The Internet of Things (IoT) comes with inherent risk. Potential abounds — after all, always-connected devices offer big benefits for companies. But with each new device comes another endpoint and another inroad for determined attackers. According to SecurityWeek, the latest set of vulnerabilities stem from power quality measurement tools.

ICS-CERT noted that the products are used across multiple continents, and while some of the flaws have been remedied with a firmware update, others aren’t effectively fixed. Can companies power through these IoT problems, or is it time to flip the switch?

Hot and Cold Vulnerabilities

In March 2015, security firm Applied Risk discovered flaws in six power analyzers produced by Janitza Electronics: the UMG 508, 509, 511, 512, 604 and 605. When contacted, the firm was initially “hostile” and unwilling to discuss the results of any security testing but eventually changed its tune. As work progressed, however, Janitza stopped returning emails but eventually released a firmware update. The hot-and-cold attitude isn’t uncommon; vendors don’t like security problems stripped bare, even if they’re just one of many to experience similar issues. Many come on board to help mitigate IoT concerns but may back off once they feel problems are effectively contained.

When it comes to Janitza products specifically, three key flaws were identified: CVE-2015-3968, CVE-2015-3971 and CVE-2015-3972. The first deals with an undocumented default password used to access both an FTP service and Web interface. If attackers discovered the password, they could log in and then upload or download arbitrary files. CVE-2015-3971, meanwhile, allowed cybercriminals to exploit a remote debug interface on TCP Port 1239 to read and write files in addition to executing JASIC code, which, according to Applied Risk, let attackers “adjust system parameters, manipulate measurement values and change the function of the device.”

The final vulnerability demonstrates a problem with the power analyzers’ UMG Web interface: It has no default password. And while users can manually set a short PIN, there are no lockout mechanisms that prevent attackers from trying multiple character combinations until they crack it through brute force.

Tests were conducted using firmware version r4051, build 244. Janitza has now released r4061, build 269, but Applied Risk still recommended these devices be used only from behind a firewall using proper network segregation.

Watch the on-demand webinar to learn more about securing the internet of things

Welcome to the Party

Janitza’s devices have plenty of company in the arena of security risk. High-profile hacks on cars and medical devices have been conducted multiple times. Recently, Pen Test Partners found that it was possible to hack a new smart kettle on the market. Once compromised, attackers could gain access to Wi-Fi network keys and, in turn, everything on the network. Worst case? They could reroute network traffic and lock out all users. As noted by Dark Reading, more tech-focused devices, such as a common Belkin wireless repeater, are also hampered by multiple vulnerabilities.

What’s more, the lag time between diagnosis and remediation is often substantial: For Belkin it took eight months, while Janitza took seven to address its power analyzer problems. Bottom line? There’s an underlying issue with the IoT. While companies are eager to be first in their market niche to deliver always-connected devices, most build out security for these devices as if no such connection exists. They’re operating from a familiar, albeit outdated, model that requires physical links to enable Internet connection. The always-on nature of IoT devices, however, means they represent a persistent attack surface and must therefore be secured in the same way as critical network infrastructure.

Right now, companies are taking a page from “Fight Club: Rule No. 1 is to never talk about any IoT issues. A better idea is to blow the doors off old practices. Companies are dealing with common pain points, and in this case, sharing is the fastest, easiest way to improve IoT security.

More from

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America.IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that X-Force…

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…