Internet Of Things Contains Average Of 25 Vulnerabilities Per Device

Published: 22/11/2024   Category: security




New study finds high volume of security flaws in such IoT devices as webcams, home thermostats, remote power outlets, sprinkler controllers, home alarms, and garage door openers.



A new study published this week found that even among just a small sample of some of the most popular and prevalent Internet of Things (IoT) devices, researchers uncovered 250 vulnerabilities -- many of which were severe and resulted in remote code execution, including vulnerabilities to Heartbleed, denial of service, and cross-site scripting.
Conducted by researchers at HP Fortify, the study was meant to demonstrate what may be found when a more comprehensive and disciplined approach is taken to examining this growing new class of devices.
Daniel Miessler, practice principal for Fortify On Demand at HP Fortify, who led the project, says many of the vulnerability discoveries announced about IoT devices over the last couple of years have been one-off findings.
"We haven't really seen a comprehensive approach when people talk about it -- they might talk about one vulnerability on the device or one relevant Internet vulnerability," he says, explaining that what makes IoT devices different is their multi-faceted nature. "When you think about what all is involved in an Internet of Things device, you've got the device itself, network access, authentication, the Internet component; and all these pieces together are what stack up to be the Internet of Things device. If you're not looking at the big picture, you're missing a lot of stuff."
This is why Miessler earlier this year collaborated with researchers Craig Smith and Jason Haddix to come up with the OWASP Internet of Things Top Ten Project, which delineates the top 10 security problems seen in IoT devices and tips on how to prevent them. For the study, he used that list as a backbone for testing 10 common devices, including a webcam, home thermostat, sprinkler controller, home alarm, and garage door opener.
Among those 10 devices, HP Security Research found an average of 25 vulnerabilities per device. Seven out of 10 of the devices when combined with their cloud and mobile applications gave attackers the ability to identify valid user accounts through enumeration. Nine out of 10 devices collected at least one piece of personal information through the device or related cloud or mobile app; and six of the devices had user interfaces vulnerable to a range of web flaws such as persistent XSS.
"We had one where you were able to log in and get root access to the device, and from there you could actually run and execute commands, pivot over to various locations on the internal network," Miessler tells us.
He explains that, though many IoT devices are marketed to consumers, these rampant vulnerabilities have quite a bit of relevance for enterprises as well.
"They're not going to be closed to the devices we have here: TVs, webcams, home thermostats. They're not adverse to rolling out prosumer versions of these products, and we're already getting pings from our large corporate customers asking how secure these exact devices are."
"And that's not to mention other very corporate devices such as SCADA networks, which exhibit the same multi-faceted attack surfaces as consumer IoT devices," he says. The biggest thing he wants enterprises to realize is they need to broaden their testing horizons lest they miss some very glaring vulnerabilities.
"It's not just cloud, it's not just the device, and it's not just network security," says Miessler. "People shouldn't view it as a one-dimensional problem."
