The Internet of things (IoT) has revolutionized the business world. It has helped to streamline industrial processes, reduce costs, and has even created new business models. But, as is often the case, all of these advantages go hand in hand with a series of disadvantages. The most important of these disadvantages is the significant increase in the attack surface.
One of the first examples of the kind of cyberattack that can affect IoT devices was Mirai. In 2016, this botnet managed to bring down large swaths of the Internet in the USA by carrying out a DDoS attack using IoT devices, including security cameras and smart TVs. It is estimated that this attack involved up to 150,000 infected endpoints.
OpenDreamBox: a vulnerable plugin
In August, cybersecurity researchers announced that OpenDreamBox, which provides software for digital TVs and security cameras among other IoT devices, contains a serious vulnerability in its WebAdmin plugin. The vulnerability, categorized as CVE-2017-14135, has a severity rating of 10—the highest possible.
This is a remote code execution vulnerability, which means that it allows cyberattackers to remotely execute commands, take over devices, or install malicious software. This bug was the eighth most exploited vulnerability in June. What’s more, because of the popularity of IoT devices, this vulnerability affects 32% of companies worldwide.
The vulnerability is relatively easy to detect with Shodan, the search engine for Internet connected devices. As Alfie Njeru explains on his blog, a search on Shodan will reveal whether an application contains the vulnerable WebAdmin plugin.
The IoT’s cybersecurity problems
There are currently more than 23 billion IoT devices in the world, a figure that will rise to 60 billion by 2025—a significant attack surface. This is more worrying still if we consider that, a lot of the time, security isn’t a priority for the developers of these devices; in many cases, the priority is to get the product on the market as soon as possible instead of spending a long time developing security measures.
Another problem are updates. As we have seen here, a vulnerability that hasn’t been fixed can cause serious security problems. However, for many IoT devices, the process of installing updates is not automatic, and the manufacturer sometimes does not provide any updates at all. With the appearance or discovery of dangerous vulnerabilities, a lack of automatic updates imperils the security of the organization that uses the device.
Is it possible to protect against this vulnerability?
As is the case with all vulnerabilities, with OpenDreamBox, the most important thing is to keep all applications up-to-date, and to apply relevant patches. Organizations often have trouble prioritizing and applying relevant patches. This is why a patch management solution is so important. Panda Patch Management audits, monitors, and prioritizes updates for operating systems and applications, all from a single panel. What’s more, it is also able to contain and mitigate attacks that exploit vulnerabilities, applying a constant critical update policy to detect any possible threat, even before it becomes dangerous.
Another vital measure of any cybersecurity policy are robust, secure passwords. One of the most common dangers for IoT devices is the use of default passwords. These passwords facilitate cyberattacks, since they are often shared among many devices and are easy to obtain. All of this means that a password can give a cyberattacker access to your company’s IT systems and thus take over many devices.
This year, an average of almost 40 new vulnerabilities have been discovered every day. To get ahead of these flaws, which can seriously endanger your company, it is vital to take cybersecurity measures.