- On 26. Apr
Currently, about ten billion devices worldwide, ranging from refrigerators and vacuum cleaners to video cameras and access control systems, are connected to the internet. These “smart” things are eagerly gathering data and readily providing information. But this is just a sneak peek compared with the huge fireworks predicted by Gartner for 2020, with more than 20 billion connected devices. Reason enough for the security experts at SEC Consult to take a closer look and evaluate the current state of security in the Internet of Things (IoT). First off: there is still much to be done before intelligent devices can be handled without worry, that much is certain!
At the SEC Business Breakfast in Vienna on April 24th, 2018, the experts Florian Lukavsky from SEC Technologies and Stefan Viehböck from SEC Consult gave detailed insights into the world of connected devices. They analyzed the current IoT landscape in front of 30 interested visitors from various industries. The fact that the IoT is a welcome entry point for cyberattacks hardly surprised anyone present. Too many headlines about the Mirai botnet with up to 500,000 endpoints are still fresh in their minds. The reason for all this is quite simple: mobile and IoT devices typically do not offer strong security mechanisms, but have more and more computing power and, most importantly, a broadband internet connection at their disposal.
Thus, security is (still) not the topmost priority for IoT devices, and many manufacturers and suppliers are acting with gross negligence: they use poorly programmed firmware. They implement backdoors. They communicate using weak encryption or no encryption at all. The exception? No, rather the norm! One example of many is Sony’s IPELA HD security camera. When the firmware was analyzed with IoT Inspector, it turned out that 80 camera models from this manufacturer are affected by a backdoor vulnerability. By exploiting the vulnerability, an attacker could easily have gained a foothold inside the network and started further attacks, such as interfering with camera functionality, sending manipulated images/videos, or integrating the cameras into a botnet like Mirai. Or he could just spy on you!
The firmware security analysis platform IoT Inspector was developed by SEC Consult to meet the growing demand for efficiently testing IoT firmware for security risks and detecting security vulnerabilities in “smart” devices. Viehböck and Lukavsky demonstrated how easy this powerful platform is to use. Three steps are sufficient to gain certainty as to whether you can potentially be spied on: upload the firmware, let IoT Inspector analyze it, view the report. It’s that easy to expose lax manufacturers.