Since its initial development in 2015, the firmware analysis platform ONEKEY (formerly known as IoT Inspector) has analyzed tens of thousands of firmware images for vulnerabilities and compliance violations. Not only have we been able to identify countless misconfigurations and security issues. We have also detected many previously unknown security vulnerabilities for the first time.
It is estimated that over 25 billion devices are already connected to the Internet, and the number is still rising. But as connectivity increases, so do the security risks. According to a study conducted by Nokia, IoT devices already accounted for one-third of all devices affected by security vulnerabilities in 2020. By comparison, the figure was only 16 percent in 2019.
But the Internet of Things goes well beyond smart homes and personal gadgets such as hobby drones and fitness trackers. In over two-thirds of all companies, the number of IoT devices now exceeds the number of traditional endpoints such as notebooks, servers, and desktop systems. Almost as many companies (67 percent) said in a recent survey that they had already experienced security incidents which involved their IoT devices.
These numbers are startling, though unsurprising, as the vast majority of IoT devices operate under questionable security standards: 57% of them are “vulnerable to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers.”
SEC Consult recognized the rapidly growing problem of insecure IoT devices early on and set the success story of IoT Inspector in motion as early as 2015. With the increasing demand for product testing of IoT and embedded devices (due to stricter regulatory requirements, particularly), the security consultants saw the need for an automated solution to support the relevant security checks. This laid the foundation for IoT Inspector.
The first large-scale research project took place the same year. Security researcher Stefan Viehböck developed an analysis software within the “Large-Scale Firmware Analysis” project, which he used to examine the firmware images of over 4,000 different products from over seventy manufacturers. One result: House of Keys. 580 security keys were reused and found in a large number of devices – making their encryption obsolete and exposing numerous devices to an increased security risk.
The brand “IoT Inspector” was first used in 2016, when a serious backdoor was uncovered in several devices from the American conference room equipment manufacturer AMX – whose products were used at the time in the White House, particularly. The devices had secret credentials (code name: black widow) that allow the manufacturer (and possibly others) to easily gain access to the devices and spy on its customers. This backdoor was discovered during a manual analysis and subsequently added to IoT Inspector’s database. It is also worth mentioning that the manufacturer has assured that it had gotten rid of the backdoor during a security update. However, a new analysis by IoT Inspector showed the backdoor was not removed, only renamed…
In the same year, we achieved another brilliant success: Many companies use cameras to monitor their premises and protect themselves from intruders. Paradoxically, sometimes the cameras themselves are not sufficiently secured against external attacks. For example, a backdoor was discovered in Sony’s IPELA Engine IP series, which enabled potential attackers to upload arbitrary code to the affected devicesviii. This would have allowed hackers to gain access to the targeted corporate network, disable or manipulate the cameras, connect them to a botnet, or simply spy on the owner. This example also shows the great potential of undiscovered security vulnerabilities, as many firmware components are used in different devices. In the case of Sony, IoT Inspector could automatically identify over 80 other models that were affected by this critical vulnerability (which has fortunately since been fixed).
A vulnerability of even greater magnitude was discovered in 2018 in the course of research around the automated detection of management protocols and supported cloud backends in IoT firmware at the Chinese OEM manufacturer Xiongmai. Its white-label components are used in products around the globe. Accordingly, over 9 million cameras were equipped with a remote monitoring feature enabled by default (“XMEye P2P cloud”), which was affected by critical security vulnerabilities. Of course, since then, vulnerable connections to the XMEye P2P cloud can be detected automatically by IoT Inspector, in addition to dozens of other management protocols.
To go into all the findings in detail would be beyond the scope here, but we can say this much: The research team of SEC Consult is always very ambitious in its fight for more cybersecurity.
To continuously develop IoT Inspector’s analysis capabilities, we work with established security experts, including Red Alert Labs, QGroup, TÜV Rheinland, TÜV Hessen and VDE-Cert. Our analysis platform supports the security research of our research partners, and insights from their manual security analyses in turn migrate into the vulnerability modules of IoT Inspector. If you are also interested in a research partnership, we look forward to hearing from you.
Our mission is to make the Internet of Things secure. That’s why we developed IoT Inspector – the leading European solution for automated firmware security analysis and compliance checks. To make our technology accessible to the widest possible audience, in June 2020 we completely separated from SEC Consult Group (disclaimer: SEC Consult has meanwhile been acquired by Atos).
Since then, IoT Inspector has been an independent company based in Bad Homburg, Germany. In September 2020, we received a first round of financing from German VC eCAPITAL. Within the company, a team of highly motivated security experts from six countries is continuously expanding and improving the platform’s analysis capabilities.
Whether you manufacture IoT products yourself, distribute them (e.g. as a telecommunications service provider), perform security audits for your customers, certify devices, or use them in your company: we can help. Don’t ignore the security risk of your IoT devices and request your free demo today!