The annual DEF CON conference has identified 47 security vulnerabilities in 23 IoT (Internet of Things) appliances.
IoT devices continue to show their weaknesses
Just a month after DEF CON ended, we can summarize the results in the area of IoT security. A total of 47 newly identified issues were discovered, affecting 23 appliances from 21 vendors. The information was disclosed during the Internet of Things (IoT) security talks, hacking contests and workshops.
The causes of the problems fall into several categories:
- Poor design choice – This is when the programming team does not implement good security practices that prevent attackers from exploiting the devices. This may involve transferring credentials (usernames and passwords) in plaintext or embedding insecure default configurations.
- Security exploits – These can be remote arbitrary code execution flaws or backdoors.
- Payload delivery – Compromising security using a malware payload.
Affected devices include home security products such as Internet-enabled door locks and padlocks from vendors like iBlulock, Quicklock, Plantraco, Ceomate, Elecycle, Vians, Lagute, Okidokeys and Danalock. Serious security problems were identified, including replay and password capture attacks.
Other affected products include a wheelchair that a malicious user can compromise to disable its safety features. Thermostats that utilise weak, plaintext protocols allow attackers to cause excessive heating, furnace failures or frozen water pipes by manipulating the settings.
A solar array management device was compromised because of its embedded hard-coded password and an open access connection. Remotely controlling such devices can cause a lot of damage, both physical and financial.
All of the demonstrated issues allow criminals to operate the compromised devices and also launch additional network attacks against hosts. Tracking and spying on the user’s activities and network traffic is another popular tactic.
The hacks demonstrate that even home networking and security devices can be compromised easily. The results from the DEF CON conference illustrate once again that overall IoT security is in an abysmal state and vendors should seriously focus on amending the known problems before the criminals take advantage of the situation.