IoT Security News — Issues with Authentication and Open Ports
When it comes to the IoT, it is essential to incorporate security into the products during the design phase and anticipate the need to react to new threats. IoT security is an ever-evolving challenge. The news items below about IoT security breaches show that attackers and security experts continue to find new vulnerabilities, often in devices that have been in use for several years.
Industrial Robots Advance in Complexity, But Lag in Security
As industrial robots grow increasingly complex and networked, they present broader attack surfaces to remote malefactors. That was the conclusion reached by researchers from Trend Micro and Politecnico di Milano, Italy, who subjected standard industrial robots to a systematic series of attacks to show how far robots could be compromised.
The researchers found a host of security issues, including outdated software that sometimes relied on obsolete libraries, weak authentication systems, and fixed default passwords. They found that tens of thousands of industrial robots were located on public IP addresses, making them easily accessible to attackers who could create defects in manufactured products, steal data, damage the robots, or cause them to injure humans.
The researchers approached robot vendors with their findings, and some of those vendors have begun working with them on solutions.
New Botnet Targets IoT-Connected Video Cameras
A new botnet, named Persirai (for Persian Mirai), was discovered recently as it went around the globe targeting vulnerable IoT-connected video cameras. By early May, it had infiltrated over 122,000 cameras sold to consumers under more than 1,000 model names. Once a camera is part of the botnet, it can be instructed to attack other cameras and execute DDoS attacks.
Because of inherent flaws in their security, the cameras can be used to open a port on their routers. Each camera then acts as a server and downloads malware from a host site. Once the malware is installed, it deletes itself and runs only in memory so it cannot be detected. It also alters the device so other malware cannot enter the camera.
What makes this hack particularly virulent is that it exploits a zero-day vulnerability in the cameras and enables attackers to obtain the device’s password file. The attackers can then issue commands to the camera regardless of password strength.
Authentication Loophole in Backdoor to IoT-Connected Device
Several GoIP devices made by DBL Technology contain a backdoor that can be used remotely to gain root access to the device. According to researchers who reported on the vulnerability in March, the backdoor lies in the device’s Telnet administrative interface. It relies on a proprietary authentication challenge-and-response procedure that doesn’t use a password but simply requires the administrator to know the challenge itself and the computation of the response.
The researchers said that when they advised DBL Technology of this security loophole, the company did not change the backdoor’s authentication protocol – it only made the response computation more complex.
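The following added example (not from the original article, and not DBL Technology's actual algorithm, which the article does not give) contrasts a secret-free challenge-and-response with a keyed one. The keyless transform, the 32-byte per-device key, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def keyless_response(challenge: bytes) -> bytes:
    # Constructed stand-in for a secret-free scheme: the output depends only
    # on the challenge and a computation that anyone can learn.
    return hashlib.sha256(b"public-transform:" + challenge).digest()

def keyless_verify(challenge: bytes, response: bytes) -> bool:
    # Device side of the weak scheme: no secret is involved in the check.
    return hmac.compare_digest(keyless_response(challenge), response)

def keyed_response(device_key: bytes, challenge: bytes) -> bytes:
    # The response also depends on a per-device secret key (HMAC-SHA256).
    return hmac.new(device_key, challenge, hashlib.sha256).digest()

class KeyedVerifier:
    """Device side: single-use random challenges, constant-time comparison."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False                  # unknown or already-used challenge
        self._pending.discard(challenge)  # each challenge is valid once
        return hmac.compare_digest(keyed_response(self._key, challenge), response)

def compare_schemes() -> dict:
    key = secrets.token_bytes(32)         # constructed per-device key
    device = KeyedVerifier(key)
    c1 = secrets.token_bytes(16)          # challenge under the keyless scheme
    c2 = device.new_challenge()           # answered with the wrong key
    c3 = device.new_challenge()           # answered by the key holder, then replayed
    good = keyed_response(key, c3)
    return {
        "keyless_accepts_without_secret": keyless_verify(c1, keyless_response(c1)),
        "keyed_accepts_wrong_key": device.verify(c2, keyed_response(secrets.token_bytes(32), c2)),
        "keyed_accepts_key_holder": device.verify(c3, good),
        "keyed_accepts_replay": device.verify(c3, good),
    }
```

Making `keyless_response` more elaborate changes none of these results, because the computation itself is the only thing a caller needs to know.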
Backdoors by themselves are not a security hazard, but weak authentication is. As the examples above show, building robust authentication systems continues to be a challenge for makers of IoT devices. SecureRF specializes in providing authentication protocols for the small, low-resource devices that make up most of the IoT. Find out more about how our cryptographic methods can help you secure your products on the IoT by contacting us for a no-obligation consultation and evaluation kit.