It is no secret that the security mechanisms in IoT devices are far from perfect. The known categories of smart-device vulnerabilities are well described in the OWASP IoT Top 10 2018. The list has changed considerably since the previous 2014 edition: some items disappeared entirely, others were updated, and new ones appeared.


To show how relevant this list is, we found examples of vulnerable IoT devices for each category. Our goal is to demonstrate the risks that smart-device users face every day.


Vulnerable devices come in every form, from children's toys and alarms to cars and refrigerators. Some devices appear in our list more than once. All of this is, of course, an indicator of the low level of IoT device security in general.




I1 Weak, guessable, or hard-coded passwords


Use of passwords that are easy to brute-force, publicly available (for example, printed in the manual) or unchangeable, including backdoors in firmware or client software that allow unauthorized access to the system.


Device | CWE | Security flaw
Netgear routers | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | Anyone on the network can exploit the configuration confusion to take control of the device, change its DNS settings and redirect browsers to malicious sites.
Loxone Smart Home | CWE-261: Weak Encoding for Password | An attacker can recover user passwords and therefore access their accounts.
AGFEO smart home ES 5xx/6xx | CWE-261: Weak Encoding for Password | An attacker can recover user passwords and therefore access their accounts.
Moxa AP industrial wireless access point | CWE-260: Password in Configuration File | An attacker can log in with the administrator username and password given in the manual and gain management access to the whole system.
Heatmiser thermostat | CWE-260: Password in Configuration File | An attacker can log in with the administrator username and password given in the manual and gain management access to the whole system.
Mvpower digital video recorder | CWE-521: Weak Password Requirements | The administrator account requires no password at login, so anyone can use it.
DBPOWER U818A Wi-Fi quadcopter drone | CWE-276: Incorrect Default Permissions | An attacker can access the file system anonymously, without any password.
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password | A hard-coded password gives an attacker administrator privileges, and therefore full control of the system.
LG vacuum cleaner | CWE-287: Improper Authentication | An attacker can bypass authentication and view the video recordings from the device.
Eminent EM6220 camera | CWE-312: Cleartext Storage of Sensitive Information | The manual specifies the password 123456, which most users keep without a second thought, leaving the device exposed.
LIXIL Satis toilet | CWE-259: Use of Hard-coded Password | The password for the Bluetooth connection is stored in clear text, which lets an attacker operate the smart toilet at will, against the owner's wishes.
FUEL drill | CWE-259: Use of Hard-coded Password | An attacker can find the hard-coded password, gain administrator rights and control the device.
Billion 7700NR4 router | CWE-798: Use of Hard-coded Credentials | Hard-coded credentials let an attacker take complete control of the device.
Canon printers | CWE-269: Improper Privilege Management & CWE-295: Improper Certificate Validation | No username or password is required to access the device, so an attacker can reach it and replace the firmware.
Parrot AR.Drone 2.0 | CWE-285: Improper Authorization | An empty username/password pair lets an attacker connect to the drone and control it.
Amazon Ring camera | CWE-285: Improper Authorization | An attacker can authenticate with the default credentials.
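
Much of the I1 class can be caught before a device ships, or by a buyer who unpacks the firmware, with a few mechanical checks over the root filesystem. The script below is an added example, not from the original article or from any vendor: it works over a dictionary of path to file contents (the two sample images are constructed for this example) and flags empty password fields for accounts with a login shell, password literals in scripts and sources, and the same password hash appearing in more than one image, which is the hard-coded-credential case (CWE-798) that a strong hash alone does not fix.

```python
"""Offline checks for I1-style credential problems in an unpacked firmware
root filesystem. Added example; the sample images are invented."""
import re
from collections import defaultdict

# Matches "password = 'x'", "passwd: x", "pass == \"x\"" in shell, ini and C sources.
HARDCODED_RE = re.compile(
    r"""\b(?:pass(?:word|wd)?|pwd)\s*(?:==|=|:)\s*["']?([^"'\s;)]{3,})""", re.I)

# Constructed sample images (path -> contents). Real input would come from
# unpacking an image with binwalk or the vendor's own tooling.
IMAGE_A = {
    "/etc/passwd": "root:x:0:0:root:/:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n",
    "/etc/shadow": "root:$1$salt$AbCdEfGhIjKlMnOpQrStU.:0:0:99999:7:::\nadmin::0:0:99999:7:::\n",
    "/etc/config/system": "option hostname 'cam'\noption telnet_enable '1'\n",
    "/www/cgi-bin/login.cgi": 'if (user == "support" && pass == "s3cr3t") { grant_admin(); }\n',
}
IMAGE_B = {
    "/etc/passwd": "root:x:0:0:root:/:/bin/sh\n",
    "/etc/shadow": "root:$1$salt$AbCdEfGhIjKlMnOpQrStU.:0:0:99999:7:::\n",
}


def parse_shadow(text):
    """Return {user: password_field} from /etc/shadow-style content."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def login_shells(passwd_text):
    """Users from /etc/passwd whose shell is not a nologin/false stub."""
    users = set()
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and not f[6].endswith(("nologin", "false")):
            users.add(f[0])
    return users


def scan_image(files):
    """Return a list of (cwe, path, detail) findings for one unpacked rootfs."""
    findings = []
    shells = login_shells(files.get("/etc/passwd", ""))
    # Empty password field + usable shell: login with no password at all.
    for user, pw in parse_shadow(files.get("/etc/shadow", "")).items():
        if pw == "" and user in shells:
            findings.append(("CWE-521", "/etc/shadow",
                             f"account '{user}' has an empty password and a login shell"))
    # Password literals in anything that is not the account database itself.
    for path, content in files.items():
        if path in ("/etc/shadow", "/etc/passwd"):
            continue
        for m in HARDCODED_RE.finditer(content):
            findings.append(("CWE-259", path,
                             f"hard-coded password literal '{m.group(1)}'"))
    return findings


def shared_hashes(images):
    """Password hashes present in more than one image: the same credential is
    baked into every unit (CWE-798), however strong the hash looks on its own."""
    seen = defaultdict(set)
    for name, files in images.items():
        for user, pw in parse_shadow(files.get("/etc/shadow", "")).items():
            if pw and not pw.startswith(("*", "!")):   # skip locked accounts
                seen[pw].add(f"{name}:{user}")
    return {h: sorted(where) for h, where in seen.items() if len(where) > 1}


if __name__ == "__main__":
    for finding in scan_image(IMAGE_A):
        print(*finding, sep=" | ")
    print(shared_hashes({"A": IMAGE_A, "B": IMAGE_B}))
```

The cross-image check is the one most scanners skip: a single image with a hashed root password looks fine in isolation, and only comparing several images (or several units) shows that all of them share the same secret.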

I2 Insecure network services


Unneeded or insecure network services running on the device itself (especially those exposed to the Internet) that compromise the confidentiality, integrity/authenticity or availability of information, or allow unauthorized remote control of the device.


Device | CWE | Security flaw
Smart massager | CWE-284: Improper Access Control | An attacker can change the massager's parameters and hurt the user, causing skin burns and other harm.
Implantable cardiac device | CWE-284: Improper Access Control | An attacker can change the settings of the implant, which can drain the battery faster and/or harm the patient's health.
Hikvision Wi-Fi IP camera | CWE-284: Improper Access Control | An attacker can remotely control the camera and even disable it.
Foscam C1 indoor HD cameras | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Remote code execution on the camera can lead to leakage of sensitive user information.
Furby toy | CWE-284: Improper Access Control | An attacker can modify the firmware and use the Furby to spy on children.
My Friend Cayla toy | CWE-284: Improper Access Control | An attacker can monitor users and collect information about them.
iSmartAlarm | CWE-20: Improper Input Validation | An attacker can freeze the alarm so that it stops triggering.
iSPY Camera Tank | CWE-284: Improper Access Control | An attacker can log in to the device as an anonymous user and gain control of its file system.
DblTek GoIP | CWE-598: Information Exposure Through Query Strings in GET Request | An attacker can send commands that change the configuration or turn off the device.
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password | An attacker can gain administrator privileges, change device settings and even monitor users.
Sony IPELA Engine IP cameras | CWE-287: Improper Authentication | An attacker can use the camera to send photos and video, add the camera to the Mirai botnet, or monitor users.
iSmartAlarm | CWE-295: Improper Certificate Validation | An attacker could obtain the password or other user data by presenting a fake SSL certificate.
D-Link 850L routers | CWE-798: Use of Hard-coded Credentials | Because of an insecure network service, an attacker could gain complete control of the device.
Amazon Ring Video Doorbell | CWE-419: Unprotected Primary Channel | Credentials for connecting to the device are transmitted over an insecure channel.
Cacagoo IP camera | CWE-287: Improper Authentication | An attacker can obtain unauthorized access to the device and then manage it.
Trifo Ironpie M6 vacuum cleaner | CWE-284: Improper Access Control | An attacker can remotely connect to and control the device.
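
A quick way to see how much of the I2 surface a device exposes is to capture its listening sockets (over a serial console, or from a shell reached through the admin interface) and compare them against services that should never face the network without strong authentication. The helper below is an added example, not part of the article: the netstat -tuln output and the risk table are constructed for illustration, and the table is deliberately opinionated (port 80 is listed because a cleartext admin UI is exactly the CSRF/XSS surface of the next category).

```python
"""Flag risky network services bound to all interfaces, from netstat output.
Added example; the sample output and risk table are constructed."""
import re

# Constructed `netstat -tuln` capture, as it might be read from a camera's
# serial console. The lines are invented for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:1900            0.0.0.0:*
"""

# Services a device should not expose on every interface unauthenticated.
# port -> (name, why it matters). Assumption of this example, not a standard.
RISKY = {
    23: ("telnet", "cleartext login, usually with default credentials"),
    21: ("ftp", "cleartext login; anonymous access is common in firmware"),
    554: ("rtsp", "video stream, often served without authentication"),
    1900: ("ssdp/upnp", "lets any LAN peer open ports or reconfigure the device"),
    80: ("http", "admin UI over cleartext; CSRF/XSS surface"),
}

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(netstat_text):
    """Yield (proto, bind_addr, port) for every listening socket line."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def exposed_services(netstat_text):
    """Return (proto, port, name, note) for risky services reachable from
    any interface. Loopback-only services are deliberately not reported."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        if addr in WILDCARD_BINDS and port in RISKY:
            name, note = RISKY[port]
            findings.append((proto, port, name, note))
    return findings


if __name__ == "__main__":
    for proto, port, name, note in exposed_services(SAMPLE_NETSTAT):
        print(f"{proto}/{port} ({name}): {note}")
```

On the constructed capture this reports telnet, the HTTP admin UI, RTSP and SSDP, and ignores SSH and the loopback-only service on port 9000. Binding a service to 127.0.0.1 (or the device's management VLAN only) is the cheapest fix in this category; removing the service is cheaper still.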

I3 Insecure ecosystem interfaces


Insecure web, backend API, cloud or mobile interfaces in the ecosystem outside the device that allow the device or its related components to be compromised. Common problems include a lack of authentication/authorization, missing or weak encryption, and a lack of input and output filtering.


Device | CWE | Security flaw
Moxa AP industrial wireless access point | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | An attacker can take over a session that never expires.
AXIS cameras | CWE-20: Improper Input Validation | An attacker can modify any file on the system after obtaining administrator rights.
Belkin smart home products | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') & CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | An attacker can gain access to the phone and to sensitive information.
D-Link DIR-300 routers | CWE-352: Cross-Site Request Forgery (CSRF) | An attacker can change the administrator account's password and obtain its privileges.
AVTECH IP cameras, NVRs and DVRs | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | An attacker can change device settings (for example, user passwords) through a CSRF attack.
AGFEO smart home ES 5xx/6xx | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | An attacker can access all files stored on the system, change the device configuration and install an illegitimate update.
Loxone Smart Home | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | All device functions can be controlled by an attacker through web interface commands.
TP-Link TL-SG108E switch | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | An attacker can mount an XSS attack on the device and make the administrator's browser execute attacker-supplied JavaScript.
Hanbanggaoke IP camera | CWE-650: Trusting HTTP Permission Methods on the Server Side | An attacker can change the administrator password and obtain its privileges.
iSmartAlarm | CWE-287: Improper Authentication | An attacker can send commands to the device, turning it on and off.
Western Digital My Cloud | CWE-287: Improper Authentication | An attacker can gain full control of the device.
In-flight entertainment systems | CWE-287: Improper Authentication | An attacker can control the passenger information displays, for example by faking flight data (altitude, speed and so on).
KeyWe smart lock | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | An attacker can recover the key needed to open the door.
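
Several rows in the I3 table describe one pattern in a device web interface: a state-changing request such as a password change that is accepted over GET, carries no anti-CSRF token, and echoes input back into the page unescaped. The two handlers below are an added example, not code from the article or from any of the listed vendors; the request dictionary, session store and user table are constructed stand-ins for the device's HTTP server so the logic can run without a network.

```python
"""A device admin 'change password' endpoint, vulnerable and hardened.
Added example; USERS, SESSIONS and the request dicts are constructed."""
import hmac
import html
import secrets
from urllib.parse import parse_qs

USERS = {"admin": "admin"}   # username -> password; a weak default, on purpose
SESSIONS = {}                # session id -> {"user": ..., "csrf": ...}


def new_session(user):
    """Log a user in: random session id plus a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def vulnerable_change_password(request):
    """The pattern from the table: any method is accepted (CWE-650), the
    session cookie alone authorizes the change (CWE-352), the password
    travels in the query string (CWE-598), the caller picks *which* account
    to change, and the username is reflected unescaped (CWE-79)."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401, "login required"
    params = parse_qs(request["query"])
    user = params.get("user", [sess["user"]])[0]
    USERS[user] = params.get("new", [""])[0]
    return 200, f"<p>Password for {user} changed</p>"


def hardened_change_password(request):
    """Same feature with the checks a device UI needs."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401, "login required"
    if request["method"] != "POST":
        return 405, "method not allowed"            # no state change on GET
    form = parse_qs(request["body"])
    token = form.get("csrf", [""])[0]
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "bad CSRF token"                # cross-site forms cannot know it
    if form.get("current", [""])[0] != USERS[sess["user"]]:
        return 403, "current password incorrect"    # re-authenticate for a sensitive change
    new = form.get("new", [""])[0]
    if len(new) < 12:
        return 400, "password too short"            # CWE-521 guard
    USERS[sess["user"]] = new                       # only the caller's own account
    return 200, f"<p>Password for {html.escape(sess['user'])} changed</p>"


if __name__ == "__main__":
    sid = new_session("admin")
    # A link on any web page the admin visits is enough for the vulnerable handler.
    print(vulnerable_change_password({"method": "GET", "cookies": {"sid": sid},
                                      "query": "user=admin&new=pwned", "body": ""}))
    print(hardened_change_password({"method": "GET", "cookies": {"sid": sid},
                                    "query": "user=admin&new=pwned", "body": ""}))
```

The hardened handler changes only the logged-in user's own password, re-checks the current password, requires POST with a session-bound CSRF token, and HTML-escapes what it reflects. Keep all of these: on most devices the session cookie is the only thing the browser attaches automatically, so a form on an attacker's page satisfies every other condition the vulnerable version checks.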

I4 Lack of a secure update mechanism


Inability to securely update the device. This includes a lack of firmware validation on the device, a lack of secure delivery (updates transferred unencrypted), a lack of anti-rollback mechanisms that would prevent downgrading to older firmware, and a lack of notifications about security-relevant updates.


Device | CWE | Security flaw
GeoVision devices | CWE-295: Improper Certificate Validation | An attacker can update the device firmware without authorization.
Canon printers | CWE-295: Improper Certificate Validation | There is no authentication mechanism: anyone can access the device and update or replace the firmware.
Nest smart thermostat | CWE-940: Improper Verification of Source of a Communication Channel | Firmware is delivered to the device over an insecure transfer protocol, and there is no way to verify that it is legitimate.
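
The I4 rows come down to three missing checks: that the update came from the vendor, that it is newer than what is installed, and that the bytes flashed are the bytes the manifest describes. The code below is an added example, not from the article, the OWASP project or any vendor. It uses HMAC-SHA256 with a key held on the device purely so that the example runs with the Python standard library; a real device would verify an asymmetric signature (for example Ed25519 or RSA-PSS) against a vendor public key, so that nothing stored on the device can produce a valid signature. The blob layout and the installed-version constant are also assumptions of this example.

```python
"""Signed firmware update with anti-rollback and image binding.
Added example. HMAC stands in for the asymmetric signature a real device
would verify; the blob layout is invented for this example."""
import hashlib
import hmac
import json
import struct

# Device-side state (constructed). On real hardware the installed version
# lives in a monotonic counter or write-protected storage, and the key would
# be a vendor *public* key, not a shared secret.
INSTALLED_VERSION = 7
UPDATE_KEY = b"vendor-signing-key-placeholder"
TAG_LEN = 32


def tag_for(manifest_bytes: bytes, key: bytes = UPDATE_KEY) -> bytes:
    """Authentication tag over the manifest bytes exactly as transmitted."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).digest()


def build_update(image: bytes, version: int) -> bytes:
    """Vendor side. Layout: [u32 manifest_len][manifest JSON][tag][image]."""
    manifest = {"version": version,
                "sha256": hashlib.sha256(image).hexdigest(),
                "size": len(image)}
    mbytes = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return struct.pack(">I", len(mbytes)) + mbytes + tag_for(mbytes) + image


def verify_update(blob: bytes, installed_version: int = INSTALLED_VERSION):
    """Device side. Returns (ok, reason, image). Nothing read from the
    manifest is acted on until the tag over the manifest has been checked."""
    if len(blob) < 4:
        return False, "truncated", None
    (mlen,) = struct.unpack(">I", blob[:4])
    if mlen > 4096 or len(blob) < 4 + mlen + TAG_LEN:
        return False, "truncated", None
    mbytes = blob[4:4 + mlen]
    tag = blob[4 + mlen:4 + mlen + TAG_LEN]
    image = blob[4 + mlen + TAG_LEN:]
    # 1. Authenticity: constant-time compare of the recomputed tag.
    if not hmac.compare_digest(tag_for(mbytes), tag):
        return False, "bad signature", None
    try:
        manifest = json.loads(mbytes)
    except ValueError:
        return False, "bad manifest", None
    # 2. Anti-rollback: an older or equal version is never accepted.
    if manifest.get("version", -1) <= installed_version:
        return False, "rollback rejected", None
    # 3. Binding: hash the exact bytes that will be flashed.
    if (len(image) != manifest.get("size")
            or hashlib.sha256(image).hexdigest() != manifest.get("sha256")):
        return False, "image hash mismatch", None
    return True, "ok", image


if __name__ == "__main__":
    firmware = b"\x7fELF" + bytes(range(256)) * 4     # constructed image
    print(verify_update(build_update(firmware, 8))[:2])
    print(verify_update(build_update(firmware, 7))[:2])   # downgrade attempt
```

Order matters: the version and hash fields are trusted only after the tag over the manifest bytes has been checked, and the hash is computed over the image bytes in hand rather than over a separately downloaded copy. Rejecting version <= installed covers the rollback case in the category description, provided the installed version itself is stored where the update process cannot silently rewrite it.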

I5 Use of insecure or outdated components


Use of deprecated or insecure software components or libraries that could allow the device to be compromised. This includes insecure customization of the operating system and the use of third-party software or hardware obtained through a compromised supply chain.


Device | CWE | Security flaw
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls | An attacker with a soldering iron can modify the speaker's configuration and turn it into a listening device.
Light bulb | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls | An attacker can tamper with the lamp's components by soldering.

I6 Insufficient privacy protection


Users' personal information stored on the device or in the ecosystem is used insecurely, improperly, or without permission.


Device | CWE | Security flaw
Gator 2 smartwatch | CWE-359: Exposure of Private Information ('Privacy Violation') | An attacker can obtain the firmware version, IMEI, time, positioning method (GPS/Wi-Fi), coordinates and battery level.
D-Link DIR-600 and DIR-300 routers | CWE-200: Information Exposure | An attacker can obtain sensitive device information or make the device part of a botnet.
Samsung Smart TV | CWE-200: Information Exposure | An attacker can access binary files or audio files stored on the TV.
Home security camera | CWE-359: Exposure of Private Information ('Privacy Violation') | User photos can be stolen by an attacker and published online.
We-Vibe smart sex toys | CWE-359: Exposure of Private Information ('Privacy Violation') | An attacker can obtain the device's temperature and vibration intensity.
iBaby M6 baby monitor | CWE-359: Exposure of Private Information ('Privacy Violation') | An attacker can view stored information, including video details.

I7 Insecure data transfer and storage


Lack of encryption or access control for sensitive data anywhere in the ecosystem: at rest, in transit or during processing.


Device | CWE | Security flaw
Owlet Wi-Fi baby heart monitor | CWE-201: Information Exposure Through Sent Data | An attacker can watch children and parents through the camera.
Samsung fridge | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | An attacker could obtain the credentials of victims' Google accounts.
Volkswagen car | CWE category: Cryptographic Issues | An attacker could gain remote control of the car.
HS-110 smart plug | CWE-201: Information Exposure Through Sent Data | An attacker can control the plug, for example turning off its indicator light.
Loxone Smart Home | CWE-201: Information Exposure Through Sent Data | An attacker can control every device in the smart home system and obtain the user's access rights.
Samsung Smart TV | CWE-200: Information Exposure | An attacker can listen on the wireless network and brute-force the key to decrypt the traffic.
D-Link 850L routers | CWE-319: Cleartext Transmission of Sensitive Information | An attacker can remotely control the device.
Boosted, Revo and E-Go skateboards | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | An attacker can send commands to control the board.
LIFX smart LED light bulbs | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | An attacker can intercept and decrypt traffic, including network configuration data.
Stuffed toys | CWE-521: Weak Password Requirements | User recordings are stored in a way that lets an attacker access them.
IoT smart deadbolt | CWE-922: Insecure Storage of Sensitive Information | An attacker could access sensitive information stored on the device.
ASUS router | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | An attacker could access sensitive user information.

I8 Lack of device management


Lack of security support for devices deployed in production, including asset management, update management, secure decommissioning, system monitoring, and response capabilities.


Device | CWE | Security flaw
TP-LINK IP surveillance camera | (no matching CWE found) | The device is out of support and no longer receives updates, so an attacker can freely exploit its known vulnerability.

I9 Insecure default settings


Devices or systems shipped with insecure factory settings, or lacking the ability to make the system more secure by restricting configuration changes.


Device | CWE | Security flaw
Smarter iKettle and Smarter Coffee machines | CWE-15: External Control of System or Configuration Setting | An attacker can take complete control of the device because most users never reconfigure their coffee machine and leave the insecure factory settings in place.
Parrot AR.Drone 2.0 | CWE-284: Improper Access Control | The drone's default settings allow an unauthorized party to connect to it and control it.
HP fax machine | CWE-276: Incorrect Default Permissions | An attacker can exploit the insecure default fax settings and the complete absence of security mechanisms.
Smart speakers | CWE-1068: Inconsistency Between Implementation and Documented Design | The speakers are activated by words not listed in the documentation and listen to what is happening around them.

I10 Lack of physical hardening


Lack of physical hardening lets a potential attacker obtain sensitive information that can help in a later remote attack, or take local control of the device.


Device | CWE | Security flaw
Mi-Cam baby monitors | CWE-284: Improper Access Control | An attacker can spy on users.
TOTOLINK router | CWE-20: Improper Input Validation | An attacker can plant a backdoor.
TP-Link router | CWE-284: Improper Access Control | Through an unprotected UART an attacker can obtain administrator privileges and make the device part of a botnet.
Nest smart thermostat | CWE-284: Improper Access Control | An attacker can boot the processor from a peripheral connected over USB or UART.
Blink XT2 Sync Module | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls | An unprotected connector lets an attacker attach to the device.
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls | An attacker with a soldering iron can modify the speaker's configuration and turn it into a listening device.

Unfortunately, the list goes on and on. More and more IoT devices are appearing on the market, which means new opportunities for cybercriminals. Our selection of vulnerable IoT devices is not the only one; we suggest you also look at Safegadget, Exploitee and Awesome IoT Hacks.


As you can see, most of the vulnerabilities fall into one of the ten categories of the OWASP list, which suggests that IoT manufacturers do not learn from each other's mistakes. Most of them are application security issues. Some of the devices mentioned have already been enlisted in botnets because the measures vendors took to improve security were insufficient.


The US National Institute of Standards and Technology has published NISTIR 8200, Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT). The report surveys the security standards that apply to IoT and gives recommendations for improving its security. In addition, manufacturers of IoT devices are encouraged to use software that can prevent, detect and mitigate harmful effects on the devices they produce.


Before buying an IoT device, read as many reviews as you can to choose the safest one. And remember: there are no secure devices, only ones nobody has examined yet. So our other recommendation is to raise the security of your IoT devices yourself, for example by setting a strong password in the settings. Also consider the popular OpenWrt project, which has significantly improved the security of many devices, especially those their vendors have "forgotten".


For our part, we offer an IoT and network device security research service. It is useful both to manufacturers and to buyers of large batches of such devices (for example, perimeter security cameras).
