Header Iotinspector Cat

Door opener IoT: 90 percent of the firmware files contain critical security vulnerabilities

The Internet of Things is a door opener – in two ways. On the one hand, IoT companies open up new lucrative business areas and enable a fully networked business world. On the other hand, IoT devices are also ideal hacker gateways, increasing the cyber-attack area of ​​businesses immensely.

The fact is, the security of IoT devices is still severely neglected and their firmware is usually swarming with vulnerabilities, much to the delight of cyber attackers. As recent research by the IoT Inspector firmware analysis platform has shown, more than 90 percent of the firmware files had critical vulnerabilities. These include hard-coded passwords in the firmware file system, system configuration vulnerabilities, or SSH host keys. However, the most frequently identified vulnerability – and thus n°1 vulnerability  – are hidden standard user credentials, according to the report.

20 backdoors in network camera: a stroke of luck for hackers

Let’s have a brief look into the network camera of an American provider of surveillance systems. Here, the static and dynamic firmware analysis of the IoT Inspector was able to identify a total of 26 different user accounts, even though the corresponding manual only listed three corresponding accounts. This network camera – actually used for security purposes – bore no less than 20 backdoors, including a Trojan horse.

The recent headlines about the presumed hack by Russian hacker group APT28 show that vulnerabilities such as these are also exploited by cybercriminals. The criminals, to whom the burglaries in the Bundestag, the Foreign Office as well as manipulation of the last US elections are attributed, attacked corporate networks via a VoIP phone, an office printer and a video player in order to access the root and expand from there., Unmodified default passwords set by the manufacturer and neglected critical security updates played into their hands.

Lack of risk awareness

If classic end-devices such as PCs, servers or notebooks are nowadays adequately monitored and, thanks to innovative AI-based endpoint protection, more and more effectively secured, the danger posed by IoT devices is still greatly underestimated and the corresponding security checks are prioritized with fatal consequences. However, printers, webcams, routers, Wi-Fi access points, and climate controls are at least as vulnerable as the classic computer, offering attackers the same ability to infiltrate networks or capture sensitive data. Consider the latest headlines about ransomware attacks on Canon SLR cameras.

Safety tests show where action is needed

As long as market leaders such as Cisco or Microsoft fail to deliver firmware free from vulnerabilities, companies and service providers are urged to actively seek out vulnerabilities in devices themselves. In order not to experience any nasty surprises later on, the firmware of new IoT devices ideally must be checked for vulnerabilities such as hard-coded hashes even before they are used. Only this way can protective and defense measures, such as firewall configurations, be adjusted in time.


ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.



Sara Fortmann

Marketing Manager



euromarcom public relations GmbH

+49 611 973 150