Popular consumer and enterprise routers, IoT devices contain remote access vulnerabilities | ZDNet
A new study reveals vulnerability rates are not decreasing in our connected devices — far from it.
Despite the increased attention to security claimed by device manufacturers, these #IoT devices do not have sufficient security controls to prevent remote exploitation.
In the current iteration of our research, SOHOpelessly Broken 2.0, we assessed the security of 13 SOHO router and NAS devices and found vulnerabilities resulting in 125 CVEs. We focused on these types of devices because of their security implications to networks and because we wanted to see what improvements, if any, had been made to the security performance of these devices since our prior research efforts.
In 2013, we evaluated the security of IoT devices focusing on routers and NAS devices in the small office/home office market. This research was titled SOHOpelessly Broken and demonstrated how extraneous functionality could be leveraged to compromise IoT devices remotely. SOHOpelessly Broken resulted in 52 CVEs issued for newly discovered vulnerabilities.
Embedded devices are special-purpose computing systems. These types of systems include industrial controllers, small office/home office (SOHO) routers, network-attached storage devices (NAS), and IP cameras. Internet-connected embedded devices are often placed into a broader category referred to as IoT devices.
Internet of Things (IoT) devices have always been vulnerable to a variety of security issues. In 2013, Independent Security Evaluators (ISE) performed research on IoT devices that showed how rich feature sets could be leveraged to compromise devices. Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries. This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices.