CDSA

CES 2019: Independent Security Evaluators Tackles IoT Vulnerabilities

Heading into the 2019 CES show, security research and consulting firm Independent Security Evaluators (ISE) is stepping up its research into security vulnerabilities with Internet of Things (IoT) devices.

To date, the ISE Labs division of the company has identified vulnerabilities with nearly two dozen products, and has reported the all the findings for these new vulnerabilities found to the manufactures, including Buffalo, ASUS, TerraMaster, Drobo, ZyXel, Asustor, QNAP, Xiaomi and Lenovo.

Just on Jan. 2, ISE Labs published its latest IoT warning, this time for the Vivotek FD8369A-V IP camera, demonstrating how remote attackers can gain control of the device. “Given the ability to communicate with the camera over a network, an attacker can potentially target all of Vivotek, Inc.’s cameras running firmware version 0206b,” wrote ISE associate security analyst Paul Yun.

“It is important to realize that the growing amount of services and features in embedded devices has also increased the attack surface available to remote adversaries.”

In November alone, ISE Labs shared nearly a dozen cases of IoT security problems, including for the TerraMaster TOS 3.1.03, the Lenovo ix4–300d, the ASUSTOR AS-602T, and the ZyXEL NSA325.

“ISE Labs … discovered five new vulnerabilities in the web interface for the ASUS RT-AC3200 router and other devices running ASUSWRT,” wrote Shaun Mirani, junior security analyst with ISE, in a post about the security problems with some ASUS devices. “This is a diverse set of flaws; in addition to finding traditional web application issues like XSS, CSRF, and command injection, we identified a pair of memory corruption/disclosure bugs that enable an authenticated attacker to run arbitrary code as root.”

With hundreds of new IoT devices set to be unveiled in Las Vegas at CES, ISE Labs will have plenty of work ahead of it in the coming months.

“By now, we’ve all heard that the IoT security outlook is bleak. But the implications are especially serious for media and entertainment, an industry heavily reliant on the safe storage, processing, and transmission of proprietary content,” an ISE rep told the Media & Entertainment Services Alliance (MESA).

Of the 13 SOHO routers and enterprise NAS devices ISE assessed in the last year, all contained high-severity vulnerabilities that threat actors can exploit to steal valuable intellectual property. Even machines that don’t directly touch sensitive data can serve as pivot points for attackers to spread further into the network, eventually enabling a breach.

“It’s important to understand the very real risk that inadequately secured devices pose. These are not complicated attacks, limited to the realm of state and corporate espionage – they’re often trivial to conduct and are absolutely within the reach of unskilled adversaries with limited funding,” ISE said. “M&E organizations without a mitigation strategy for IoT bugs are effectively gambling with high-value assets. Any company working with content worth protecting should undergo a professional security assessment to identify vulnerable devices living on its networks, determine what liability they carry, and secure them appropriately.”

For more information about ISE Labs, click here.