Study: Smart Home Office Appliances Are Trojan Horses for Hackers

(I)IoT Security Report 2021 reveals massive weak points in home office security

Bad Homburg, May 18, 2021 — During the Corona pandemic, millions of jobs have been transferred to home offices. While only just under 4% worked from home before the crisis, a quarter of employees in Germany are now doing so. Numerous households use smart devices that are connected to the domestic network — routers, smart vacuum cleaners, media systems, lighting controls and smart locking systems. However, nine out of ten of these devices present blatant security vulnerabilities in their firmware, according to research by IoT security specialist IoT Inspector. For the “(I)IoT Security Report 2021” study, 260 companies from the IT industry were surveyed — 57% see these devices as a risk for hacker attacks on corporate networks. “These smart household and home devices are a Trojan horse that hackers can use to gain access to a household Wi-Fi relatively easily. This allows for connected computers to be attacked, and ultimately also for corporate networks that are accessed via VPN, for example,” explains Rainer M. Richter, Managing Director of IoT Inspector.

Home Office as the Key to Corporate Networks

While 57% of respondents consider a VPN connection to be secure, none of the 260 company representatives surveyed consider this form of encryption to be “very secure.” 30%, on the other hand, rank encryption as “less secure” or even “insecure.” “Accessing and infecting a computer on the local home network is the key to a corporate network. Once that has happened, rarely does anything in the standard corporate setup protect against attacks by ransomware or other malware,” analyzes Rainer M. Richter. With the IoT Inspector platform, his company enables the one-time or ongoing inspection of the firmware of such IoT devices for security vulnerabilities and possible gateways for cyber criminals. The gaps range from Wi-Fi keys that can be easily read in plain text to hidden administrator access in the firmware, which hackers can use to begin their misdeeds in a matter of minutes.

German Federal Office for Information Security (BSI) Warns of Vulnerabilities in Wi-Fi Routers

Security measures or guidelines for such gateways hardly exist in companies, and awareness of the risk is practically non-existent — 71% of company representatives are certain that traditional security mechanisms are no longer sufficient to cover risks from IoT devices. Likewise, 71% believe that measures to secure IoT devices are insufficient. 7% even rate them as “inadequate,” while only 12% of respondents consider the measures to be sufficient. The latest warnings issued by the German Federal Office for Information Security on May 11th underscore these assessments. The BSI publishes an explicit level 3 warning — “the IT threat situation is business-critical.” The vulnerability for so-called “FragAttacks” affects WLAN routers from almost all manufacturers.