October 27, 2015 By Douglas Bonderud 3 min read

The Internet of Things (IoT) comes with inherent risk. Potential abounds — after all, always-connected devices offer big benefits for companies. But with each new device comes another endpoint and another inroad for determined attackers. According to SecurityWeek, the latest set of vulnerabilities stem from power quality measurement tools.

ICS-CERT noted that the products are used across multiple continents, and while some of the flaws have been remedied with a firmware update, others aren’t effectively fixed. Can companies power through these IoT problems, or is it time to flip the switch?

Hot and Cold Vulnerabilities

In March 2015, security firm Applied Risk discovered flaws in six power analyzers produced by Janitza Electronics: the UMG 508, 509, 511, 512, 604 and 605. When contacted, the firm was initially “hostile” and unwilling to discuss the results of any security testing but eventually changed its tune. As work progressed, however, Janitza stopped returning emails but eventually released a firmware update. The hot-and-cold attitude isn’t uncommon; vendors don’t like security problems stripped bare, even if they’re just one of many to experience similar issues. Many come on board to help mitigate IoT concerns but may back off once they feel problems are effectively contained.

When it comes to Janitza products specifically, three key flaws were identified: CVE-2015-3968, CVE-2015-3971 and CVE-2015-3972. The first deals with an undocumented default password used to access both an FTP service and Web interface. If attackers discovered the password, they could log in and then upload or download arbitrary files. CVE-2015-3971, meanwhile, allowed cybercriminals to exploit a remote debug interface on TCP Port 1239 to read and write files in addition to executing JASIC code, which, according to Applied Risk, let attackers “adjust system parameters, manipulate measurement values and change the function of the device.”

The final vulnerability demonstrates a problem with the power analyzers’ UMG Web interface: It has no default password. And while users can manually set a short PIN, there are no lockout mechanisms that prevent attackers from trying multiple character combinations until they crack it through brute force.

Tests were conducted using firmware version r4051, build 244. Janitza has now released r4061, build 269, but Applied Risk still recommended these devices be used only from behind a firewall using proper network segregation.

Watch the on-demand webinar to learn more about securing the internet of things

Welcome to the Party

Janitza’s devices have plenty of company in the arena of security risk. High-profile hacks on cars and medical devices have been conducted multiple times. Recently, Pen Test Partners found that it was possible to hack a new smart kettle on the market. Once compromised, attackers could gain access to Wi-Fi network keys and, in turn, everything on the network. Worst case? They could reroute network traffic and lock out all users. As noted by Dark Reading, more tech-focused devices, such as a common Belkin wireless repeater, are also hampered by multiple vulnerabilities.

What’s more, the lag time between diagnosis and remediation is often substantial: For Belkin it took eight months, while Janitza took seven to address its power analyzer problems. Bottom line? There’s an underlying issue with the IoT. While companies are eager to be first in their market niche to deliver always-connected devices, most build out security for these devices as if no such connection exists. They’re operating from a familiar, albeit outdated, model that requires physical links to enable Internet connection. The always-on nature of IoT devices, however, means they represent a persistent attack surface and must therefore be secured in the same way as critical network infrastructure.

Right now, companies are taking a page from “Fight Club: Rule No. 1 is to never talk about any IoT issues. A better idea is to blow the doors off old practices. Companies are dealing with common pain points, and in this case, sharing is the fastest, easiest way to improve IoT security.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today