Cybercriminals Join the Party

Dangerous Gifts Under the Christmas Tree

December 15, 2020, 2:10 p.m. | Kathrin Veigel
Electronic devices, such as interactive toys, smart household appliances or networked consumer electronics, are popular Christmas gifts - and often full of security vulnerabilities.
© foto8tik/AdobeStock

At Christmas, people like to give away technical gadgets. But what many people don't realize is that these products have countless security vulnerabilities that attackers use to access private networks, steal data or incorporate hijacked devices into their botnets.

Once again this year, many technical devices such as interactive toys, smart household appliances or networked consumer electronics will be under the Christmas tree. The security experts at IoT Inspector took this as an opportunity to take a closer look at popular items from well-known manufacturers (including those from the USA and Germany). The shocking result: they found a total of over 7,000 vulnerabilities!

In most cases, outdated software with known vulnerabilities was used, sometimes even in the latest firmware version. However, the investigation also identified previously unknown vulnerabilities, which the experts reported to the manufacturers.

Gateway for cybercriminals

The specialists also found flawed maintenance access points that allow attackers to control the device remotely. In the worst case, such devices can be used to spy on their owners or as a weapon for attacks on further targets. Many devices did not even implement basic security measures: for example, manufacturers sometimes used unencrypted transport paths for their firmware updates. Cybercriminals are thus able to redirect the data traffic and inject malware into the devices.

Some devices also stored the user's WiFi password in plain text. In combination with other vulnerabilities, this makes it easy to read the password, and attackers could gain unauthorized access as a result. These are all typical reasons why IoT device vulnerabilities are now one of the main gateways for attackers.
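As an added illustration (not part of the original article and not IoT Inspector's tooling), the following Python sketch shows how a defender could check the configuration files of an unpacked firmware image for the two weaknesses just described: update endpoints fetched over an unencrypted transport and Wi-Fi secrets stored in plain text. The file names, key names, patterns and `example.invalid` hosts are constructed assumptions.

```python
import re

# Constructed sample: config files as they might appear in an unpacked firmware image.
SAMPLE_FILES = {
    "etc/updater.conf": "update_url=http://updates.example.invalid/fw/latest.bin\n"
                        "check_interval=86400\n",
    "etc/device.ini": "wifi_ssid=HomeNet\nwifi_password=Sommer2020!\n",
    "etc/wpa_supplicant.conf": 'network={\n    ssid="HomeNet"\n'
                               '    psk="correct horse battery"\n}\n',
    "etc/wpa_hashed.conf": 'network={\n    ssid="HomeNet"\n    psk=' + "ab" * 32 + "\n}\n",
    "etc/cloud.conf": "api_url=https://api.example.invalid/v1\n",
}

# Heuristic: a key that looks update-related and points at plain HTTP or FTP.
CLEARTEXT_UPDATE = re.compile(
    r"^\s*[\w.-]*(?:update|firmware|fw|ota)[\w.-]*\s*[=:]\s*[\"']?((?:http|ftp)://\S+)",
    re.I,
)
# In wpa_supplicant.conf a quoted psk is the readable passphrase (8 to 63 chars).
# An unquoted 64-hex psk is the derived key: still sensitive, but not the
# plain-text password case, so it is not reported here.
QUOTED_PSK = re.compile(r'^\s*psk\s*=\s*"(.{8,63})"\s*$')
# Assumed vendor-style key names such as wifi_password or wlan-key.
GENERIC_WIFI_SECRET = re.compile(
    r"^\s*(?:wifi|wlan|wpa)[_-]?(?:pass(?:word|phrase)?|key)\s*[=:]\s*(\S+)", re.I
)


def audit(files):
    """Return sorted (path, line_no, finding) tuples for a {path: text} mapping."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # skip commented-out settings
            if CLEARTEXT_UPDATE.match(line):
                findings.append((path, no, "cleartext-update-url"))
            elif QUOTED_PSK.match(line) or GENERIC_WIFI_SECRET.match(line):
                findings.append((path, no, "plaintext-wifi-secret"))
    return sorted(findings)


if __name__ == "__main__":
    for path, no, kind in audit(SAMPLE_FILES):
        print(f"{path}:{no}: {kind}")
```

A clean result from such a scan does not show that updates are authenticated; it only rules out the two patterns searched for.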

These devices were reviewed

When selecting the devices to be examined, IoT Inspector's security experts made a point of not only considering cheap no-name products, but also showing that the dangers lurk in products from reputable companies. The following gadgets were tested:

  • Smart speaker with voice control from a well-known German manufacturer: 1,634 vulnerabilities
  • Messenger for children advertised as "safe" by a leading global supplier of educational toys: 1,019 vulnerabilities
  • Drone from one of the largest providers in this field: 1,250 vulnerabilities
  • Smart home camera system from a major U.S. company: 1,242 vulnerabilities
  • Pet surveillance camera, which is often also used as a baby cam: 643 vulnerabilities
  • Streaming device for children advertised with "the greatest data security": 1,551 vulnerabilities

The experts' demand, addressed above all to the manufacturers of IoT devices, is therefore clear: the security of devices must be considered from the outset and implemented consistently.

Tips for the safe handling of electronic devices

In principle, caution should be exercised with IoT devices and a separate network segment should be set up for them. In addition, buyers of technical devices should take the following tips to heart:

  • Check to see if the manufacturer has a website. Many manufacturers who sell their products on popular online marketplaces are dubious vendors without an Internet presence or a way to contact them.
  • Check if the manufacturer provides regular firmware updates (preferably automatically).
  • Immediately change the password if the device comes with a default password.
  • Find out how much personal information and data you provide to a device. What does the device need this data for, and where is it stored (only locally or also in the cloud)? Many devices work with face, voice and fingerprint recognition or take pictures and videos of the home, family and children. Question whether a device really needs all this information.
  • Be aware of the attack surface. For example, the range (and therefore attack surface) of Bluetooth connections is five to ten meters, while a WiFi connection can reach up to a hundred meters. A device that is controlled online via an app can potentially be attacked from anywhere in the world.
