Security experts from IoT Inspector have tracked down a total of 7,339 dangerous vulnerabilities in popular gifts such as connected children's toys, smart speakers and hobby drones. In terms of security, that is likely to be the collective horror under the Christmas tree. Products from well-known manufacturers are also among them.
Technical gadgets such as interactive toys, smart household appliances and networked consumer electronics will be found under many Christmas trees. Security experts from IoT Inspector therefore examined popular items from well-known manufacturers (including ones from the USA and Germany) and came to some frightening conclusions: each of these products has hundreds of vulnerabilities that, in the worst case, give attackers access to the device. Attackers are then able to reach private networks, steal data, manipulate devices or incorporate the hijacked devices into their botnets.
Fictitious gift basket with six products
IoT Inspector's security experts examined a fictitious gift basket containing six products from reputable manufacturers. In the process they found a total of more than 7,000 vulnerabilities, they wrote in a statement I received by direct mail. In most cases, outdated software components with known vulnerabilities were in use, in some cases even in the latest firmware version. The investigation also identified previously unknown vulnerabilities, which were immediately reported to the manufacturers.
In addition, the specialists found insecure maintenance access interfaces that allow attackers to control the device remotely. In the worst case, this could allow the devices to spy on their owners or be used as a weapon in attacks on other targets.
"To our dismay, we found that often not even basic security measures are followed: For example, manufacturers sometimes use unencrypted transport routes for their firmware updates. Cybercriminals can thus redirect data traffic and introduce malware into the devices," explains Rainer M. Richter, Managing Director of IoT Inspector GmbH.
"Some devices also store the user's WiFi password in plain text. In combination with other vulnerabilities, the password can be easily read, and attackers could gain unauthorized access as a result. These are typical reasons why IoT device vulnerabilities are now one of the main gateways for attackers." The following devices were examined:
- Smart speaker with voice control from a well-known German manufacturer: 1,634 vulnerabilities
- Messenger for children advertised as "secure" by a leading global educational toy provider: 1,019 vulnerabilities
- Drone from one of the largest vendors in this sector: 1,250 vulnerabilities
- Smart home camera system from a U.S. industry giant: 1,242 vulnerabilities
- Pet surveillance camera, which is often also used as a baby cam: 643 vulnerabilities
- Streaming device for children advertised as having "the greatest data security": 1,551 vulnerabilities
"It was important to us not only to investigate 'no name' cheap products, but to show that the dangers also lurk in products from reputable companies," Richter said. "Overall, the entire industry needs to finally consider and implement IoT device security from the start."
Caution with IoT devices
As a general rule, the security experts advise caution with IoT devices and recommend placing them in a separate network segment so that a compromised gadget cannot reach the rest of the home network. In addition, buyers should heed the following tips:
- Check whether the manufacturer has a website. Many manufacturers who sell their products on popular online marketplaces are dubious sellers without an Internet presence or any way to contact them.
- Check if the manufacturer provides regular firmware updates (preferably automatically).
- Change the password immediately if the device comes with a default password.
- Find out how much personal information and data you hand over to a device. What does the device need this data for, and where is it stored (only locally or also in the cloud)? Many devices work with facial, voice and fingerprint recognition or take pictures and videos of your home, family and children. Ask yourself whether a device really needs all this information.
- Be aware of the attack surface. For example, the range (and therefore the attack surface) of a Bluetooth connection is five to ten meters; for a WiFi connection it is up to a hundred meters. A device that is controlled online via an app can potentially be attacked from anywhere in the world.
With this in mind, have a happy, reflective and, above all, safe Christmas.
About IoT Inspector
IoT Inspector is Europe's leading platform for automated security analysis of IoT firmware. It not only makes it possible to identify vulnerabilities and security risks in the firmware of an IoT device efficiently, but also to check the firmware for compliance with international security standards with the help of the integrated Compliance Checker. Worldwide, IoT Inspector is used by enterprises, infrastructure providers, manufacturers, consultancies and researchers.