IoT device manufacturers missed more than 100 vulnerabilities, argues new security research

The Internet of Things (IoT) security problem is not going anywhere fast; according to new research from Independent Security Evaluators (ISE), 125 vulnerabilities were found across 13 IoT devices analysed.

The Maryland-based security firm found at least one web application vulnerability, such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi), in all of the 13 assessed devices. According to ISE, these vulnerabilities could be used by cyber-attackers to get remote access to the device’s shell or to the administrative panel.

ISE conducted its research by acquiring root shells on 12 of the devices, which allowed complete control over them. Six of these can easily be misused remotely without authentication. These devices, described as ‘highly vulnerable’, were the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.

ISE founder Stephen Bono said: “We found that many of these issues were trivial to exploit and should have been discovered even in a rudimentary vulnerability assessment. This indicates that these manufacturers likely undergo no such assessment whatsoever, that the bug bounty programs they employ are ineffective, that vulnerability disclosures sent to them are not addressed, or more likely, all of the above.”

In August, an ABI Research report argued that certain industries will be ‘woefully underfunded and incredibly vulnerable to cyber-attacks’ as the IoT ecosystem grows. It said the financial, information and communication technologies, and defence industries will account for 56% of the £111 billion projected total cyber security spend in critical infrastructure in 2024.
