A follow-up study investigating the security of IoT devices has found that vulnerability rates have not decreased since 2013.
Research firm Independent Security Evaluators (ISE) published a study in 2013, “SOHOpelessly Broken 1.0”, which looked into vulnerabilities across 13 SOHO wireless routers and NAS devices and found a total of 52 vulnerabilities in devices made by vendors including Belkin, Asus, TP-Link and Linksys.
The results of a follow-up study were published yesterday, revealing that the same number of devices as were examined in 2013 were now affected by a total of 125 vulnerabilities.
The researchers explained in a blog post that they focused on these particular devices because of their security implications for the network, and because they wanted to see whether any improvements had been made to the devices' security performance.
In the latest study, 13 contemporary IoT devices were tested, and in 12 out of 13 cases researchers managed to obtain remote root-level access. Other vulnerabilities identified included buffer overflow issues, command injection security flaws and cross-site scripting (XSS) errors.
ISE stated that every device examined contained at least one vulnerability that could be exploited. A total of six devices were susceptible to remote exploit without authentication.
ISE researcher Joshua Meyer commented:
“We were expecting to find issues in the devices; however, the number and severity of the issues exceeded those expectations. Our first reaction to a lot of our findings was: ‘It can’t really be this easy, right?’”
The researchers disclosed all of the vulnerabilities to the device manufacturers. The majority of companies have acknowledged the issue, whilst others are working on addressing the vulnerabilities.
“Our results show that businesses and homes are still vulnerable to exploits that can result in significant damage,” says ISE researcher Rick Ramgattie. “These issues are completely unacceptable in any current web application. Today, security professionals and developers have the tools to detect and fix most of these types of issues which we found, exploited, and disclosed six years ago. Our research shows that they are still regularly found in IoT devices.”