Summary of IoT Vulnerability Classification

1. Classification of IoT vulnerabilities

[Figure: classification of IoT vulnerabilities; the image is not included. The ten classes used in section 2 are: 1 insecure web interface, 2 authentication/authorization vulnerabilities, 3 insecure network services, 4 lack of transport encryption/integrity verification, 5 privacy concerns, 6 insecure cloud interface, 7 insecure mobile interface, 8 insufficient security configurability, 9 insecure firmware, 10 vulnerable to physical attacks.]

2. Causes of the vulnerabilities

1 Insecure web interface
Attackers typically start by looking for XSS, CSRF and SQL injection vulnerabilities in the web interface of a smart device. Default usernames and passwords and the absence of an account lockout mechanism are also common in these interfaces.

Device | CWE | Security impact
Heatmiser thermostat | CWE-598: Information exposure through query strings in GET requests | The attacker can read all device settings and then change them at will, e.g. the time or the temperature.
Moxa AP industrial wireless access point | CWE-79: Improper neutralization of input during web page generation (cross-site scripting) | The attacker obtains an authenticated session, and the session never expires.
AXIS camera | CWE-20: Improper input validation | The attacker can edit any file on the operating system with root privileges.
Belkin smart home products | CWE-79: Cross-site scripting & CWE-89: Improper neutralization of special elements in SQL commands (SQL injection) | The attacker can hijack the user's phone and steal sensitive personal data.
D-Link DIR-300 router | CWE-352: Cross-site request forgery (CSRF) | The attacker can change the administrator password and gain root privileges.
AVTECH IP cameras, NVRs and DVRs | CWE-352: Cross-site request forgery (CSRF) | The attacker can change any device setting, including user passwords.
AGFEO Smart Home ES 5xx/6xx | CWE-79: Cross-site scripting | The attacker can read every file stored on the operating system, modify the device configuration and upload arbitrary updates.
Loxone Smart Home | CWE-79: Cross-site scripting | The attacker can control every function of the device through web-based commands.
TP-Link TL-SG108E switch | CWE-79: Cross-site scripting | The attacker can plant stored XSS on the device so that the administrator's browser executes attacker-chosen JavaScript.
Hanbang Gaoke (HBGK) IP camera | CWE-650: Trusting HTTP permission methods on the server side | The attacker can change the administrator password and gain root privileges.
Netgear router | CWE-601: URL redirection to untrusted site (open redirect) | Anyone on the Internet can use the redirect to take control of the router, change its DNS settings and redirect the user's browser to malicious sites.
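The CSRF and GET-based state-change rows above (D-Link DIR-300, AVTECH, Heatmiser) share one root cause: the device accepts a configuration change from any request that carries the victim's session cookie. The following is an added example, not code from any of the listed devices or vendors, of the request validation an IoT admin endpoint needs before it changes a password: refuse GET for state changes, require a per-session token, and check the request origin. The hostnames, session ids and the three sample requests are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example, not code from any device listed above.
# A state-changing admin endpoint (e.g. POST /admin/change_password) must:
#  1. refuse GET for state changes (CWE-598: settings/credentials in the query string),
#  2. bind each form to the session with an unguessable token (CWE-352),
#  3. reject requests whose Origin/Referer is not the device itself.

DEVICE_HOSTS = {"192.168.0.1", "router.local"}   # assumed management hostnames
_SESSION_SECRET = secrets.token_bytes(32)        # per-boot secret, never baked into firmware


def csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token; no server-side token table is needed."""
    return hmac.new(_SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(headers: dict) -> bool:
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False                 # strict mode: a missing Origin is rejected
    return urlsplit(origin).hostname in DEVICE_HOSTS


def validate_state_change(req: dict) -> tuple:
    """Return (allowed, reason) for a request dict with method/headers/form/query/session."""
    if req["method"] != "POST":
        return False, "state change via GET refused (CWE-598)"
    if not _same_origin(req.get("headers", {})):
        return False, "cross-origin request refused (CWE-352)"
    expected = csrf_token(req["session"])
    supplied = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token (CWE-352)"
    return True, "ok"


# Three constructed requests against the same endpoint, all carrying the victim's session.
FORGED_GET = {                       # <img src="http://192.168.0.1/admin/change_password?new=pwned">
    "method": "GET", "session": "sid-1",
    "headers": {"Referer": "http://evil.example/"},
    "query": {"new": "pwned"},
}
FORGED_POST = {                      # auto-submitted form on an attacker page
    "method": "POST", "session": "sid-1",
    "headers": {"Origin": "http://evil.example"},
    "form": {"new": "pwned"},
}
LEGIT_POST = {                       # the device's own form, token included
    "method": "POST", "session": "sid-1",
    "headers": {"Origin": "http://192.168.0.1"},
    "form": {"new": "correct horse", "csrf_token": csrf_token("sid-1")},
}

if __name__ == "__main__":
    for name, r in [("forged GET", FORGED_GET), ("forged POST", FORGED_POST), ("legit POST", LEGIT_POST)]:
        print(f"{name:12s} -> {validate_state_change(r)}")
```

Rejecting requests with no Origin or Referer at all is a deliberate choice here: some privacy settings strip both headers, so a real device should fall back to the token check alone rather than silently allowing the request.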
2 Authentication/authorization vulnerabilities
When this class of vulnerability is present, an attacker can take control of the smart device through weak user passwords, flawed password-recovery mechanisms, or the absence of two-factor authentication.

Device | CWE | Security impact
MVPower DVR | CWE-521: Weak password requirements & CWE-284: Improper access control | Almost anyone can reach the DVR settings because the login name and password are empty.
DBPOWER U818A Wi-Fi quadcopter drone | CWE-276: Incorrect default permissions | The attacker can read files from the device, such as photos and videos.
iSmartAlarm | CWE-287: Improper authentication | The attacker can send commands to the alarm to arm or disarm it and to trigger the siren.
DblTek GoIP | CWE-598: Information exposure through query strings in GET requests | The attacker can change the configuration by sending commands to the GoIP, e.g. to shut it down.
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of hard-coded password | The attacker gains root privileges and can use the device to reconfigure the attached cameras and spy on users.
Sony IPELA Engine IP camera | CWE-287: Improper authentication | The attacker can push manipulated images or video through the camera, enlist it in a botnet such as Mirai, or simply spy on users.
Western Digital My Cloud | CWE-287: Improper authentication | The attacker can take complete control of the device.
LG vacuum cleaner | CWE-287: Improper authentication | The attacker can remotely activate the robot vacuum and watch its live video feed.
Eminent EM6220 camera | CWE-312: Cleartext storage of sensitive information | The attacker can gain root privileges on the camera and spy on its user.
LIXIL Satis toilet | CWE-259: Use of hard-coded password | The attacker can make the lid open or close unexpectedly and activate the bidet or air-dry functions, causing discomfort or endangering the user.
In-flight entertainment system | CWE-287: Improper authentication | The attacker can control what is displayed to passengers, e.g. show false flight data such as altitude or speed.
Fuel drilling machine | CWE-259: Use of hard-coded password | The attacker can gain root access and alter the machine's settings.
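Three of the rows above come down to how the device stores and checks its own credentials: a hard-coded password (CWE-259), cleartext storage (CWE-312) and an empty or factory-default login (CWE-521/CWE-284). The following is an added example, not code from any listed device or vendor, of the replacement: a password forced on first boot, a policy check against a blocklist of defaults, and salted PBKDF2 verification in constant time. The iteration count, the blocklist and the record format are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example, not code from any device listed above.
# Replaces the patterns the table maps to CWE-259 (hard-coded password), CWE-312
# (cleartext credential storage) and CWE-521/CWE-284 (empty or default credentials)
# with a forced first-boot password, a policy check and salted PBKDF2 verification.

PBKDF2_ITERATIONS = 210_000   # assumed cost; size it to the device CPU, never trivially low
# Assumed blocklist of factory defaults and trivial values; extend with a real wordlist.
REJECTED_PASSWORDS = {"", "admin", "password", "12345", "123456", "0000", "1234", "root"}


def password_policy_ok(password: str) -> bool:
    """Reject empty, default and trivially short passwords (CWE-521)."""
    return password not in REJECTED_PASSWORDS and len(password) >= 10


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<dk hex>."""
    salt = salt or os.urandom(16)               # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def first_boot_setup(chosen_password: str) -> Optional[str]:
    """Force a user-chosen password on first boot instead of shipping a fixed one.

    Returns the record to persist, or None if the policy rejects the choice."""
    if not password_policy_ok(chosen_password):
        return None
    return hash_password(chosen_password)


if __name__ == "__main__":
    record = first_boot_setup("correct-horse-battery")
    print(record)
    print(verify_password("correct-horse-battery", record), verify_password("admin", record))
    print(first_boot_setup("admin"))   # None: factory default refused
```

The record carries its own algorithm and iteration count, so a later firmware can raise the cost (or switch to Argon2) and re-hash on the next successful login without a flag day.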
3 Insecure network services
The main problems here are unnecessary open ports, ports exposed to the Internet through UPnP, and network services vulnerable to denial of service. A telnet service that has not been disabled is also a common attack vector.

Device | CWE | Security impact
Smart massager | CWE-284: Improper access control | The attacker can change the massager's parameters, causing a very painful experience or even physical injury: sudden muscle contractions, skin burns, and possibly nerve damage or death.
Implantable cardiac device | CWE-284: Improper access control | The attacker can alter the implant's programming commands, causing battery depletion and/or inappropriate pacing or shocks.
Hikvision Wi-Fi IP camera | CWE-284: Improper access control | The attacker can remotely use or disable the camera.
Foscam C1 indoor HD camera | CWE-120: Buffer copy without checking size of input (classic buffer overflow) | Remote code execution on the camera, which may expose the user's personal data.
Furby toy | CWE-284: Improper access control | The attacker can modify the firmware and use the Furby to spy on children.
My Friend Cayla toy | CWE-284: Improper access control | The attacker can collect user information and carry out surveillance.
iSmartAlarm | CWE-20: Improper input validation | The attacker can freeze the iSmartAlarm so that it stops responding.
iSPY Camera Tank | CWE-284: Improper access control | The attacker can log in as an anonymous user and access the entire file system.
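The first check a firmware reviewer runs for this class is simply what the device listens on. The following is an added example, not code from any listed device, that audits `netstat -lntu` style output for the patterns named above: telnet left enabled, SSDP/UPnP reachable, debug services, and anything bound to every interface that is not the intended management port. The sample output, the port policy and the list of expected ports are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed example, not code from any device listed above.
# A listening-socket audit of the kind a firmware reviewer runs from `netstat -lntu`
# or `ss -lntu` output, flagging the patterns section 3 describes.

# Sample output, constructed for this example, in `netstat -lntu` layout.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:1900            0.0.0.0:*
udp        0      0 192.168.1.1:53          0.0.0.0:*
"""

# Assumed review policy; adjust to the product. Keys are (proto, port).
RISKY_PORTS = {
    ("tcp", 23): "telnet: cleartext remote shell, disable in production firmware",
    ("tcp", 21): "ftp: cleartext credentials",
    ("udp", 69): "tftp: unauthenticated file transfer",
    ("udp", 1900): "SSDP/UPnP: can open WAN ports via IGD port mapping",
    ("tcp", 5555): "adb/debug service left enabled",
}
EXPECTED_PORTS = {80, 443}          # the device's intended management interface
WILDCARD = {"0.0.0.0", "::", "*"}   # bound on every interface, including WAN

LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+LISTEN)?\s*$")


@dataclass
class Finding:
    proto: str
    addr: str
    port: int
    reason: str


def parse_listeners(text: str):
    """Yield (proto, local_addr, port) for each listening socket line; header lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).rstrip("6"), m.group(2), int(m.group(3))


def audit_listeners(text: str, wan_addrs=frozenset()) -> list:
    """Flag risky services and unexpected services reachable beyond loopback.

    wan_addrs: addresses of Internet-facing interfaces, so a service bound to a
    specific WAN address is treated like a wildcard bind."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        reason = RISKY_PORTS.get((proto, port))
        exposed = addr in WILDCARD or addr in wan_addrs
        if reason and exposed:
            findings.append(Finding(proto, addr, port, reason))
        elif reason:
            findings.append(Finding(proto, addr, port, reason + " (loopback only, lower risk)"))
        elif exposed and port not in EXPECTED_PORTS:
            findings.append(Finding(proto, addr, port, "unexpected service reachable from the network"))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(NETSTAT_SAMPLE, wan_addrs={"192.168.1.1"}):
        print(f"{f.proto}/{f.port} on {f.addr}: {f.reason}")
```

On a real device the same output is obtained over the serial console or from a rooted shell, and the finding for UDP 1900 should be followed by a check of whether the UPnP IGD implementation accepts AddPortMapping requests from the WAN side.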
4 Lack of transport encryption/integrity verification
The problems here centre on sensitive information transmitted in cleartext, SSL/TLS that is unavailable or misconfigured, and the use of proprietary encryption protocols. Devices with these weaknesses are open to man-in-the-middle attacks.

Device | CWE | Security impact
Owlet Wi-Fi baby heart monitor | CWE-201: Information exposure through sent data | The attacker can spy on the baby and its parents.
Samsung refrigerator | CWE-300: Channel accessible by non-endpoint (man-in-the-middle) | The attacker can steal the user's Google credentials.
Volkswagen | CWE category: Cryptographic issues | The attacker can clone the remote key fob and gain unauthorized access to the car.
HS-110 smart plug | CWE-201: Information exposure through sent data | The attacker can control the state of the plug, e.g. turn off its LED.
Loxone Smart Home | CWE-201: Information exposure through sent data | The attacker can control every device in the smart home system and steal the user's credentials.
Samsung Smart TV | CWE-200: Information exposure | The attacker can sniff the wireless network, brute-force the key and decrypt the traffic.
D-Link DIR-850L router | CWE-319: Cleartext transmission of sensitive information | The attacker can take remote control of the device.
Boosted, Revo and E-Go electric skateboards | CWE-300: Channel accessible by non-endpoint (man-in-the-middle) | The attacker can send arbitrary commands to the board to steer it.
LIFX smart LED bulb | CWE-327: Use of a broken or risky cryptographic algorithm | The attacker can capture and decrypt traffic, including the network configuration.
DJI Spark drone | CWE-327: Use of a broken or risky cryptographic algorithm | The attacker can access the drone's settings.
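The man-in-the-middle rows above (Samsung refrigerator, skateboards) are usually a client that either speaks cleartext or speaks TLS with verification switched off. The following is an added example, not code from any listed device or vendor, that puts the insecure client configuration next to a hardened one and adds certificate pinning, which is appropriate for a device that only ever talks to one vendor endpoint. The `context_summary` audit helper, the cipher string and the constructed `SAMPLE_DER` bytes are assumptions for the example; `connect_pinned` needs a network and is not exercised offline.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed example, not code from any device listed above.
# The client-side mistakes behind CWE-319/CWE-300/CWE-295/CWE-327 next to a hardened
# TLS client that also pins the vendor's certificate.


def insecure_context() -> ssl.SSLContext:
    """The pattern found in much IoT firmware: certificate verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, including a MITM's, is accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify chain and hostname, refuse legacy protocol versions and non-AEAD ciphers."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED, check_hostname, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSLv3/TLS 1.0/1.1 are CWE-327 territory
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")  # forward-secret AEAD only (TLS 1.2)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Audit helper: the three properties a reviewer checks first on a TLS client."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate: the value to provision into the firmware at build time."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_sha256: str) -> bool:
    """Reject even a CA-valid certificate if it is not the provisioned one."""
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_sha256.lower())


def connect_pinned(host: str, port: int, expected_sha256: str) -> str:
    """Open a verified TLS connection and enforce the pin before any application data is sent."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, expected_sha256):
                raise ssl.SSLError("certificate pin mismatch: possible MITM")
            return tls.version()


# Constructed stand-in for a DER certificate, used only to exercise the pin check offline.
SAMPLE_DER = bytes.fromhex("308201a2")   # not a real certificate

if __name__ == "__main__":
    print("insecure:", context_summary(insecure_context()))
    print("hardened:", context_summary(hardened_context()))
    print("pin ok:", pin_matches(SAMPLE_DER, cert_fingerprint(SAMPLE_DER)))
```

Pinning the whole certificate means the firmware must be able to receive a new pin before the vendor rotates its certificate; pinning the SPKI of an intermediate or a vendor-run CA is the usual compromise, and `set_ciphers` does not affect TLS 1.3 suites, which are all AEAD anyway.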
5 Privacy concerns
OWASP defines this category as collecting too much personal information, failing to protect the collected information properly, and giving the end user no choice over which data may be collected.

Device | CWE | Security impact
Gator 2 smartwatch | CWE-359: Exposure of private information (privacy violation) | The attacker can obtain the software version, IMEI, time, positioning method (GPS or Wi-Fi), location coordinates, battery level, and more.
D-Link DIR-600 and DIR-300 routers | CWE-200: Information exposure | The attacker can read sensitive device information or make the router part of a botnet.
Samsung Smart TV | CWE-200: Information exposure | The attacker can find the binaries used for recording.
Home security camera | CWE-359: Exposure of private information (privacy violation) | Users' private photos can be stolen by attackers and published on the Internet.
We-Vibe smart adult toy | CWE-359: Exposure of private information (privacy violation) | The attacker can obtain data such as device temperature and vibration intensity.
iBaby M6 baby monitor | CWE-359: Exposure of private information (privacy violation) | The attacker can view user information, including video recordings.
6 Insecure cloud interface
Generally this class of vulnerability means that anyone with Internet access can obtain private data. Either the encryption used to protect private data stored in the cloud is weak, or, even when the algorithm is strong enough, the interface lacks two-factor authentication or lets users choose weak passwords.

Device | CWE | Security impact
Seagate Personal Cloud home media storage | CWE-598: Information exposure through query strings in GET requests | The attacker can inject arbitrary system commands and steal users' private data.
iCloud | CWE-307: Improper restriction of excessive authentication attempts | The attacker can access users' private photos stored in the cloud.
VTech gadgets | CWE-359: Exposure of private information (privacy violation) | The attacker can access user information and use it for extortion.
Western Digital My Cloud | CWE-287: Improper authentication | The attacker can take complete control of the device.
D-Link DIR-850L router | CWE-319: Cleartext transmission of sensitive information | The attacker can take complete control of the device.
7 Insecure mobile interface
The main problems here are weak passwords, lack of two-factor authentication and no account lockout mechanism. This class is common in IoT devices managed from a smartphone app.

Device | CWE | Security impact
Amazon smart lock | CWE-284: Improper access control | The attacker can open the lock.
Vibratissimo smart adult toy | CWE-359: Exposure of private information (privacy violation) & CWE-287: Improper authentication | The attacker can access users' personal data, including explicit images, chat history, sexual orientation, email addresses and cleartext passwords.
Smart IP camera | CWE-312: Cleartext storage of sensitive information | The attacker can use the app exactly as the owner does, e.g. turn on audio, microphone and speaker to talk to children, or watch the live feed from a child's bedroom at will.
Smart plug | CWE-319: Cleartext transmission of sensitive information | The attacker can uninstall the installed software and install malware in its place.
Fitness trackers (Fitbit, Apple, Xiaomi, Garmin, Samsung, etc.) | CWE-319: Cleartext transmission of sensitive information | The attacker can track the wearer.
Wink and Insteon smart home systems | CWE-613: Insufficient session expiration | The attacker can steal the user's credentials and operate the connected devices.
Segway Ninebot | CWE-359: Exposure of private information (privacy violation) | The attacker can obtain the user's geographic location.
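Sections 2, 6 and 7 all name the same missing controls: no limit on failed logins (CWE-307, the iCloud row) and sessions that never expire (CWE-613, the Wink/Insteon row and the Moxa AP row in section 1). The following is an added example, not code from any listed device, app or cloud service, of a login service that locks the account after repeated failures and expires sessions on both an idle and an absolute timeout. The policy values, the injectable clock and the `demo_record`/`demo_verify` stand-ins (an unsalted hash, used only to keep the example self-contained; a real device stores a salted PBKDF2 or Argon2 record) are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed example, not code from any device or app listed above.
# Per-account lockout after repeated failures (CWE-307) and sessions that expire
# on idle time and on an absolute lifetime (CWE-613).

MAX_FAILURES = 5                # assumed policy values
LOCKOUT_SECONDS = 15 * 60       # lock the account, not only the source IP
SESSION_IDLE_SECONDS = 15 * 60
SESSION_ABSOLUTE_SECONDS = 12 * 3600


@dataclass
class Account:
    username: str
    password_record: str
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


def demo_record(password: str) -> str:
    # Stand-in for the salted PBKDF2/Argon2 record a real device stores;
    # an unsalted SHA-256 is used only to keep this example self-contained.
    return hashlib.sha256(password.encode()).hexdigest()


def demo_verify(password: str, record: str) -> bool:
    return hmac.compare_digest(demo_record(password), record)


class AuthService:
    def __init__(self, verify_fn=demo_verify, clock=time.time):
        self.verify_fn = verify_fn      # (password, record) -> bool
        self.clock = clock              # injectable so expiry can be tested without sleeping
        self.accounts = {}
        self.sessions = {}

    def login(self, username: str, password: str) -> Optional[str]:
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None or acct.locked_until > now:
            return None                         # unknown and locked look identical to the caller
        if not self.verify_fn(password, acct.password_record):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
            return None
        acct.failures = 0
        token = secrets.token_urlsafe(32)       # 256-bit random session identifier
        self.sessions[token] = Session(username, now, now)
        return token

    def authorize(self, token: str) -> Optional[str]:
        """Return the username for a live session; drop idle or over-age sessions (CWE-613)."""
        now = self.clock()
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > SESSION_IDLE_SECONDS or now - s.created > SESSION_ABSOLUTE_SECONDS:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


if __name__ == "__main__":
    svc = AuthService()
    svc.accounts["admin"] = Account("admin", demo_record("correct-horse-battery"))
    for _ in range(MAX_FAILURES):
        svc.login("admin", "wrong")
    print("locked:", svc.login("admin", "correct-horse-battery") is None)
```

The lockout is keyed on the account rather than the client address because cloud-side brute force of the kind the iCloud row describes comes from many addresses; the counterpart risk, an attacker locking a victim out on purpose, is why the lockout is time-limited rather than permanent.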
8 Insufficient security configurability
The essence of this class is that the user cannot manage or apply the device's security mechanisms, so those mechanisms never take full effect. Often users do not even know the mechanisms exist, so configuring the device's security settings is out of the question.

Device | CWE | Security impact
ZTE ZXDSL ADSL device | CWE-15: External control of system or configuration setting | The attacker can reset the device configuration.
Cloud-connected plush toy | CWE-521: Weak password requirements | Recordings of children and their parents are stored insecurely and can easily be found on the Internet.
Canon printer | CWE-269: Improper privilege management & CWE-295: Improper certificate validation | The attacker can access the poorly protected device and update its firmware.
Parrot AR.Drone 2.0 | CWE-285: Improper authorization | The attacker can take control of the drone wirelessly through the mobile app.
Nest smart thermostat | CWE-269: Improper privilege management | The attacker can access the Nest account without authorization.
9 Insecure firmware
Because the device does not verify the integrity or authenticity of updates, an attacker can install arbitrary firmware, official or custom. The attacker can then take over the device completely, including over the wireless interface.

Device | CWE | Security impact
D-Link DIR-8xx routers | CWE-295: Improper certificate validation | The attacker can update the router firmware and make it part of a botnet.
GeoVision devices | CWE-295: Improper certificate validation | The attacker can update the firmware and take over the device completely.
iKettle smart kettle | CWE-15: External control of system or configuration setting | The attacker can fully control the device, e.g. switch it on and keep it running for a long time, which may cause a fire.
Billion 7700NR4 router | CWE-798: Use of hard-coded credentials | The attacker can take complete control of the device.
iSmartAlarm | CWE-295: Improper certificate validation | The attacker can obtain the user's password or personal data.
D-Link DIR-850L router | CWE-798: Use of hard-coded credentials | The attacker can take complete control of the device.
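The D-Link DIR-8xx and GeoVision rows above describe updaters that check nothing before flashing. The following is an added example, not any vendor's update format or code, of the checks an updater should run in order: authenticity of the whole image, integrity of the payload, and an anti-rollback version comparison. The header layout, the magic value and the device key are assumptions for the example; HMAC-SHA256 with a device-provisioned secret is used only to stay within the standard library, and a production design should use an asymmetric signature so the device holds nothing but a public key.

```python
import hashlib
import hmac
import struct

# Constructed example, not any vendor's update format or code.
# Update verification that section 9's devices lack: the image is accepted only if it
# is authentic (MAC over header and payload), intact (payload digest) and not a rollback.
#
# Assumed image layout (big-endian):  magic(4) | version(u32) | payload_len(u32)
#                                     | sha256(payload)(32) | tag(32) | payload
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII32s32s")
TAG_LEN = 32

# Assumed: a device-unique key provisioned at manufacture and never shipped in the image.
# Production designs should use an asymmetric signature (Ed25519/ECDSA) so the device
# holds only a public key; HMAC-SHA256 is used here to stay within the standard library.
DEVICE_KEY = b"mock-device-key-for-example-only"   # 32 bytes, constructed for the example


class FirmwareRejected(Exception):
    pass


def build_image(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Vendor side: wrap a payload in an authenticated header."""
    digest = hashlib.sha256(payload).digest()
    authed = HEADER.pack(MAGIC, version, len(payload), digest, b"\0" * TAG_LEN)[:-TAG_LEN]
    tag = hmac.new(key, authed + payload, hashlib.sha256).digest()
    return authed + tag + payload


def verify_image(image: bytes, installed_version: int, key: bytes = DEVICE_KEY) -> int:
    """Device side: return the new version, or raise FirmwareRejected."""
    if len(image) < HEADER.size:
        raise FirmwareRejected("truncated header")
    magic, version, length, digest, tag = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise FirmwareRejected("bad magic")
    payload = image[HEADER.size:]
    if len(payload) != length:
        raise FirmwareRejected("length mismatch")
    # Authenticity first: until the tag checks out, every other field is attacker-controlled.
    expected = hmac.new(key, image[:HEADER.size - TAG_LEN] + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise FirmwareRejected("bad signature")
    if hashlib.sha256(payload).digest() != digest:
        raise FirmwareRejected("corrupt payload")
    if version <= installed_version:
        raise FirmwareRejected("rollback")      # no downgrade to a build with known holes
    return version


def check(image: bytes, installed_version: int, key: bytes = DEVICE_KEY) -> str:
    """Human-readable verdict, convenient for logging the update decision."""
    try:
        return f"ok: v{verify_image(image, installed_version, key)}"
    except FirmwareRejected as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    good = build_image(2, b"\x7fELF constructed payload")
    tampered = bytearray(good)
    tampered[-1] ^= 0x01
    unsigned = HEADER.pack(MAGIC, 9, 4, hashlib.sha256(b"evil").digest(), b"\0" * TAG_LEN) + b"evil"
    for name, img in [("good", good), ("tampered", bytes(tampered)), ("unsigned", unsigned)]:
        print(f"{name:9s} -> {check(img, installed_version=1)}")
```

Note that the version check comes after the tag check on purpose: a version number read from an unauthenticated header could otherwise be used to make the device refuse genuine updates.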
10 Vulnerable to physical attacks
Once a smart device is disassembled, the attacker can locate its MCU, external memory and so on. Through JTAG or other debug connectors (UART, I2C, SPI), the attacker can then read and write the firmware or external memory directly.

Device | CWE | Security impact
D-Link devices | CWE-284: Improper access control | The attacker can access the user's private information, such as photos.
Mi-Cam baby monitor | CWE-284: Improper access control | The attacker can spy on users.
TOTOLINK router | CWE-20: Improper input validation | The attacker can plant a backdoor in the device.
TP-Link router | CWE-284: Improper access control | The attacker can gain root privileges and turn the device into part of a botnet.
Nest smart thermostat | CWE-284: Improper access control | The attacker can boot the processor from a peripheral such as USB or UART.

Reference

1. CWE (Common Weakness Enumeration) is a software-security project funded by the National Cyber Security Division of the US Department of Homeland Security and established in 2006. At its inception it drew on CVE (Common Vulnerabilities and Exposures), CLASP (Comprehensive Lightweight Application Security Process) and similar efforts for its weakness concepts and taxonomy. As CWE has grown, more research institutions, companies and individuals have contributed their findings on source-code weaknesses to it. Because of the accuracy and authority of its weakness descriptions, more and more source-code analysis vendors cite CWE in their products and services. The CWE Compatibility Program measures a product's or service's support for CWE in terms of its output, its ability to detect known weaknesses, the format of its results and the CWE information it makes available.

2. OWASP Internet of Things (IoT) Project. The OWASP IoT project aims to help manufacturers, developers and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying or assessing IoT technology.


Source: blog.csdn.net/qq_32505207/article/details/107305709