As Internet-connected devices become smarter and more efficient, the potential attack surface available to cyberattackers increases. A group of researchers has found that the number of vulnerabilities has increased twofold compared to five years earlier.
What does the finding say?
In 2013, research firm Independent Security Evaluators (ISE) published a study about the vulnerabilities across 13 SOHO wireless routers and NAS devices. The study, ‘SOHOpelessly Broken 1.0’, revealed that these devices, offered by vendors like Belkin, TP-Link, Asus, and Linksys, were affected by a total of 52 vulnerabilities.
However, in a follow-up study, ISE found that the same number of devices are now affected by a total of 125 vulnerabilities.
“We focused on these types of devices because of their security implications to networks and because we wanted to see what improvements, if any, had been made to the security performance of these devices since our prior research efforts,” highlighted the researchers in a blog post.
“Despite the increased attention to security claimed by device manufacturers, these IoT devices do not have sufficient security controls to prevent remote exploitation,” researchers added.
What are the vulnerabilities?
All 13 of the devices were found to have at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi). These vulnerabilities could be leveraged by an attacker to get remote access to the device’s shell or gain access to the device’s administrative panel.
“Our results show that businesses and homes are still vulnerable to exploits that can result in significant damage. These issues are completely unacceptable in any current web application. Today, security professionals and developers have the tools to detect and fix most of these types of issues that we found, exploited, and disclosed six years ago. Our research shows that they are still regularly found in IoT devices,” said ISE researcher Rick Ramgattie, ZDNet reported.
What are the affected devices?
The devices included in the ‘SOHOpelessly Broken 2.0’ study were:
The research team has responsibly disclosed all of the vulnerabilities to the device manufacturers. Most vendors have acknowledged the issues and are working on addressing the vulnerabilities.