, and desktop systems. Almost as many companies (67 percent) said in a recent survey that they had already experienced security incidents which involved their IoT devices.
Automated Analysis Tools for Efficient Security Checks
These numbers are startling, though unsurprising, as the vast majority of IoT devices operate under questionable security standards: 57% of them are “vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers.”
SEC Consult recognized the rapidly growing problem of insecure IoT devices early on and set the success story of IoT Inspector in motion as early as 2015. With the increasing demand for product testing of IoT and embedded devices (particularly due to stricter regulatory requirements), the security consultants saw the need for an automated solution to support the relevant security checks. This laid the foundation for IoT Inspector.
House of Keys and the Tale of Black Widow
The first large-scale research project took place the same year. Security researcher Stefan Viehböck developed analysis software within the “Large-Scale Firmware Analysis” project, which he used to examine the firmware images of over 4,000 different products from over seventy manufacturers. One result: House of Keys. 580 security keys were reused and found in a large number of devices – making their encryption obsolete and exposing numerous devices to an increased security risk.
The brand “IoT Inspector” was first used in 2016, when a serious backdoor was uncovered in several devices from the American conference room equipment manufacturer AMX – whose products were used at the time in the White House, in particular. The devices had secret credentials (code name: black widow) that allowed the manufacturer (and possibly others) to easily gain access to the devices and spy on its customers. This backdoor was discovered during a manual analysis and subsequently added to IoT Inspector’s database. It is also worth mentioning that the manufacturer gave assurances that it had removed the backdoor in a security update. However, a new analysis by IoT Inspector showed the backdoor was not removed, only renamed…
In the same year, we achieved another brilliant success: Many companies use cameras to monitor their premises and protect themselves from intruders. Paradoxically, sometimes the cameras themselves are not sufficiently secured against external attacks. For example, a backdoor was discovered in Sony’s IPELA Engine IP series, which enabled potential attackers to upload arbitrary code to the affected devices. This would have allowed hackers to gain access to the targeted corporate network, disable or manipulate the cameras, connect them to a botnet, or simply spy on the owner. This example also shows the great potential of undiscovered security vulnerabilities, as many firmware components are used in different devices. In the case of Sony, IoT Inspector could automatically identify over 80 other models that were affected by this critical vulnerability (which has fortunately since been fixed).
A vulnerability of even greater magnitude was discovered in 2018 at the Chinese OEM manufacturer Xiongmai, in the course of research into the automated detection of management protocols and supported cloud backends in IoT firmware. Its white-label components are used in products around the globe. Accordingly, over 9 million cameras were equipped with a remote monitoring feature enabled by default (“XMEye P2P cloud”), which was affected by critical security vulnerabilities. Of course, since then, vulnerable connections to the XMEye P2P cloud can be detected automatically by IoT Inspector, in addition to dozens of other management protocols.
An Overview of IoT Inspector in Action
To go into all the findings in detail would be beyond the scope here, but we can say this much: The research team of SEC Consult is always very ambitious in its fight for more cybersecurity.
To continuously develop IoT Inspector’s analysis capabilities, we work with established security experts, including Red Alert Labs, QGroup, TÜV Rheinland, TÜV Hessen and VDE-Cert. Our analysis platform supports the security research of our research partners, and insights from their manual security analyses in turn migrate into the vulnerability modules of IoT Inspector. If you are also interested in a research partnership, we look forward to hearing from you.
#makeIoTsecure – IoT Security for Your Company
Our mission is to make the Internet of Things secure. That’s why we developed IoT Inspector – the leading European solution for automated firmware security analysis and compliance checks. To make our technology accessible to the widest possible audience, in June 2020 we completely separated from SEC Consult Group (disclaimer: SEC Consult has meanwhile been acquired by Atos).
Since then, IoT Inspector has been an independent company based in Bad Homburg, Germany. In September 2020, we received a first round of financing from German VC eCAPITAL. Within the company, a team of highly motivated security experts from six countries is continuously expanding and improving the platform’s analysis capabilities.
ONEKEY – How it Works
- For a demo or trial, we upload your firmware images to the intuitive ONEKEY web platform (hosted in our 27001 certified data center).
- For production, you may use the powerful API interface for upload, controls and reporting.
- Automatically check for security and compliance with our continuous analysis engine.
- Receive smart reports and alerts within minutes, via API, via online portal and email.
Whether you manufacture IoT products yourself, distribute them (e.g. as a telecommunications service provider), perform security audits for your customers, certify devices, or use them in your company: we can help. Don’t ignore the security risk of your IoT devices and request your free demo today!
Our Advisory Archive
2015
2015-04: TP Link
2015-05: Kernel
2015-11: House of Keys
2015-11: Ubiquiti Networks
2016
2016-01: AMX
2016-06: Ubee
2016-09: Aruba Networks
2016-09: House of Keys Follow Up
2016-12: Sony
2016-12: AGFEO
2017
2017-01: Ubiquiti Networks
2017-02: Jung
2017-03: Western Digital My Cloud
2017-03: Ubiquiti (again)
2017-03: SolarLog
2017-05: Western Digital TV Media Player
2017-06: Wimax, Zyxel, Huawei
2017-06: Cisco Prime Infrastructure
2017-06: Linksys
2017-06: Kathrein
2017-06 & 2017-07 & 2017-07 & 2017-07 & 2017-08 & 2017-09: Ubiquiti
2017-11: Siemens
2017-11: Wago
2018
2018-01: Sprecher Automation
2018-02: Vibratissimo
2018-02: miSafes
2018-04: Zyxel ZyWALL
2018-05: TR-069
2018-05: VGate
2018-06: Siglent Technologies
2018-07: Wago
2018-07: ADB 1, ADB 2, ADB 3
2018-10: Cisco
2018-10: Xiongmai
2019
2020
2020-01: Phoenix Contact
2020-02: Red Lion
2020-05: Cisco
2020-07: ZTE
2020-10: Hörmann
2020-10: RocketLinx
2020-10: Pepperl+Fuchs