October 27, 2015 By Douglas Bonderud

The Internet of Things (IoT) comes with inherent risk. Potential abounds — after all, always-connected devices offer big benefits for companies. But with each new device comes another endpoint and another inroad for determined attackers. According to SecurityWeek, the latest set of vulnerabilities stems from power quality measurement tools.

ICS-CERT noted that the products are used across multiple continents, and while some of the flaws have been remedied with a firmware update, others aren’t effectively fixed. Can companies power through these IoT problems, or is it time to flip the switch?

Hot and Cold Vulnerabilities

In March 2015, security firm Applied Risk discovered flaws in six power analyzers produced by Janitza Electronics: the UMG 508, 509, 511, 512, 604 and 605. When contacted, Janitza was initially “hostile” and unwilling to discuss the results of any security testing but eventually changed its tune. As work progressed, however, the company stopped returning emails, though it eventually released a firmware update. The hot-and-cold attitude isn’t uncommon; vendors don’t like security problems stripped bare, even if they’re just one of many to experience similar issues. Many come on board to help mitigate IoT concerns but may back off once they feel problems are effectively contained.

When it comes to Janitza products specifically, three key flaws were identified: CVE-2015-3968, CVE-2015-3971 and CVE-2015-3972. The first deals with an undocumented default password used to access both an FTP service and Web interface. If attackers discovered the password, they could log in and then upload or download arbitrary files. CVE-2015-3971, meanwhile, allowed cybercriminals to exploit a remote debug interface on TCP Port 1239 to read and write files in addition to executing JASIC code, which, according to Applied Risk, let attackers “adjust system parameters, manipulate measurement values and change the function of the device.”

The final vulnerability demonstrates a problem with the power analyzers’ UMG Web interface: It has no default password. And while users can manually set a short PIN, there are no lockout mechanisms that prevent attackers from trying multiple character combinations until they crack it through brute force.

Tests were conducted using firmware version r4051, build 244. Janitza has now released r4061, build 269, but Applied Risk still recommended these devices be used only from behind a firewall using proper network segregation.
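As an added example (not from the article, Applied Risk or Janitza), the following sketch audits flow records for the two conditions described above: the FTP, Web and debug (TCP 1239) services being reached from outside a management segment, and bursts of Web connections from one source, which matter because the PIN has no lockout. The addresses, log format, segment and threshold are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions (not from the article): addresses, log format, threshold are constructed.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")   # hypothetical management segment
ANALYZERS = {"10.50.1.10", "10.50.1.11"}          # hypothetical power analyzer addresses
SERVICES = {21: "ftp", 80: "web", 1239: "debug"}  # services named in the advisory
WEB_BURST = 5                                     # max web connections per source per minute

# Constructed flow records: "minute src dst dport"
SAMPLE = """\
2015-10-27T09:00 10.20.0.5 10.50.1.10 80
2015-10-27T09:01 192.0.2.44 10.50.1.10 1239
2015-10-27T09:02 10.30.7.9 10.50.1.11 21
2015-10-27T09:03 10.20.0.8 10.50.1.11 1239
2015-10-27T09:04 10.20.0.5 10.60.0.1 80
""" + "2015-10-27T09:05 10.30.7.9 10.50.1.10 80\n" * 6

def audit_flows(text):
    """Return segregation violations, then web connection bursts, for analyzer hosts."""
    violations, web_hits = set(), Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        minute, src, dst, dport = parts[0], parts[1], parts[2], int(parts[3])
        if dst not in ANALYZERS or dport not in SERVICES:
            continue  # not one of the exposed analyzer services
        try:
            inside = ipaddress.ip_address(src) in MGMT_NET
        except ValueError:
            continue  # unparseable source address
        if not inside:
            violations.add(("segregation", src, dst, SERVICES[dport]))
        if dport == 80:
            web_hits[(minute, src, dst)] += 1  # no lockout, so rate is the only signal
    bursts = [("web-burst", src, dst, n)
              for (minute, src, dst), n in sorted(web_hits.items()) if n > WEB_BURST]
    return sorted(violations) + bursts

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE):
        print(finding)
```
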

Welcome to the Party

Janitza’s devices have plenty of company in the arena of security risk. High-profile hacks on cars and medical devices have been conducted multiple times. Recently, Pen Test Partners found that it was possible to hack a new smart kettle on the market. Once compromised, attackers could gain access to Wi-Fi network keys and, in turn, everything on the network. Worst case? They could reroute network traffic and lock out all users. As noted by Dark Reading, more tech-focused devices, such as a common Belkin wireless repeater, are also hampered by multiple vulnerabilities.

What’s more, the lag time between diagnosis and remediation is often substantial: For Belkin it took eight months, while Janitza took seven to address its power analyzer problems. Bottom line? There’s an underlying issue with the IoT. While companies are eager to be first in their market niche to deliver always-connected devices, most build out security for these devices as if no such connection exists. They’re operating from a familiar, albeit outdated, model that requires physical links to enable Internet connection. The always-on nature of IoT devices, however, means they represent a persistent attack surface and must therefore be secured in the same way as critical network infrastructure.

Right now, companies are taking a page from “Fight Club”: Rule No. 1 is to never talk about any IoT issues. A better idea is to blow the doors off old practices. Companies are dealing with common pain points, and in this case, sharing is the fastest, easiest way to improve IoT security.
