October 27, 2015 By Douglas Bonderud

The Internet of Things (IoT) comes with inherent risk. Potential abounds — after all, always-connected devices offer big benefits for companies. But with each new device comes another endpoint and another inroad for determined attackers. According to SecurityWeek, the latest set of vulnerabilities stems from power quality measurement tools.

ICS-CERT noted that the products are used across multiple continents, and while some of the flaws have been remedied with a firmware update, others aren’t effectively fixed. Can companies power through these IoT problems, or is it time to flip the switch?

Hot and Cold Vulnerabilities

In March 2015, security firm Applied Risk discovered flaws in six power analyzers produced by Janitza Electronics: the UMG 508, 509, 511, 512, 604 and 605. When contacted, the firm was initially “hostile” and unwilling to discuss the results of any security testing but eventually changed its tune. As work progressed, however, Janitza stopped returning emails, though it eventually released a firmware update. The hot-and-cold attitude isn’t uncommon; vendors don’t like security problems stripped bare, even if they’re just one of many to experience similar issues. Many come on board to help mitigate IoT concerns but may back off once they feel problems are effectively contained.

When it comes to Janitza products specifically, three key flaws were identified: CVE-2015-3968, CVE-2015-3971 and CVE-2015-3972. The first deals with an undocumented default password used to access both an FTP service and Web interface. If attackers discovered the password, they could log in and then upload or download arbitrary files. CVE-2015-3971, meanwhile, allowed cybercriminals to exploit a remote debug interface on TCP Port 1239 to read and write files in addition to executing JASIC code, which, according to Applied Risk, let attackers “adjust system parameters, manipulate measurement values and change the function of the device.”

The final vulnerability demonstrates a problem with the power analyzers’ UMG Web interface: It has no default password. And while users can manually set a short PIN, there are no lockout mechanisms that prevent attackers from trying multiple character combinations until they crack it through brute force.
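Because the interface itself enforces no lockout, repeated failed logins have to be caught somewhere else. The following is an added example, not code from Applied Risk or Janitza: a sliding-window detector run over constructed log lines, where the log format, the `/login` path and the 401/200 status codes are assumptions about a reverse proxy placed in front of the device.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real device output: "timestamp client path status"
# lines such as a reverse proxy in front of the web interface might record.
SAMPLE_LOG = "\n".join(
    [f"2015-10-27T09:00:{s:02d} 10.0.5.23 /login 401" for s in range(1, 9)]
    + ["2015-10-27T09:05:00 10.0.5.40 /login 401",
       "2015-10-27T09:05:20 10.0.5.40 /login 401",
       "2015-10-27T09:05:41 10.0.5.40 /login 200"]
)

def find_pin_guessing(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Map each client that exceeds max_failures failed logins inside the
    sliding window to the time the threshold was first crossed."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "/login":
            continue              # skip malformed lines and other paths
        stamp, client, _, status = fields
        if status == "200":
            recent[client].clear()   # a successful login ends the streak
            continue
        if status != "401":
            continue
        when = datetime.fromisoformat(stamp)
        failures = recent[client]
        failures.append(when)
        while when - failures[0] > window:
            failures.popleft()       # drop failures that aged out
        if len(failures) > max_failures and client not in alerts:
            alerts[client] = when
    return alerts

if __name__ == "__main__":
    for client, when in find_pin_guessing(SAMPLE_LOG).items():
        print(f"{when.isoformat()} repeated failed logins from {client}")
```

The client that mistypes twice and then logs in is not flagged; the one that fails eight times in eight seconds is flagged at its sixth failure.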

Tests were conducted using firmware version r4051, build 244. Janitza has now released r4061, build 269, but Applied Risk still recommended these devices be used only from behind a firewall using proper network segregation.
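The firmware and segregation advice above can be turned into an inventory check. This is an added example, not a tool from Applied Risk or Janitza; the model list, firmware versions and debug port come from the article, while the inventory records, host names, field names and finding codes are constructed for illustration.

```python
import re

# From the article: affected models, the updated firmware release, and the
# remote debug port named for CVE-2015-3971.
AFFECTED_MODELS = {"UMG 508", "UMG 509", "UMG 511", "UMG 512", "UMG 604", "UMG 605"}
UPDATED_FIRMWARE = (4061, 269)    # "r4061, build 269"
DEBUG_PORT = 1239

# Constructed inventory; host names and field names are hypothetical.
INVENTORY = [
    {"host": "meter-a", "model": "UMG 604", "firmware": "r4051, build 244",
     "ports_open_outside_segment": [21, 80, 1239]},
    {"host": "meter-b", "model": "UMG 511", "firmware": "r4061, build 269",
     "ports_open_outside_segment": [80]},
    {"host": "meter-c", "model": "UMG 508", "firmware": "r4061, build 269",
     "ports_open_outside_segment": []},
]

def parse_firmware(text):
    """Turn 'r4051, build 244' into (4051, 244) for ordered comparison."""
    match = re.fullmatch(r"r(\d+),\s*build\s+(\d+)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(match.group(1)), int(match.group(2))

def audit(device):
    """Return finding codes for one inventory record."""
    if device["model"] not in AFFECTED_MODELS:
        return []
    findings = []
    try:
        # Assumption: a higher revision/build number means a later release.
        if parse_firmware(device["firmware"]) < UPDATED_FIRMWARE:
            findings.append("FIRMWARE_BEFORE_r4061_269")
    except ValueError:
        findings.append("FIRMWARE_UNKNOWN")
    exposed = sorted(set(device["ports_open_outside_segment"]))
    if exposed:
        # The firmware update does not replace segregation, so any port
        # reachable from outside the device's segment is reported.
        findings.append("NOT_SEGREGATED:" + ",".join(map(str, exposed)))
    if DEBUG_PORT in exposed:
        findings.append("DEBUG_INTERFACE_REACHABLE")
    return findings

def audit_all(inventory):
    return {device["host"]: audit(device) for device in inventory}
```

An updated device that is still reachable from outside its segment is reported, in line with the recommendation to keep these analyzers behind a firewall even after the update.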


Welcome to the Party

Janitza’s devices have plenty of company in the arena of security risk. High-profile hacks on cars and medical devices have been conducted multiple times. Recently, Pen Test Partners found that it was possible to hack a new smart kettle on the market. Once compromised, attackers could gain access to Wi-Fi network keys and, in turn, everything on the network. Worst case? They could reroute network traffic and lock out all users. As noted by Dark Reading, more tech-focused devices, such as a common Belkin wireless repeater, are also hampered by multiple vulnerabilities.

What’s more, the lag time between diagnosis and remediation is often substantial: For Belkin it took eight months, while Janitza took seven to address its power analyzer problems. Bottom line? There’s an underlying issue with the IoT. While companies are eager to be first in their market niche to deliver always-connected devices, most build out security for these devices as if no such connection exists. They’re operating from a familiar, albeit outdated, model that requires physical links to enable Internet connection. The always-on nature of IoT devices, however, means they represent a persistent attack surface and must therefore be secured in the same way as critical network infrastructure.

Right now, companies are taking a page from “Fight Club”: Rule No. 1 is to never talk about any IoT issues. A better idea is to blow the doors off old practices. Companies are dealing with common pain points, and in this case, sharing is the fastest, easiest way to improve IoT security.
