
Suvir Singh, [email protected]

Siddharth Walia, [email protected] UNIVERSITY AT BUFFALO | MS – MANAGEMENT INFORMATION SYSTEMS

INTERNET of THINGS RESEARCH STUDY SECURITY AND VULNERABILITY ASSESSMENT


Internet of Things – Research Study

©2016-2017 UNIVERSITY AT BUFFALO 1

CONTENTS

1. BACKGROUND
2. INTRODUCTION
3. DEFINITION
4. ENABLERS
5. VERTICALS
6. PROBLEM IN HAND
7. OWASP IOT TOP 10 VULNERABILITIES
8. BLUE PRINT OF RESEARCH
9. RESEARCH STRATEGY
10. ASSUMPTIONS AND LIMITATIONS
11. DATA COLLECTION AND ANALYSIS
12. RESULTS FROM THE RESEARCH
13. RECOMMENDED FUTURE WORK
14. REFERENCES
15. APPENDIX A
16. APPENDIX B


BACKGROUND

Year after year we see a new buzzword and the new promises it makes to businesses and the society around us. A few years back it was Cloud Computing, then we had Big Data, 3D Printing and Virtual Reality (VR), and now we are hearing a lot about the Internet of Things (IoT). One mistake that we cannot afford is to act dumb and play safe as the technology advances. These disruptions are making a lot of noise in the modern era. As shown in Figure 1, Gartner has placed the Internet of Things right at the top of the curve, at the Peak of Inflated Expectations.

With more than a billion connected devices and machines in use today, the opportunity for IoT-enabled transformation has been progressively increasing over the last couple of years. Not only existing organizations but also new startups have emerged that are seeing measurable benefits from the Internet of Things. Local governments are budgeting for LED smart street lighting that doesn't need regular maintenance but can automatically report when it needs to be repaired. Transportation companies are saving millions of dollars by reducing fuel consumption using data captured, transmitted, and analyzed in near real-time. These are just a few examples of the myriad ways in which IoT is penetrating businesses, and the effect can be realized directly by the consumer. [i]

Figure 1: Gartner hype cycle for emerging technologies [ii]


INTRODUCTION

According to Gartner, the IoT will grow to 26 billion units installed in 2020, representing an almost 30-fold increase from 0.9 billion in 2009.12. As shown in Figure 2, Cisco believes the number of connected devices will reach the 50 billion mark by 2020. International Data Corporation (IDC) estimates that the worldwide IoT market will grow from $655.8 billion in 2014 to $1.7 trillion in 2020. Devices, connectivity, and IT services will likely make up two-thirds of the IoT market in 2020, with devices (modules/sensors) alone representing more than 30 percent of the total. Morgan Stanley, however, projects 75 billion networked devices by 2020. McKinsey Global Institute suggests that the financial impact of IoT on the global economy may be as much as $3.9 to $11.1 trillion by 2025. Looking out further and raising the stakes higher, Huawei forecasts 100 billion IoT connections by 2025. [iii] [iv]

Figure 2: Prediction of number of connected devices by 2020 [v]

DEFINITION

The Internet of Things is the network of physical objects that contains embedded technologies to communicate and sense or interact with their internal states or the external environment. - The Internet of Things, Gartner.

IoT is not new: Although IoT is a hot topic today, it's not a new concept. The phrase "Internet of Things" was coined by Kevin Ashton in 1999; the concept was relatively simple, but powerful. According to the researcher, if we had computers that knew everything there was to know about things, using data they gathered without any help from us, we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best. [vi]

"The Internet of Things has the potential to change the world, just as the Internet did. Maybe even more so." - Kevin Ashton [vii]


Billions of people are connected to the internet today by connected devices, and this number is expected to exceed 50 billion by the year 2020. Clearly the digital transformation of the physical world has the potential to affect every single person and every business regardless of its type and size.

Futurists believe that in a very short span of time IoT will have sensing, analytics and visualization tools which can be used by anyone, anywhere. This accessibility can be at a personal, community, societal or national level. The flexibility to provide services to all sectors, ranging from home automation to connected cars and from smart retail to smart cities, will help in building and enabling an environment that will suit everyone. [viii]

When physical assets equipped with sensors give an information system the ability to capture, communicate, and process data—and even, in a sense, to collaborate—they create game-changing opportunities: production efficiency, distribution, and innovation all stand to benefit immensely. - McKinsey Quarterly 2015 [ix]

ENABLERS

While IoT is widely hailed as the next big thing, the key ingredients (network connectivity, cloud, security, and infrastructure) have existed for a decade.

Figure 3: Key enablers for Internet of Things (IoT) [x]

Figure 3 gives a holistic picture of the enablers that have made IoT such a success at present. The five enablers that stand out from the rest are:

- Hardware is getting cheap. High-power, low-energy-consuming devices are available.
- M2M conversations already exist.
- Connectivity via WiFi, Bluetooth, LoWAN, Zigbee etc. is becoming widespread.
- Existing software is getting more advanced, with advanced big data analytics solutions.
- The cost of scalability and storage is decreasing because of technology advancements and competition in the cloud space.

The growth of smart devices in self-optimizing sensing networks creates the Internet of Things (IoT), wherein sensors and actuators blend seamlessly with the environment around us, and the data is shared across platforms in order to develop a common operating picture (COP). Fueled by the recent adaptation of a variety of enabling wireless technologies such as RFID tags and embedded sensor and actuator nodes, the IoT has stepped out of its infancy and is the next revolutionary technology in transforming the Internet into a fully integrated Future Internet.

In the Internet of Things (IoT) paradigm, many of the physical objects that surround us will be on the network and will be connected to the digital world in one form or another. Technologies like Radio Frequency IDentification (RFID) and sensor networks will rise to meet this new challenge, in which information and communication systems will be invisibly embedded in the environment around us. Virtual infrastructure for on-demand high performance computing, advanced analytics, mass storage, client delivery and monitoring of integrated devices will be provided by cloud computing. Advanced connectivity solutions like WiFi, 4G-LTE, Bluetooth, 5G and LoWAN are ubiquitous, and their presence in the current state is bolstering IoT development and popularity. [xi]

Figure 4 shows the enablers as the roots, and the verticals and applications as the leaves, of the Internet of Things tree. Sensors, embedded processing, emerging connectivity solutions and advanced software form the basis of the different business use cases, and the applications that we see today are the product of these advancements in different technologies. These products can be categorized into different IoT verticals.

Figure 4: Enabling technologies giving rise to new applications and businesses [xii]


DIFFERENT VERTICALS IN IOT

While these enablers make the whole concept and environment possible for IoT, it is the use cases that decide its success among the various other technologies. Needless to say, the economic potential of connecting billions of devices is tremendous. This interconnected world can save lives, water, energy and money, and can act as a measure of convenience.

Figure 5: Verticals in IoT [xiii]

Figure 5 highlights the verticals in IoT that have been used in this research: Connected Wearable Devices, Connected Cars, Connected Homes, Connected Cities, Industrial Internet, Transportation, Oil and Gas, and Health Care. Each vertical offers its own business use case, and we are seeing a lot of movement in terms of new business cases in each and every vertical. Soon we will have winners and losers among the businesses, but society will emerge as a clear winner regardless of the struggle. The most popular verticals, as shown in the image, can be categorized as:

Connected Homes: IoT-enabled homes act on a home owner's behalf to provide a variety of lifestyle experiences, save energy and costs, and provide greater safety and security. Smart homes can also take care of themselves through automatic predictive maintenance (enabled by data from IoT sensors), helping reduce costs and optimize time.

Energy: IoT provides smart tools for the energy and utilities sectors, which enhance visibility into and control of energy usage, remote management of network equipment, and distribution automation.

Retail: From real-time inventory management to customer engagement and personalized marketing, IoT is helping create captivating brand experiences in the retail industry.


Healthcare: Connected healthcare systems mean that medical care can now be administered in numerous ways, such as administering drug dosages through infusion pumps, monitoring patient data, and running diagnostics using various smart devices.

Automotive: The age of connected vehicles allows for new driving experiences. IoT technologies are driving vast amounts of data to be streamed across the cloud to provide intelligent in-car solutions, from controlling self-driving cars to location tracking and vehicle maintenance alerts, among other services.

Wearables: From badges used for identification and security, location-tracking bracelets, smart watches and stress measurement devices to personal fitness tracking wristbands, the Internet of Things is making inroads into our lives on multiple fronts.

Connected Cities: The Internet of Things is making our cities smarter by providing technologies that enable environmental sustainability, economic growth, job creation and social resilience. IoT has already been used to provide smart energy management solutions, connected energy-efficient public lighting, and Connected Information Platforms, among other solutions to improve our cities.

Industries and organizations that have been early adopters in these verticals have quickly recognized this digital transformation and have started rolling out an array of products to find efficiencies that save money or reduce the demand for critical resources. For example, cars are becoming more connected with each new model, driven by infotainment, navigation, safety, diagnostics, and fleet management. In wearable devices, new consumer categories are emerging in shoes, apparel, fitness bands, action cameras, smart watches and smart glasses. Consumers in these verticals are able to see the internet extended beyond desktops and mobile devices. [xiv]

PROBLEM IN HAND

Not everything has been rosy for the Internet of Things. Privacy and security concerns have been surrounding this new buzzword as well. As IoT applications gather large volumes of data and also collect information about people's behavior, industry is cautious about shifting into the next gear. Companies need to address these privacy concerns and be prepared for changes in data protection regulation. Consumers and employees are increasingly concerned about how the data might be used, and the risk of criminals stealing it during a breach. [xv]

As we saw with the different enablers for IoT, the big research companies predict that the success of IoT will increasingly rely on cloud computing and smart devices with built-in sensors, along with thousands (if not millions) of applications to support them. The problem is that the truly integrated environments needed to support this connected technology do not exist, and the ever-evolving and popular cloud computing is in need of serious improvements, especially in terms of security. [xvi]

IoT applications continuously demand data security improvements. According to the Privacy Rights Clearinghouse, there have been 215 publicly disclosed security breaches in 2014 (as of this writing), exposing over 8.5 million personal records. Devices in the Internet of Things (IoT) generate, process, and exchange vast amounts of security and safety-critical data as well as privacy-sensitive information, and hence are appealing targets of various attacks. While data breaches have continuously plagued the large organizations that oversee data discovery, security controls and classification measures, IoT will increase these breaches for several reasons. First, operational data will be increased by a factor of ten by IoT devices, but the security controls and procedures may fail to scale at such a rapid pace. Second, the threat will not only come from inside the system: as IoT devices will be consuming assorted data from outside the network as well, this will open up new threat vectors. Finally, the need for dynamic policy enforcement for different types of security profiles, based upon the trustworthiness of the device, will increase the complexity of the system. To amplify the problem in hand, the interconnected nature of IoT devices means that every poorly secured device that is connected online will potentially affect the security and resilience of the Internet globally; hence there are alarm bells ringing all around IoT. [xvii] [xviii] [xix]

While we hear the cries of the industry over security and privacy concerns, we were quick to realize that the main reason for this was the lack of knowledge and prediction of the threat vectors and new threat agents. In the leading IoT security reports from Verizon and EY and in the OWASP top ten IoT Vulnerabilities, we read that the vulnerability assessments were based on an HPE Fortify report which conducted tests on 10 IoT devices in 2014 and predicted future vulnerabilities in this space. [xx]

The current security reports of 2016 still refer to the same HPE report and make predictions for vulnerabilities in IoT devices for 2020. Clearly the industry has moved on, and new devices, new businesses and new verticals have emerged, creating unprecedented vulnerabilities and thereby demanding that the reports realign with the current security state of IoT devices so as to create smarter and more adaptable security models for companies that are moving aggressively in this space. Our research shows an increase of almost 20% in vulnerabilities that have not been covered by OWASP.


A LITTLE INSIGHT ABOUT OWASP AND ITS TOP 10 INTERNET OF THINGS VULNERABILITIES

OWASP (Open Web Application Security Project): The Open Web Application Security Project is an open-source project for application security. It also focuses on analyzing and identifying security vulnerabilities in the Internet of Things. The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

Figure 6: OWASP top ten Internet of Things Vulnerabilities [xxi]


BLUEPRINT OF THE RESEARCH WORK

Figure7: Research blueprint


RESEARCH STRATEGY

We initiated discussions with the world-class faculty here at the University at Buffalo and also had conversations with 50+ IoT SMEs (Subject Matter Experts) from the industry. Then we started looking at innovative companies and gained insight into how things are changing in these companies because of this new disruption.

We heard everyone out and saw that security was a big concern, as new startups and even mid-size companies do not know what they are fighting against. The threat vectors have changed, and the assets are so inter-related that vulnerabilities can be exposed from anywhere, not just from your own controlled environment but from any other device which has an exposed vulnerability. The SMEs were also worried about the impact of these security flaws: because physical systems are involved, they may cause fatal injuries to an individual as well. We dug into the IoT hacking blogs, read the news articles for the last 4 years and marked out 40 breaches and hacking attempts made by hackers or even by research institutes, which exposed a lot of information for us to conduct our research. We collected data from January 1st, 2012 to February 26th, 2016 and covered 40 breaches/hack attempts in this entire span. (refer to Figure 7)

We realized there was a lot of overlapping information between the news reports and the public hacking disclosures. We started collecting as much data as we could for all the hacks that were made open on public forums. We got partial information for the company name, date of the hack, when the fix was done, cost of the product, hacking steps etc., as shown in the blueprint below.

We soon realized that the one thing that was consistent was the vulnerabilities, and that one product hack often involved more than one vulnerability. Hence we decided to go forward with product vulnerabilities as the target variable and started the process of cleaning and standardizing the data.

This data was then compared with the data from OWASP, which has proposed ten classes of vulnerabilities and has several examples of vulnerabilities that go into each of these classes. We compared and matched our findings to the ones proposed by OWASP. In this process we also found that there are several new vulnerabilities that have not been covered by OWASP, and hence we created a new class for the vulnerabilities that could not be mapped to OWASP. To summarize, the following steps were performed as part of the research methodology:

1. A search was conducted across social media, websites, blogs and research institutes to find potential breaches or hacks of IoT devices.
2. Each hack was classified as a potential IoT hack.
3. A standard template was created capturing all the relevant information from several sources for every IoT hack.
4. Parameters like cost, brand, date of hack, date of fix, vulnerabilities, hacking steps, impact, remedial steps taken etc. were captured.
5. Missing data was not ignored. It was captured and recorded as 'missing'.
6. The OWASP top 10 vulnerability classes for IoT were broken down into 41 examples and compared with the findings.
7. Vulnerabilities of the hacks were mapped to OWASP examples (for IoT), and unmapped ones were captured in a new class.
8. Verticals were taken as standard from HBR and placed in the data sheet.

ASSUMPTIONS AND LIMITATIONS

We assume that the knowledge shared in public forums by news websites, hackers and research institutes is reliable and does not contain any invalid information. Any decisions taken on the basis of this report must take into consideration a reasonable amount of risk regarding the reliability of information available in the public domain. The number of hacks in this span may be higher, and they may involve different vulnerabilities; but only the ones we found in our six months of research are taken into consideration in this report. The vulnerability mapping from the text to the OWASP classes has been done very carefully and standardized, to make it possible for researchers to work on this report and create new security models.

All data and percentages for this study were drawn from the available public information on IoT breaches that happened during this period. While there could certainly be a larger number of IoT breaches in the market, and that number continues to move upwards on a daily basis, we believe that the similarity in results of this subset provides a good snapshot of where the market currently stands with respect to security in the Internet of Things.

DATA COLLECTION AND ANALYSIS

In its IoT Top 10, documented in 2014, OWASP identified 10 major categories [xxii] of vulnerabilities for the Internet of Things, which are summarized below:

1. Insecure Web Interfaces: An insecure web interface can be present when issues such as account enumeration, lack of account lockout or weak credentials are present. Insecure web interfaces are prevalent because the intent is to have these interfaces exposed only on internal networks; however, threats from internal users can be just as significant as threats from external users.

Insecure Web Interface | Count | S.No. of Product (Refer to Appendix A)
Account Enumeration | 0 | NA
Weak Default Credentials | 17 | 3,4,5,7,9,11,12,13,14,16,17,18,22,24,29,35,36
Credentials Exposed in Network Traffic | 5 | 2,11,19,26,38
Cross-site Scripting (XSS) | 0 | NA
SQL-Injection | 2 | 14,34
Session Management | 0 | NA
Account Lockout | 0 | NA

2. Insufficient Authentication/Authorization: Authentication may not be sufficient when weak passwords are used or are poorly protected. Insufficient authentication/authorization is prevalent because it is assumed that interfaces will only be exposed to users on internal networks and not to external users on other networks.

Insufficient Authentication/Authorization | Count | S.No. of Product (Refer to Appendix A)
Lack of Password Complexity | 5 | 4,31,33,34,35
Poorly Protected Credentials | 7 | 4,11,14,19,20,33,38
Lack of Two Factor Authentication | 3 | 36,39,40
Insecure Password Recovery | 0 | NA
Privilege Escalation | 0 | NA
Lack of Role Based Access Control | 2 | 29,38

3. Insecure Network Services: This class deals with insecure network services which may be susceptible to buffer overflow attacks or attacks that create a denial of service condition, leaving the device inaccessible to the user. Denial of service attacks against other users may also be facilitated when insecure network services are available. Insecure network services can often be detected by automated tools such as port scanners and fuzzers.

Insecure Network Services | Count | S.No. of Product (Refer to Appendix A)
Vulnerable Services | 0 | NA
Buffer Overflow | 2 | 6,19
Open Ports via UPnP | 4 | 12,13,16,38
Exploitable UDP Services | 1 | 24
Denial-of-Service | 1 | 7
DoS via Network Device Fuzzing | 1 | 34

4. Lack of Transport Encryption: Lack of encryption at the transport layer allows data to be viewed as it travels over local networks or the internet. Lack of transport encryption is prevalent on local networks because it is easy to assume that local network traffic will not be widely visible; however, in the case of a local wireless network, misconfiguration of that wireless network can make traffic visible to anyone within range of it.

Lack of Transport Encryption | Count | S.No. of Product (Refer to Appendix A)
Unencrypted Services via the Internet | 14 | 4,2,3,15,16,23,27,29,31,32,33,34,35,39
Unencrypted Services via the Local Network | 1 | 1
Poorly Implemented SSL/TLS | 7 | 1,8,10,16,21,23,34
Misconfigured SSL/TLS | 1 | 27

5. Privacy Concerns: Privacy concerns generated by the collection of personal data, in addition to the lack of proper protection of that data, are prevalent.

Privacy Concerns | Count | S.No. of Product (Refer to Appendix A)
Collection of Unnecessary Personal Information | 3 | 10,27,29


6. Insecure Cloud Interface: An insecure cloud interface is present when easy to guess credentials are used or account enumeration is possible.

Insecure Cloud Interface | Count | S.No. of Product (Refer to Appendix A)
Account Enumeration | 0 | NA
No Account Lockout | 0 | NA
Credentials Exposed in Network Traffic | 0 | NA

7. Insecure Mobile Interface: An insecure mobile interface is present when easy to guess credentials are used or account enumeration is possible. Insecure mobile interfaces are easy to discover by simply reviewing the connection to the wireless networks and identifying if SSL is in use, or by using the password reset mechanism to identify valid accounts, which can lead to account enumeration.

Insecure Mobile Interface | Count | S.No. of Product (Refer to Appendix A)
Account Enumeration | 1 | 14
No Account Lockout | 0 | NA
Credentials Exposed in Network Traffic | 1 | 24

8. Insufficient Security Configurability: Lack of permitted security configurations is present when users of the device have limited or no ability to alter its security controls.

Insufficient Security Configurability | Count | S.No. of Product (Refer to Appendix A)
Lack of Granular Permission Model | 3 | 15,17,20
Lack of Password Security Options | 2 | 4,15
No Security Monitoring | 0 | NA
No Security Logging | 0 | NA

9. Insecure Software/Firmware: The lack of ability for a device to be updated presents a security weakness on its own. Software/Firmware can also be insecure if they contain hardcoded sensitive data such as credentials.

Insecure Software/Firmware | Count | S.No. of Product (Refer to Appendix A)
Encryption Not Used to Fetch Updates | 1 | 5
Update File not Encrypted | 3 | 6,19,29
Update Not Verified before Upload | 5 | 9,15,16,18,23
Firmware Contains Sensitive Information | 2 | 6,23
No Obvious Update Functionality | 2 | 12,29


10. Poor Physical Security: Physical security weaknesses are present when an attacker can disassemble a device to easily access the storage medium and any data stored on that medium.

Poor Physical Security | Count | S.No. of Product (Refer to Appendix A)
Access to Software via USB Ports | 1 | 29
Removal of Storage Media | 2 | 18,29

11. New Unmapped Vulnerabilities: 24 vulnerabilities have been found that are not mapped against any OWASP defined classes.

New Class | Count | S.No. of Product (Refer to Appendix A)
Poor Physical Design | 2 | 1,20
Lack of technical support for products from 3rd Party sellers | 1 | 5
Lack of secured re-authentication | 3 | 11,25,32
Taking device down in presence of fake strong signal (Disassociation) | 1 | 11
OS Command Injection | 2 | 18,19
Authentication By-Pass | 4 | 18,19,21,37
XML Injection | 1 | 23
Reverse Engineering and Code Modification | 5 | 24,30,31,34,35
Fail unsecure | 1 | 25
Not able to turn off feature | 1 | 28
Vulnerable and unrestricted API | 3 | 28,39,37

RESULTS FROM THE RESEARCH

As the race between Time to Market and Security Controls intensifies, it is important to understand what exactly the security concerns are and where a company should be investing its resources the most. For this, past experience, that is, the history of hacks among IoT devices, plays a crucial role. It's hard to ignore the public findings. Also, as we read, the industry security papers and models are based on a report that covered just ten devices; hence we should take into account the movement that has happened in the last two years, adapt to the new vulnerabilities, and prioritize according to the time and money a company wants to spend on security.


Figure8: OWASP Vulnerabilities Classes for IoT and research findings

In Figure8 we can see that each OWASP class has several example vulnerabilities associated with it, and that some of the examples are far more common than others. If an organization addresses weak default credentials and unencrypted services via the internet, it can cover over 30% of the vulnerabilities stated by OWASP. We see a lot of startups focusing on base-level security controls because they do not want to delay production. Though we strongly believe that security has to be involved in the entire IoT ecosystem, these startups can prioritize their efforts based on the figure shown above.

Figure9: New vulnerabilities

While aligning the vulnerabilities found across the 40 IoT devices, we saw that many of them do not belong to any of the defined OWASP classes. Hence we created a new class (Figure9) and collected these unmapped findings into it. Almost 20% of the vulnerabilities are not covered by OWASP in its 2014 Top 10 Internet of Things Vulnerabilities classes. A business should therefore not blindly build its security model on the defined classes alone; it should cater to these new findings as well. We propose redefining the security models based on the findings of this report.

Figure10: Summarized findings against each OWASP vulnerability class

Summarizing, we see in Figure10 that not all OWASP classes are equally represented in the recent hacks of IoT devices. Some of the vulnerabilities have been exploited a lot in recent times. This gives a clear picture of where the focus should be and helps to redefine the development of IoT products. The following bubble chart highlights the seriousness of the problem and serves as a starting point for the discussion on the present state of security and on what the focus areas should be for companies in future. Figure11 clearly shows that a few classes (Insufficient Authentication/Authorization, Insecure Web Interface, Lack of Transport Encryption and the new class of vulnerabilities) account for the majority of the findings.


Figure11: Bubble chart highlighting focus areas

Because the collected data has other variables too, we can explore it further to gather more findings, like the one shown below. A lot of the hacks were carried out on connected home appliances. 84 vulnerabilities were found in this vertical; some of them mapped to the existing OWASP classes, and some were put in the new vulnerability class, which does not map to any of the existing classes. As shown in Figure12, 24% of the connected home vulnerabilities were associated with the new class. The figure shows the distribution of this vertical within the new (unmapped) vulnerability class. As we can see, a lot of connected home devices were exposed to the reverse engineering and code modification vulnerability.


Figure12: Connected homes having new vulnerabilities not covered by OWASP

This gives a clear picture that not only do the existing OWASP classes need to be revised, but a new category also needs to be created. The standardized vulnerabilities should be reassessed: every new hack brings new learnings, and these learnings have to be added to the standards. As organizations across domains like healthcare, smart appliances, industrial automation, logistics, manufacturing, energy, insurance, vehicles etc. gear up for this third wave of the Internet, they should know what they are fighting against in terms of security issues. A recent report of security breaches, or even of hacks from research institutes, gives a lot of information for product development strategy.

New businesses should revamp their security models based on the report mentioned above. A genuine effort should also be made to make security issues publicly available, so that research organizations can analyze them and come up with new numbers that help not only businesses but also society as a whole.


RECOMMENDED FUTURE WORK

We invite researchers to work on the data provided in this report and come up with more findings. For example, the cost of the product and the vertical can be analyzed against the vulnerabilities of the associated product. This can reveal trends in the vulnerabilities by cost category, which tells us what the most significant security issues are for low-cost products.

OWASP also clearly defines the impact of each vulnerability class. The findings here can be related to the impact parameter in OWASP to prioritize the vulnerability classes based on their corresponding impact. Hence risk modelling can be done on top of this data. We also invite researchers to create new security models by looking at the likelihood of the different vulnerabilities, where the impact factor can be taken from the OWASP-defined top 10 IoT vulnerabilities.

Further, upcoming IoT devices should not rely only on the above findings but should also look at the industry papers that define a few security controls which can act as best practices, like secure booting, access control, device authentication, firewalling and IPS (Intrusion Prevention Systems), and updates and patches. There are many versions of the future security controls, but it has always been seen that the past gives us direction and sets our focus in the right way. This report serves as a medium to guide future research and highlights how the current findings vary from the report made in the past. This is an evolving process and we will continue to work with the industry to help in creating adaptive security models.


REFERENCES

i Verizon: State of the Market: The Internet of Things 2015, http://www.verizonenterprise.com/resources/reports/rp_state-of-market-the-market-the-internet-of-things-2015_en_xg.pdf

ii Gartner, August 2015, http://www.gartner.com/newsroom/id/3114217

iii International Data Corporation, “IDC’s Worldwide Internet of Things Taxonomy,” 2015

iv http://www.internetsociety.org/sites/default/files/ISOC-IoT-Overview-20151022.pdf

v Internet of Things – From Research and Innovation to Market Deployment, Chapter 2, ©2014 River Publishers. All rights reserved.

vi http://www.gartner.com/it-glossary/internet-of-things

vii Kevin Ashton, “That ‘Internet of Things’ Thing,” RFID Journal, July 22, 1999

viii EY Cyber-Security and the Internet of Things, http://www.ey.com/Publication/vwLUAssets/EY-cybersecurity-and-the-internet-of-things/$FILE/EY-cybersecurity-and-the-internet-of-things.pdf

ix An executive’s guide to the Internet of Things - Jacques Bughin, Michael Chui, and James Manyika (McKinsey Quarterly 2015)

x Internet of Things – From Research and Innovation to Market Deployment, Chapter 2, 2014 River Publishers. All rights reserved.

xi Internet of Things (IoT): A vision, architectural elements, and future directions - Jayavardhana Gubbi, Rajkumar Buyya, Slaven Marusic, Marimuthu Palaniswami

xii Internet of Things – From Research and Innovation to Market Deployment, Chapter 2

xiii https://hbr.org/2014/10/the-sectors-where-the-internet-of-things-really-matters/

xiv http://www.digitalservicecloud.com/verticals.html

xv Verizon: Data breach investigation report 2015 [ http://www.verizonenterprise.com/resources/reports/rp_state-of-market-the-market-the-internet-of-things-2015_en_xg.pdf ]

xvi EY Cyber-Security and the Internet of Things, http://www.ey.com/Publication/vwLUAssets/EY-cybersecurity-and-the-internet-of-things/$FILE/EY-cybersecurity-and-the-internet-of-things.pdf

xvii White Paper: The Internet of Things: A CISO and Network Security Perspective, http://www.cisco.com/c/dam/en_us/solutions/industries/docs/energy/network-security-perspective.pdf

xviii Security and privacy challenges in industrial internet of things, Ahmad-Reza Sadeghi (1), Christian Wachsmann (2), Michael Waidner (1,3); (1) Technische Universität Darmstadt, Germany

xix The Internet of Things: An Overview, Internet Society (internetsociety.org)

xx HP security report: IoT breaches 2014, http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-4759ENW&cc=us&lc=en

xxi OWASP top 10 IoT vulnerabilities: https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf

xxii https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf


APPENDIX A: OUR FINDINGS FOR EACH HACK

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
1 | Ring Door Bell | Ring | $199 | 1/8/2016 | 1/13/2016 | Connected Homes

Hacking Steps & Related Findings

The device is secured with two Torx T4 screws. Take off the door mounting, flip it over and press the orange ‘set up’ button. Pressing the setup button sets the doorbell’s wireless module. [i]

Device breached via physical access. Unencrypted storage of local data.

Vulnerabilities (Mapped to OWASP Top 10)

UNENCRYPTED SERVICES VIA THE LOCAL NETWORK

Newly found Vulnerabilities

POOR & INSECURE PHYSICAL DESIGN

Impact

Getting the MAC, PSK, SSID in plain-text

Getting WiFi passwords in plain-text

Remedial Steps taken

Free replacement if stolen

Firmware released immediately

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
2 | Nest Thermostat | Google | $210 | 1/14/2016 | 1/20/2016 | Connected Homes

Hacking Steps & Related Findings

Outgoing traffic is secured (port 443 and 9543)

Some of the incoming information, like location details, is sent in clear text

Clear text data over the air [ii]

Vulnerabilities (Mapped to OWASP Top 10)

UNENCRYPTED SERVICES VIA THE LOCAL NETWORK

Newly found Vulnerabilities

N/A

Impact

Revealing location information of the home and weather station

Revealing information, including the user’s zip code, in the clear

Remedial Steps taken

Bug Fixed, new patch released by company


S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
3 | Vizio Smart TV | Vizio | $208 | NA | 11/11/2015 | Connected Homes

Hacking Steps & Related Findings

We can man-in-the-middle the connection, watch the requests, repeat them to the server and serve our own fake (static) content back to the TV.

TV sends fingerprints of what you’re watching

Vulnerable to ARP poisoning/spoofing [iii]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS

UNENCRYPTED SERVICES VIA THE INTERNET

POORLY IMPLEMENTED SSL/TLS

Newly found Vulnerabilities

N/A

Impact

Gaining access to the victim’s home network

Carry all kinds of attacks on the internal network using the TV as a launching pad for malware

Remedial Steps taken

Bug Fixed, new patch released by company

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
4 | iBaby Baby monitors | iBaby M6 | $180 | 9/29/2015 | NA | Connected Homes

Hacking Steps & Related Findings

8 hexadecimal characters make up the object ID

This object ID is passed on the URL

Brute force attack to see other users' video content

Access a camera’s details, including video-recording filenames: http://www.ibabycloud.com/cam/index/camid/serial_number/camtype/cam_type [any authenticated user]

Access a camera’s video recording: http://d3a9yv3r4ycsw2.cloudfront.net/monitor/alert/serial_number/filename [no authentication required]

Predictable public information leak. Direct object reference vulnerability [iv]

Vulnerabilities (Mapped to OWASP Top 10)

POORLY PROTECTED CREDENTIALS

WEAK DEFAULT CREDENTIALS

LACK OF PASSWORD COMPLEXITY

LACK OF PASSWORD SECURITY OPTIONS

UNENCRYPTED SERVICES VIA THE INTERNET

Newly found Vulnerabilities

N/A

Impact

Any authenticated user to the ibabycloud.com service is able to view camera details for any other user

Remedial Steps taken

No data

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
5 | Foscam Baby monitors | Foscam | $40 | 5/1/2014 | NA | Connected Homes

Hacking Steps & Related Findings

Normally when a manufacturer pushes a firmware update, they cryptographically sign the update, and the device checks the signature and will refuse the update if it doesn’t have the signature.

Foscam will accept just about anything. Weakness in the camera’s software design

Factory-issued password: anyone could sign into any Foscam with the password “admin.”

Foscam doesn’t have a direct relationship with many customers, who buy their cameras from resellers like Amazon or Best Buy, hence it can't send them the updates/patches. [v]

Vulnerabilities (Mapped to OWASP Top 10)

ENCRYPTION NOT USED TO FETCH UPDATES

WEAK DEFAULT CREDENTIALS

Newly found Vulnerabilities

LACK OF TECHNICAL SUPPORT FOR PRODUCTS FROM 3RD PARTY SELLERS

Impact

Hacking the camera and scaring the babies. Video watched by hackers

Remedial Steps taken

More test centres opened

WARNINGs on Foscam web services

Allows users to put their own passwords

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
6 | TRENDNET IP CAMERAS | TRENDNET | $139 | 1/10/2012 | 2/14/2012 | Connected Homes

Hacking Steps & Related Findings

Steps for Vulnerability 1: Hackers deconstructed the Trendnet camera's firmware, manually inspecting the enclosed files. This inspection revealed multiple CGI scripts used for requesting live video. Trendnet had left a folder called 'anony' (as in anonymous access). In that folder is a file named mjpg.cgi. A request to that file returns a live video stream for the cameras.

Vul 1. Hackers gain unauthorized access to TRENDnet’s IP Camera video feeds by exploiting a security vulnerability and outdated firmware installed in the cameras.

Vul 2. Prone to a stack-based buffer overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. [vi]

Vulnerabilities (Mapped to OWASP Top 10)

BUFFER OVERFLOW

FIRMWARE CONTAINS SENSITIVE INFORMATION

UPDATE FILE NOT ENCRYPTED

Newly found Vulnerabilities

N/A

Impact

Unauthorized access to thousands of at-home IP camera feeds

Failed exploit attempts will result in denial-of-service conditions.

Remedial Steps taken

Trendnet ceased shipments of all affected models in 2012, and pulled any remaining cameras from store shelves.

Sent emails to registered camera users to install an updated firmware which had fixed the security vulnerability

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
7 | Smart Fridge | Undisclosed brand | NA | 1/19/2014 | NA | Connected Homes

Hacking Steps & Related Findings

Attacker hijacks devices remotely to send spam, incorporating over 100,000 devices between 23 December and 6 January, including routers, multimedia centers, televisions and at least one refrigerator.

Misconfiguration and the use of default passwords had left them open on public networks and therefore vulnerable to this kind of attack. [vii]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS

DENIAL-OF-SERVICE

Newly found Vulnerabilities

N/A

Impact

The attack sent out over 750,000 spam emails, in bursts of 100,000 emails at a time, three times a day, with no more than 10 emails sent from any one IP address, making them difficult to block. Over 25 per cent of the emails were sent from devices that weren't conventional computers or mobile devices

Remedial Steps taken

No data

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
8 | Samsung model RF28HMELBSR Fridge | SAMSUNG | $3,599 | 12/23/2013 | NA | Connected Homes

Hacking Steps & Related Findings

"Security vulnerability Allow an attacker located between the user and the Internet, also known as a Man-in-the-Middle (MITM) attack"

"Device does not validate SSL certificates, opening the opportunity for hackers to access the network and monitor activity for the user name and password used to link the refrigerator to Gmail." [viii]

Vulnerabilities (Mapped to OWASP Top 10)

POORLY IMPLEMENTED SSL/TLS

Newly found Vulnerabilities

N/A

Impact

Stolen Gmail credentials

Remedial Steps taken

No data

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
9 | CANON PIXMA Cameras | CANON | $45 | 9/15/2014 | 9/9/2014 | Connected Homes

Hacking Steps & Related Findings

"Attackers triggered a firmware update enabling them to change the printer’s Web proxy settings and the DNS server. If these can be changed, then the hacker can redirect where the printer goes to check for new firmware, and there’s nothing to prevent a malicious person from providing malicious firmware."

"PIXMA’s Web interface doesn’t require user authentication, allowing anyone to connect to the interface. The issue is with the firmware-update process over the Internet. Firmware could be changed easily in absence of authentication procedures." [ix]

Vulnerabilities (Mapped to OWASP Top 10)

UPDATE NOT VERIFIED BEFORE UPLOAD

WEAK DEFAULT CREDENTIALS

Newly found Vulnerabilities

N/A

Impact

Hackers can not only print hundreds of pages, but also trigger a firmware update enabling them to change the printer’s Web proxy settings and the DNS server. If these can be changed, then the hacker can redirect where the printer goes to check for new firmware, and there’s nothing to prevent a malicious person from providing malicious firmware.

Remedial Steps taken

Fix promised by CANON

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
10 | SAMSUNG smart TV | SAMSUNG | $4,200 | 2/9/2015 | NA | Connected Homes

Hacking Steps & Related Findings

Samsung stores user voice data generated from Smart TVs in 3rd party servers

"TV was uploading audio files in an unencrypted form. Data being sent is a mix of XML and some custom binary data packet" [x]

Vulnerabilities (Mapped to OWASP Top 10)

COLLECTION OF UNNECESSARY PERSONAL INFORMATION

POORLY IMPLEMENTED SSL/TLS

Newly found Vulnerabilities

N/A

Impact

Data susceptible to compromise while in transit due to no encryption for data on the move

Remedial Steps taken

Bug Fixed, new patch released by company

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
11 | iKettle Wifi Electric Kettle | Smarter | $150 | 10/19/2015 | 11/1/2015 | Connected Homes

Hacking Steps & Related Findings

Attackers set up a malicious network and fake access point with the same name and SSID but with a stronger signal that the iKettle connects to, before sending a disassociation packet that will cause the device to drop its original wireless link. With a directional antenna pointed towards the kettle, the kettle drops its present home access point and connects to the stronger malicious network with the same name. Once connected, a couple more commands in telnet (including one entering a default password to access the kettle) can cause it to disclose the wifi password in plaintext to attackers.

"Lack of encryption in wifi access points, Use of default passwords to control the device through mobile App" [xi]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS

CREDENTIALS EXPOSED IN NETWORK TRAFFIC

POORLY PROTECTED CREDENTIALS

Newly found Vulnerabilities

LACK OF SECURED RE-AUTHENTICATION

TAKING DEVICE DOWN IN PRESENCE OF FAKE STRONG SIGNAL (DISASSOCIATION)

Impact

Stolen home wifi password

Remedial Steps taken

Bug Fixed, new patch released by company

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
12 | INTEL X86 architecture devices, Routers, STBs | INTEL | NA | 11/26/2013 | 12/12/2013 | Connected Homes

Hacking Steps & Related Findings

The worm propagates by exploiting the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823) through HTTP POST requests.

"PHP is prone to an information-disclosure vulnerability. Exploiting this issue allows remote attackers to view the source code of files in the context of the server process. This may allow the attacker to obtain sensitive information and to run arbitrary PHP code on the affected computer; other attacks are also possible" [xii]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS

NO OBVIOUS UPDATE FUNCTIONALITY

OPEN PORTS VIA UPNP

Newly found Vulnerabilities

N/A

Impact

Sensitive information compromised in related systems.

Remedial Steps taken

No data of known fixes released by company

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
13 | JEEP CHEROKEE | FIAT CHRYSLER | $25,000 | 7/10/2015 | 7/21/2015 | Connected Cars

Hacking Steps & Related Findings

The hack uses the Uconnect (internet connected computer feature) system as a gateway into the car and then gains access to the Jeep’s infotainment system headunit. Once there, the firmware of the headunit is re-written, which allows access to the entire CAN bus of the car, essentially the car’s nervous system.

The multimedia system of the Jeep was hacked through its Wi-Fi connection. The Wi-Fi password for Chrysler’s cars is generated automatically, based on the time when the car and its multimedia system (the head unit) is turned on for the very first time. If you know the year when the car in question was manufactured and if you successfully guess the month, you can bring the count down to just 15 million combinations. If you suppose the time was during the day, it gets you to about 7 million combinations. For a hacker, this number is pretty workable: you can brute force it within an hour. [xiii]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS

OPEN PORTS VIA UPNP

Newly found Vulnerabilities

N/A

Impact

Control of the media systems, wipers, brakes, throttle and even some limited control (in reverse only, for now) of the steering.

Remedial Steps taken

Vehicle software update released for improved security protection to reduce the potential risk of unauthorized access/control

1.4 million vehicles recalled to fix the bug

Users requested to install the updated vehicle software

Company took “network-level security measures”, presumably deployed security tools that detect and block the attack on Sprint’s network, the cellular carrier that connects Chrysler’s vehicles to the Internet.

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
14 | Hello Barbie | VTECH | $75 | 11/15/2015 | 12/4/2015 | Others

Hacking Steps & Related Findings

Hackers used SQL injection to compromise the vulnerable Vtech mobile app. The app combines the current time with a pseudorandom number generator, a cryptographically insecure method to encrypt the data, which is a security vulnerability.

The app creates an MD5 hash of the KidConnect username, in uppercase, and a constant value. But MD5 is notoriously weak, and using the company's own name as a variable in that process likely makes the result easier to crack. The second reason is the use of weak random numbers to encrypt data. [xiv]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS

SQL-INJECTION

POORLY PROTECTED CREDENTIALS

MOBILE INTERFACE: ACCOUNT ENUMERATION

Newly found Vulnerabilities

N/A

Impact

Personal data of 5 million parents and over 200,000 children leaked from VTech. Hackers also managed to get hold of potentially tens of thousands of photos of children. Emails and chats of VTech users were also compromised

Remedial Steps taken

Problem fixed in newer versions. New measures for strengthening security around user registration information and other services within Learning Lodge.

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
15 | Progressive Snapshot Dongle, Metromile Pulse OBD dongle | Progressive Insurance, Metromile Insurance | NA | 1/15/2015 | 8/15/2015 | Connected Cars

Hacking Steps & Related Findings

- Dongle was connected to the car system via the OBD port.

- Manually extracted the firmware from the dongle and manipulated it.

After gaining complete “root” access on any of the dongles, Mobile Devices dongles were configured to accept commands via SMS, a protocol with virtually no authentication. By sending texts to the devices from a certain phone number, anyone could rewrite their firmware or simply begin issuing commands to a connected car.

“Developer” mode was enabled in the dongles, allowing anyone who scanned for the devices to access them via SSH, a common protocol for remotely communicating with a computer. They stored the same private key on every device, which a hacker could immediately extract to gain complete “root” access on any of the dongles.

- Dongle was insecurely integrated with the CAN bus of the vehicle (which connected and gave this device unlimited access to brakes, ECU, speed, park assist steer) with no security controls implemented. [xv]

Vulnerabilities (Mapped to OWASP Top 10)

LACK OF GRANULAR PERMISSION MODEL

UNENCRYPTED SERVICES VIA THE INTERNET

LACK OF PASSWORD SECURITY OPTIONS

UPDATE NOT VERIFIED BEFORE UPLOAD

Newly found Vulnerabilities

N/A

Impact

Control of brakes, throttle, ECU and vehicle speed for over two million vehicles in which such dongles have been installed

Remedial Steps taken

Metromile released updated software for its Pulse dongle

No update on Progressive Insurance Snapshot dongle

S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical
16 | LCA 3 Lifecare infusion pump / Symbiq Series pumps | Hospira | $2,200 | 4/8/2015 | NA | Health Care

Hacking Steps & Related Findings

1. Hospitals use the communication modules on the main board to update the libraries on the pumps. But the communication modules are connected via a serial cable to a circuit board in the pumps, which contains the firmware. Hospira uses this serial connection to remotely access the firmware and update it.

2. These libraries basically define the functioning of the pumps. But the communication modules are connected to hospital networks, which are in turn connected to the Internet.

3. So hackers can wirelessly access hospital internal networks and get access to these communication modules to upload a manipulated drug library to update the device firmware. Instead of accepting only authenticated and digitally signed legitimate firmware updates, Hospira’s pumps accept any update, which means anyone can alter the software on the pumps.

Findings:

1. The ability to forge drug library updates to the infusion pump

2. Unauthenticated telnet shell to root to the communications module

3. Identical hardcoded credentials (service credentials) across different device lines

4. Identical private keys across different device lines

5. Identical encryption certificates across different device lines

6. A slew of outdated software (>100 different vulnerabilities)

Among the vulnerabilities is a plaintext password that Hospira hardcoded into its software, which an unskilled attacker could use to exploit a SQL database in the system and gain administrative control over the MedNet server. The system has hardcoded cryptographic keys that can be captured by an attacker and used to decrypt communication between the server and the pumps. The system also stores usernames and passwords in plaintext. All of these, along with another vulnerability Rios found in the MedNet system, would allow an attacker to run malicious code on the server and take control of it to distribute rogue drug libraries to the pumps or alter their configurations. [xvi]

Vulnerabilities (Mapped to OWASP Top 10)

POORLY IMPLEMENTED SSL/TLS

UPDATE NOT VERIFIED BEFORE UPLOAD

OPEN PORTS VIA UPNP

UNENCRYPTED SERVICES VIA THE INTERNET

WEAK DEFAULT CREDENTIALS

Newly found Vulnerabilities

N/A

Impact

A hacker could not only change the dosage of drugs delivered to a patient but also alter the pump’s display screen to indicate a safe dosage was being delivered.

Remedial Steps taken

Hospira denied the security flaw; no fix provided. More vulnerabilities emerged in Hospira's newer Symbiq series of pumps; still no action
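
The signed-update check that record 5 (Foscam) describes, and whose absence records 9 (Canon) and 16 (Hospira) report as "update not verified before upload", shown next to the accept-anything behaviour. This is an added example in Go, not code from the report or from any vendor; the Update layout, the choice of Ed25519 and every name in it are assumptions, and the firmware bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical update package (an assumption of this example):
// a firmware image, its version, and the vendor's detached signature.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrUnsigned     = errors.New("update rejected: no signature")
	ErrBadSignature = errors.New("update rejected: signature does not verify")
)

// signedBytes is the exact byte string that gets signed and verified:
// version (4 bytes, big endian) followed by SHA-256 of the image.
// Covering the version means a valid signature cannot be reused on
// relabelled metadata.
func signedBytes(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// NewVendorKey creates the vendor's signing key pair. The private half
// stays in the release system; only the public half ships on devices.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate is the vendor side: sign the image at release time.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	sig := ed25519.Sign(priv, signedBytes(version, image))
	return Update{Version: version, Image: image, Signature: sig}
}

// Device models the on-device updater. VendorKey is provisioned at
// manufacture; Installed stands in for the flash partition.
type Device struct {
	VendorKey ed25519.PublicKey
	Installed []byte
}

// InstallUnverified is the weak behaviour: whatever arrives is written.
func (d *Device) InstallUnverified(u Update) error {
	d.Installed = u.Image
	return nil
}

// InstallVerified refuses anything the vendor key did not sign and
// leaves the installed image untouched on refusal.
func (d *Device) InstallVerified(u Update) error {
	if len(u.Signature) == 0 {
		return ErrUnsigned
	}
	if len(d.VendorKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(d.VendorKey, signedBytes(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	d.Installed = u.Image
	return nil
}

func main() {
	pub, priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub}

	// Constructed sample updates, not real firmware.
	good := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	tampered := good
	tampered.Image = []byte("constructed firmware image v2, modified in transit")
	unsigned := Update{Version: 3, Image: []byte("constructed unsigned image")}

	for _, c := range []struct {
		name string
		u    Update
	}{{"vendor-signed", good}, {"tampered", tampered}, {"unsigned", unsigned}} {
		fmt.Printf("%-14s verified installer: %v\n", c.name, dev.InstallVerified(c.u))
	}
	legacy := &Device{}
	fmt.Println("tampered       unverified installer:", legacy.InstallUnverified(tampered))
}
```

The check only helps if the public key on the device cannot itself be replaced through the same unauthenticated interface that delivers the update.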

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 17 | TrackingPoint Self aiming TP750 Rifle | TrackingPoint | $13,000 | 7/10/2015 | NA | Others |


Hacking Steps & Related Findings

1. By accessing the gun through Wi-Fi, a hacker can treat the gun as a server and access APIs to alter key variables in its targeting application. (The hackers were able to find those changeable variables by dissecting one of the two rifles they worked with, using an eMMC reader to copy data from the computer’s flash storage with wires they clipped onto its circuit board pins.)
2. Through the Wi-Fi connection, an attacker could also add themselves as a “root” user on the device, taking full control of its software, making permanent changes to its targeting variables, or deleting files to render the scope inoperable. If a user has set a PIN to limit other users’ access to the gun, that root attack can nonetheless gain full access and lock out the gun’s owner with a new PIN. The attacker can even disable the firing pin, a computer-controlled solenoid, to prevent the gun from firing.

Wi-Fi is off by default in the rifle. When the Wi-Fi is on, the gun’s network has a default password that allows anyone within Wi-Fi range to connect to it. [xvii]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS; LACK OF GRANULAR PERMISSION MODEL

Newly found Vulnerabilities

N/A

Impact

- Can change variables in the scope’s calculations that make the rifle inexplicably miss its target
- Hit the new maliciously configured target
- Permanently disable the scope’s computer, or even prevent the gun from firing
- Attacker can just lock out the user or erase the gun’s entire file system

Remedial Steps taken

Company pledges to develop a software update. Due to financial difficulties, there is no update on the patch as of yet.

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 18 | D-Link Wi-Fi camera | D-Link | $30 | 12/2/2015 | NA | Connected Homes |

Hacking Steps & Related Findings

1. Hackers physically accessed the D-Link camera.
2. Copied all the data from its flash memory chip in order to manipulate it.
3. Accessed the firmware and manipulated the firmware update file in it, which is used to perform verification and update of the firmware.
4. Added a backdoor connect-back Socket Secure proxy into the firmware file, which enables an attacker to remotely access the device functions by communicating with the backdoor proxy.
5. Using telnetd / busybox / netcat, we can bring back a telnet socket to an outside host to have remote persistence on the webcam.
6. With the webcam acting as a proxy, the attacker can now send control traffic into the network to advance his attack, and likewise use the webcam to siphon out stolen data.
7. All 16 vulnerable D-Link models contained a hardcoded password, "?*", that provides a back door to the devices, which would enable attackers to access their live RTSP video stream. RTSP is an application-level protocol for transferring real-time data.

a. Easily manipulable firmware due to lack of security features (OS command injection).
b. Allows unauthenticated execution of arbitrary commands from the administration web interface.
c. Use of hard-coded credentials for authentication with web interface.
d. Information leak through GET request. [xviii]

Vulnerabilities (Mapped to OWASP Top 10)

UPDATE NOT VERIFIED BEFORE UPLOAD; WEAK DEFAULT CREDENTIALS; REMOVAL OF STORAGE MEDIA

Newly found Vulnerabilities

AUTHENTICATION BY-PASS; OS COMMAND INJECTION

Impact

- Allows attackers to enter and steal information without detection.
- Using the hardcoded password vulnerability, attackers can access the live RTSP video stream remotely.
- Disables the administrator from installing future updates on firmware.

Remedial Steps taken

1. The company provided various fixes for several of the vulnerabilities.
2. But persisting, non-overlapping security issues keep emerging over time in D-Link cameras.

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 19 | Vivotek PT7135 camera | Vivotek | $179 | 3/6/2013 | 11/5/2013 | Connected Homes |

Hacking Steps & Related Findings

Attack 1 (due to GET request data leak): Vivotek cameras store wireless keys and third-party credentials in clear text, allowing a remote attacker to obtain sensitive information which might be valuable to perform further attacks.

Attack 2 (due to weak RTSP authentication): After setting up the camera with authentication set to basic, the camera's RTSP video stream can be accessed remotely without needing to enter any user credentials, just by sending a crafted URL to the camera.

1. Plaintext password storage: Sensitive information is stored in files accessible with the URL paths.
2. Remote buffer overflow: There's a buffer overrun in the RTSP service.
3. RTSP authentication bypass: A crafted URL sent to the Vivotek PT7135 camera provides unauthenticated access to the video stream.
4. User credential leaks: Firmware version 0300a on Vivotek cameras allows remote attackers to dump the camera's memory and extract user credentials.
5. Command injection: A binary file in the camera has a flaw allowing remote command injection. [xix]

Vulnerabilities (Mapped to OWASP Top 10)

UPDATE FILE NOT ENCRYPTED; POORLY PROTECTED CREDENTIALS; BUFFER OVERFLOW; CREDENTIALS EXPOSED IN NETWORK TRAFFIC

Newly found Vulnerabilities

AUTHENTICATION BY-PASS; OS COMMAND INJECTION

Impact

- Allows an unauthenticated remote attacker to bypass the RTSP basic authentication and access the video stream.
- Due to the GET request info leak, an attacker could access sensitive information, such as wireless keys and third-party credentials in clear text, and use this information to conduct further attacks.

Remedial Steps taken

Bug fixed; a new patch was released by the company to fix the vulnerabilities.

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 20 | Smart meters | Undisclosed | NA | 10/16/2014 | NA | Connected Homes |

Hacking Steps & Related Findings

Step 1. After accessing the meters, hackers found encryption keys in the firmware that are used to scramble all the information that the smart meter shares with communication "nodes" sitting higher in the power distribution system.
Step 2. Using the keys and the unique identifier associated with each meter, it became possible for the researchers to spoof messages being sent from the power-watching device to a utility company. [xx]
Step 3. Manipulate the information going out.

a. Usage of shared IDs to control accounts, poor protection against tampering and data formats that would be easy to fake.
b. The Spanish utility company uses AES-128 encryption to protect data, but this encryption algorithm is not hard to crack with a brute-force attack.

Vulnerabilities (Mapped to OWASP Top 10)

LACK OF GRANULAR PERMISSION MODEL; POORLY PROTECTED CREDENTIALS

Newly found Vulnerabilities

POOR PHYSICAL DESIGN

Impact

Compromised meters can be made to under-report energy use, or to get someone else to pay the bill by using their ID in messages sent back to the nodes that log usage. With more work it might be possible to find a way to seek out meters and cut off the power they are supplying.

Remedial Steps taken

The power utility company started the necessary evaluations to mitigate the risks and improve the security of the devices.

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 21 | Insteon Home Automation Controller Hub (2242-222) | Insteon | $117 | 7/26/2013 | NA | Connected Homes |


Hacking Steps & Related Findings

1. The version released in December 2012 (2422-222) does not have the ability to enable or require authentication for web service calls to the device.
2. An attacker could exploit this vulnerability by sending a direct HTTP GET request to the affected Hub, allowing unauthorized access to the Hub and obtaining the device's name, city, and time zone. [xxi]
3. Any network access to the hub allows full control over all connected devices. The default method of setup requires an externally accessible port to be forwarded to the device.
4. Anyone who can access the device can run amok in your house without the requirement of having proximity access to your home.

- The web interface does not require the user to set authentication or authorization to make requests to the Hub. (Lack of authentication, lacked default password authentication)
- Affected device fails to implement SSL/TLS to encrypt data, which may allow an attacker to sniff network traffic to obtain sensitive information, such as authentication credentials.

Vulnerabilities (Mapped to OWASP Top 10)

POORLY IMPLEMENTED SSL/TLS

Newly found Vulnerabilities

AUTHENTICATION BY-PASS

Impact

Implement stronger authentication methods for such connected devices. For existing devices that already have this vulnerability, implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.

Remedial Steps taken

The vendor has not confirmed the vulnerability and software updates are not available.

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 22 | My Satis Smart Toilet | Lixil | $4000 | 8/15/2013 | NA | Connected Homes |

Hacking Steps & Related Findings

As such, any person using the "My Satis" application can control any Satis toilet, provided that the toilet is in pairing mode (pairing is easy since the default code is 0000). If the toilet is not in pairing mode, it is still possible to pair with the toilet by observing Bluetooth traffic to learn the toilet's hardware address and pair with the toilet. An attacker can cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. The LIXIL Satis Smart Toilet has a static Bluetooth PIN of “0000” hard-coded into the controlling Android application. This opens up control over the toilet to anyone who has the freely available “My Satis” Android application. [xxii]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS

Newly found Vulnerabilities

N/A


Impact

Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to the user.

Remedial Steps taken

No patch or fix released so far by company

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 23 | WeMo “Light Switch” | Belkin | $50 | 10/24/2013 | 2/8/2014 | Connected Homes |

Hacking Steps & Related Findings

Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware update.

1. Use of Hard-coded Cryptographic Key.
2. Download of Code Without Integrity Check. Belkin Wemo Home Automation devices do not have a local certificate store to verify the integrity of SSL connections.
3. Cleartext Transmission of Sensitive Information.
4. Unintended Proxy or Intermediary ('Confused Deputy'). Belkin Wemo Home Automation devices use STUN & TURN protocols. An attacker with control of one Wemo device may be able to use the STUN & TURN protocols to relay connections to any other Wemo device.
5. Improper Restriction of XML External Entity Reference ('XXE'). The Belkin Wemo Home Automation API server contains an XML injection vulnerability. The peerAddresses API can be attacked through XML injection, which may reveal the contents of system files. [xxiii]

Vulnerabilities (Mapped to OWASP Top 10)

UNENCRYPTED SERVICES VIA THE INTERNET; POORLY IMPLEMENTED SSL/TLS; UPDATE NOT VERIFIED BEFORE UPLOAD; FIRMWARE CONTAINS SENSITIVE INFORMATION

Newly found Vulnerabilities

XML INJECTION

Impact

A remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device, for the 500,000 users who are connected through the WeMo switch.

Remedial Steps taken

1) An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.
2) An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack.
3) An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that contains the most recent firmware update.


| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 24 | Chamberlain MyQ Garage | Chamberlain | $130 | 12/1/2014 | 1/1/2015 | Connected Homes |

Hacking Steps & Related Findings

Reverse engineered the devices to decode the communication between mobile applications and devices, which uses unencrypted UDP. By conducting a MITM attack, attackers manipulated the commands reaching the device from the app. [xxiv]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS; EXPLOITABLE UDP SERVICES; MOBILE INTERFACE: CREDENTIALS EXPOSED IN NETWORK TRAFFIC

Newly found Vulnerabilities

REVERSE ENGINEERING AND CODE MODIFICATION

Impact

Vulnerabilities would provide an attacker with the ability to view the current state of the garage door: open, closed, or in motion. It would also allow the attacker to open or close the door and add rules to notify an email address or mobile application (via a push message) when the door is open or closed. MyQ Garage uses unencrypted UDP for communication. An attacker with access to the service’s network traffic can gain information about the state of the doors belonging to all MyQ Garage users as well as corresponding IP addresses. The attacker can also modify and view history for every user of the MyQ Garage.

Remedial Steps taken

Representatives from Chamberlain stated that they’ve addressed some or all of the vulnerabilities pointed out in Veracode's report.

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 25 | Comcast XFINITY Home Security System | Comcast | Monthly Plan $29 per month | 9/28/2015 | NA | Connected Homes |

Hacking Steps & Related Findings

1. Commodity radio jamming equipment and software-based deauthentication attacks on the ZigBee protocol itself.
2. By causing a failure condition in the 2.4 GHz radio frequency band, the security system does not fail closed with an assumption that an attack is underway.
3. The system fails open, and the security system continues to report that "All sensors are intact and all doors are closed". [xxv]

Vulnerabilities (Mapped to OWASP Top 10)

N/A

Newly found Vulnerabilities

LACK OF SECURED RE-AUTHENTICATION; FAIL SECURELY


Impact

A physically proximate attacker capable of disrupting wireless communications can avoid triggering Home Security system alarm events.

Remedial Steps taken

Comcast is working with Rapid7 to find the mitigation steps.
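The fail-open behaviour recorded in this entry, set beside a fail-secure alternative, as an added Python example that is not from the study or from Comcast. The sensor names, the 30-second supervision window and the event format are assumptions made for illustration.

```python
"""Sensor supervision for an alarm hub: fail-open vs fail-secure.

Constructed example. Sensor names, the 30 s supervision window and the
event tuples are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    CLOSED = "closed"
    OPEN = "open"
    UNKNOWN = "unknown"   # no trustworthy reading: link lost or never seen


SUPERVISION_WINDOW = 30.0  # assumed: seconds a sensor may stay silent


@dataclass
class Sensor:
    name: str
    last_state: Status = Status.UNKNOWN
    last_seen: float = float("-inf")


@dataclass
class Hub:
    armed: bool = True
    sensors: dict = field(default_factory=dict)

    def on_report(self, name, state, now):
        """Record an authenticated sensor report (heartbeat or state change)."""
        s = self.sensors.setdefault(name, Sensor(name))
        s.last_state, s.last_seen = state, now

    def status_fail_open(self, name, now):
        """Weak behaviour: silence is ignored, the last known state is trusted."""
        return self.sensors[name].last_state

    def status_fail_secure(self, name, now):
        """Hardened behaviour: a silent sensor is UNKNOWN, never 'closed'."""
        s = self.sensors[name]
        if now - s.last_seen > SUPERVISION_WINDOW:
            return Status.UNKNOWN
        return s.last_state

    def alarms(self, now, fail_secure=True):
        """Return (sensor, reason) alarm events, sorted by name, while armed."""
        if not self.armed:
            return []
        check = self.status_fail_secure if fail_secure else self.status_fail_open
        events = []
        for name in sorted(self.sensors):
            st = check(name, now)
            if st is Status.OPEN:
                events.append((name, "opened"))
            elif st is Status.UNKNOWN:
                events.append((name, "supervision lost"))
        return events


def replay(fail_secure):
    """Replay a constructed timeline: sensors report, then the radio goes quiet."""
    hub = Hub()
    # t=0..20: both sensors check in as closed every 10 s.
    for t in (0.0, 10.0, 20.0):
        hub.on_report("front_door", Status.CLOSED, t)
        hub.on_report("window", Status.CLOSED, t)
    # t>20: no reports arrive (link disrupted). The door is physically opened
    # at t=45, but that report never reaches the hub.
    return {t: hub.alarms(t, fail_secure) for t in (25.0, 60.0)}


if __name__ == "__main__":
    print("fail-open  :", replay(False))
    print("fail-secure:", replay(True))
```

With the fail-open policy the hub stays silent through the whole outage; with the fail-secure policy both sensors raise a supervision alarm once they have been quiet for longer than the window.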

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 26 | PixStar Photo Frame | PixStar | $230 | 1/19/2016 | NA | Connected Homes |

Hacking Steps & Related Findings

1. All traffic and feeds (RSS) sent in cleartext over HTTP port 80
2. All actions sent to server in HTTP GET packet [xxvi]

Vulnerabilities (Mapped to OWASP Top 10)

CREDENTIALS EXPOSED IN NETWORK TRAFFIC

Newly found Vulnerabilities

N/A

Impact

Sensitive information such as the user’s e-mail, user activity and DNS queries is sent as cleartext.

Remedial Steps taken

N/A

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 27 | BMW Combox | BMW | $323 | 1/30/2015 | 1/31/2015 | Connected Cars |

Hacking Steps & Related Findings

The attack took advantage of a feature that allows drivers who have been locked out of their vehicles to request remote unlocking of their car from a BMW assistance line. Researchers were able to reverse engineer some of the software that BMW had used for their telematics. [xxvii]

Vulnerabilities (Mapped to OWASP Top 10)

UNENCRYPTED SERVICES VIA THE INTERNET; MISCONFIGURED SSL/TLS; COLLECTION OF UNNECESSARY PERSONAL INFORMATION

Newly found Vulnerabilities

N/A

Impact

Allows unauthorised attackers to open the vehicles. In Germany, 423,000 vehicles are affected; in Europe 1.2 million and worldwide 2.2 million. According to the manufacturer, vehicles with a production date of 9 December 2014 or later no longer have these vulnerabilities.

Remedial Steps taken

The fix adds HTTPS encryption to the connection from BMW to the car, which runs over the public cellular network. The added encryption will not only safeguard the content of the messages but also ensure that the car only accepts connections from a server with the correct security certificate.

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 28 | Samsung Gear Smart watch | Samsung | $115 | 10-Sep-15 | NA | Wearables |

Hacking Steps & Related Findings

An app that is disguised as a pedometer could collect data from emails, search queries and other confidential documents. To track the micro-motion of keystrokes, the app uses an accelerometer and gyroscope to detect what a wearer types on a keyboard. It is imaginable that hackers could construct a similar app and put it into iTunes and other libraries. [xxviii]

Vulnerabilities (Mapped to OWASP Top 10)

N/A

Newly found Vulnerabilities

NOT ABLE TO TURN OFF FEATURE; VULNERABLE API

Impact

Motion sensors on the watch could leak information about what you are typing.

Remedial Steps taken

N/A

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 29 | Tesla Model S | Tesla | $100,000 | 6-Aug-15 | NA | Connected Cars |

Hacking Steps & Related Findings

1a. A WebKit-based browser which, on the most recent vehicle we tested, is running version 534.34, which is several years old and has multiple known vulnerabilities
1b. Also able to connect to the USB port on the CID’s board and boot the device
1c. One of the memory cards contained a file, carkeys.tar, which included the car’s OpenVPN credentials, specifically an x509 certificate, an RSA private key, and an OpenVPN static key.
2. Insecure DNS Proxy
3. Insecure HTTP Service
4. Center information display (CID) and instrument cluster (IC) were running X11 without any form of access control
5. Information about where to download the car’s firmware from
6. Weak passwords found in Information Cluster (IC) [xxix]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS; UNENCRYPTED SERVICES VIA THE INTERNET; ACCESS TO SOFTWARE VIA USB PORTS; REMOVAL OF STORAGE MEDIA; COLLECTION OF UNNECESSARY PERSONAL INFORMATION; NO OBVIOUS UPDATE FUNCTIONALITY; LACK OF ROLE BASED ACCESS CONTROL; UPDATE FILE NOT ENCRYPTED

Newly found Vulnerabilities

N/A

Impact

Hackers can remotely cut its engine while someone else is driving. It allows them to dupe the speedometer and other readouts, or even turn off the car remotely once the implant is installed.

Remedial Steps taken

Tesla has the ability to quickly and remotely deliver software updates to its vehicles. Car owners only have to click “yes” when they see a prompt asking if they want to install the upgrade

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 30 | LIFX Light Bulb | Lifx | $68 | 7/4/2014 | NA | Connected Homes |

Hacking Steps & Related Findings

One bulb will automatically serve as the "master," communicating directly with your smartphone and then relaying all info to other "slave" bulbs. Context's team was able to hack their way in by posing as a new slave bulb and tricking the master bulb into sending them Wi-Fi credentials. [xxx]

Vulnerabilities (Mapped to OWASP Top 10)

N/A

Newly found Vulnerabilities

REVERSE ENGINEERING AND CODE MODIFICATION

Impact

Wi-Fi credentials leakage

Remedial Steps taken

A firmware update that claims to eliminate the problem had already been issued

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 31 | Chamberlain MyQ INTERNET Gateway | Chamberlain Group Inc. | $47 | 7/4/2015 | NA | Connected Homes |

Hacking Steps & Related Findings

Performed tests for the vulnerability to interception (man-in-the-middle). Used reverse-engineering techniques to investigate the security of the communication between the mobile applications and the devices. Monitored traffic to and from these services to assess the security of the devices themselves. [xxxi]

Vulnerabilities (Mapped to OWASP Top 10)

UNENCRYPTED SERVICES VIA THE INTERNET; LACK OF PASSWORD COMPLEXITY

Newly found Vulnerabilities

REVERSE ENGINEERING AND CODE MODIFICATION

Impact

Access to a user’s account would provide an attacker with the ability to view the current state of the paired companion products. An attacker with access to the service’s network traffic can gain information about the activity of the users.

Remedial Steps taken

N/A

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 32 | SmartThings Hub | Samsung | $100 | 12/02/2015 | 12/05/2015 | Connected Homes |

Hacking Steps & Related Findings

1. There is a designed "moment of insecurity" in the ZigBee HA 1.2 specification that uses a well-known symmetric encryption key known as the Trust Center Link Key to distribute a unique network key when a device first joins the network. This is a tradeoff that the ZigBee Alliance chose to make between security and simplicity, with a mitigated impact given that an attacker would have to be capturing ZigBee network traffic at the same time that a new device is being joined to the network.
2. Improper certificate verification: a vulnerable procedure called “insecure rejoin” (one other IoT breach had the same issue). Attackers forced the SmartThings hub to drop its connection to the connected sensors. During the rejoin, the attacker's device would pretend to have lost the key material needed to communicate with the SmartThings hub and send an unencrypted rejoin request to the gateway, or spoof a device on the network to send a false insecure rejoin request. This causes the hub to send out new keys, a process that should be protected. [xxxii]

Vulnerabilities (Mapped to OWASP Top 10)

UNENCRYPTED SERVICES VIA THE INTERNET

Newly found Vulnerabilities

LACK OF SECURED RE-AUTHENTICATION

Impact

Since the attacker's devices are connected through spoofed connections, in case of an actual home intrusion no alerts will be shown on the user's mobile app.


Remedial Steps taken

Samsung issued a statement that they are working to deliver an update as soon as possible. The problem was described as an issue with the ZigBee standard used by many companies across the industry, not specific to SmartThings.

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 33 | Ubi Voice controlled device | UCIC | $200 | 4/7/2015 | NA | Connected Homes |

Hacking Steps & Related Findings

1. Lack of enforced strong passwords.
2. Ubi did not enforce encryption for user connections, exposing them to possible man-in-the-middle (MitM) attacks.
3. For front end and back end, it didn't employ encryption for user connections, again increasing susceptibility to MitM attacks.
4. Ubi runs both an ADB and a VNC (remote desktop) service with no password. The exposed ADB interface can provide attackers with root access and can allow them to execute arbitrary code and commands on the devices. [xxxiii]

Vulnerabilities (Mapped to OWASP Top 10)

UNENCRYPTED SERVICES VIA THE INTERNET; LACK OF PASSWORD COMPLEXITY; POORLY PROTECTED CREDENTIALS

Newly found Vulnerabilities

N/A

Impact

1. Information gathered from an Ubi device could enable criminals to know when a user is home or not, based on ambient noise or light.
2. By exploiting vulnerabilities in the Ubi or Wink Relay devices, attackers could turn on their microphones and listen to conversations.

Remedial Steps taken

No response from company on security vulnerabilities.

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 34 | Wink Hub | Wink, Inc. | $100 | 4/7/2015 | NA | Connected Homes |

Hacking Steps & Related Findings

1. Vulnerable versions of Wink could be attacked through HTTP requests. The attacker would inject SQL commands to trick SQLite into creating a PHP script on the device. A subsequent request can then trigger execution of the PHP code with root permissions.
2. Gaining root shell access can be used as a pivot point to attack other computers on the home network or act as a zombie in a DDoS attack. [xxxiv]
3. Debugging interface left unsecured and exposed to full root access by hackers.
4. No enforced strong passwords.
5. Connections between the Hub and its back-end services are vulnerable to a man-in-the-middle attack due to lack of TLS certificate validation.


Vulnerabilities (Mapped to OWASP Top 10)

LACK OF PASSWORD COMPLEXITY; UNENCRYPTED SERVICES VIA THE INTERNET; POORLY IMPLEMENTED SSL/TLS; SQL-INJECTION; DOS VIA NETWORK DEVICE FUZZING

Newly found Vulnerabilities

REVERSE ENGINEERING AND CODE MODIFICATION

Impact

Through MitM attacks, attackers will be able to view and manipulate the state of all products and services paired with every Wink Relay.

Remedial Steps taken

Wink has issued patches and updates

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 35 | Wink Relay | Wink, Inc. | $200 | 4/7/2015 | NA | Connected Homes |

Hacking Steps & Related Findings

Exploits using open debugging interfaces that could allow remote attackers to run arbitrary code on the device itself, such as spyware; serious protocol weaknesses that allow passive observers to access sensitive data or control of the device; and lack of adherence to best practices to protect users' accounts against weak passwords and common password-guessing techniques. [xxxv]

Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS; LACK OF PASSWORD COMPLEXITY; UNENCRYPTED SERVICES VIA THE INTERNET

Newly found Vulnerabilities

REVERSE ENGINEERING AND CODE MODIFICATION

Impact

Through MitM attacks, attackers will be able to view and manipulate the state of all products and services paired with every Wink Relay.

Remedial Steps taken

Wink has issued patches and updates

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 36 | Fisher-Price Smart Toy | Mattel | $100 | 11/13/2015 | 1/19/2016 | Others |

Hacking Steps & Related Findings

Exploited using improper authentication handling: API calls were not appropriately verifying the "sender" of messages, allowing a would-be attacker to send requests that shouldn't be authorized under ideal operating conditions. [xxxvi]


Vulnerabilities (Mapped to OWASP Top 10)

WEAK DEFAULT CREDENTIALS; LACK OF TWO FACTOR AUTHENTICATION

Newly found Vulnerabilities

N/A

Impact

- Wide access to create, edit, or delete children's profiles on a customer's account. (Children's profiles contain names, birthdate, gender, language, and which toys they have played with.)
- Force the toy to perform actions that the child user didn't intend, interfering with normal operation of the device.

Remedial Steps taken

Update released by vendor

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 37 | HereO kids smart watch | Hereo | $180 | 10/24/2015 | 12/15/2015 | Wearables |

Hacking Steps & Related Findings

Used a pawn account and the target's user ID to invite and add an unauthorized connection to the target's account. Authorization bypass: web service (API) calls related to account invitations to a family's group were not adequately protected against manipulation. Through the use of a pawn account that an attacker controls, they are able to send a request for authorization into a family's group they are targeting and, by abusing an API vulnerability, allow their pawn account to accept that request on the targeted family's behalf. Finally, the attacker could add their account to any family's group, with minimal notification that anything has gone wrong. [xxxvii]

Vulnerabilities (Mapped to OWASP Top 10)

N/A

Newly found Vulnerabilities

VULNERABLE API; AUTHENTICATION BY-PASS

Impact

The attacker would have access to every family member's location and location history, and be allowed to abuse other platform features as desired.

Remedial Steps taken

Issue resolved as reported by the vendor by patching the servers. No firmware updates were required.
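The server-side check whose absence this entry describes, sketched as an added Python example; it is not the vendor's code or API. The data model, handler names and account names are hypothetical, and the flawed handler is shown only so the two behaviours can be compared on the same input.

```python
"""Server-side authorization for family-group join requests.

Constructed example: the data model, names and handler signatures are
assumptions, not the vendor's API.
"""
from dataclasses import dataclass, field
import secrets


class Forbidden(Exception):
    """Caller is authenticated but not allowed to perform the action."""


@dataclass
class Group:
    group_id: str
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)


@dataclass
class JoinRequest:
    request_id: str
    group_id: str
    requester: str
    state: str = "pending"   # pending -> accepted


class FamilyService:
    def __init__(self):
        self.groups = {}
        self.requests = {}
        self.audit = []       # (actor, action, request_id, outcome)

    def create_group(self, group_id, admin):
        self.groups[group_id] = Group(group_id, {admin}, {admin})

    def request_join(self, caller, group_id):
        rid = secrets.token_hex(8)
        self.requests[rid] = JoinRequest(rid, group_id, caller)
        return rid

    def accept_weak(self, caller, request_id):
        """Flawed handler: any authenticated caller may accept any request."""
        req = self.requests[request_id]
        req.state = "accepted"
        self.groups[req.group_id].members.add(req.requester)

    def accept(self, caller, request_id):
        """Hardened handler: only an admin of the target group may accept."""
        req = self.requests.get(request_id)
        if req is None or req.state != "pending":
            self._log(caller, "accept", request_id, "denied:not-pending")
            raise Forbidden("no such pending request")
        group = self.groups[req.group_id]
        # The decision is made from server-side state, keyed on the
        # authenticated caller, never on ids supplied in the request body.
        if caller not in group.admins or caller == req.requester:
            self._log(caller, "accept", request_id, "denied:not-admin")
            raise Forbidden("caller may not accept for this group")
        req.state = "accepted"
        group.members.add(req.requester)
        self._log(caller, "accept", request_id, "ok")

    def _log(self, actor, action, request_id, outcome):
        self.audit.append((actor, action, request_id, outcome))


def demo():
    """Run both handlers against the same constructed scenario."""
    weak, hard = FamilyService(), FamilyService()
    for svc in (weak, hard):
        svc.create_group("family-1", admin="parent")
    # Weak handler: the outsider's own acceptance is honoured.
    rid = weak.request_join("outsider", "family-1")
    weak.accept_weak("outsider", rid)
    # Hardened handler: the same call is refused and logged.
    rid = hard.request_join("outsider", "family-1")
    try:
        hard.accept("outsider", rid)
        refused = False
    except Forbidden:
        refused = True
    return ("outsider" in weak.groups["family-1"].members,
            refused,
            "outsider" in hard.groups["family-1"].members,
            hard.audit[-1][3])
```

The audit entries written on each refusal give the operator the notification that the entry says was missing.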

| S no | Product name | Brand | Cost of Product | Date of Hack | Date of Fix | Vertical |
|---|---|---|---|---|---|---|
| 38 | BAS (Building Automation Server) | IBM | NA | 2/13/2016 | NA | Connected Cities |


Hacking Steps & Related Findings

Pen testing using the following exploits and weaknesses:

1. Exposed administration ports
2. Bypassing the router login screen
3. Remote command execution on the router
4. Router password in clear text
5. Using the same password for both router and building controller
6. Remote command execution on the building controller
7. Ineffective encryption of central BAS server password
8. Using a wireless router for Internet access [xxxviii]

Vulnerabilities (Mapped to OWASP Top 10)

OPEN PORTS VIA UPNP
CREDENTIALS EXPOSED IN NETWORK TRAFFIC
LACK OF ROLE BASED ACCESS CONTROL
POORLY PROTECTED CREDENTIALS

Newly found Vulnerabilities

N/A

Impact

Exposed the building's major security controls

Remedial Steps taken

No data

S no: 39
Product name: Samsung TV
Brand: Samsung
Cost of Product: $600
Date of Hack: 8/1/2013
Date of Fix: 8/28/2013
Vertical: Connected Homes

Hacking Steps & Related Findings

1. The authentication packet needs only an IP address, a MAC address and a hostname for authentication, so the protocol is easy to break.
2. The communication protocol does not handle authentication with a NULL MAC address value, so any device with a NULL MAC address value can connect to the TV.
3. A hacker can install malware through the TV's APIs, such as File.Unzip or Skype. These can be used to copy files to any writable file system on the target and install a backdoor.
4. The TV doesn't check server certificates, so with fake certificates a hacker can easily mount a man-in-the-middle (MITM) attack and sniff the data. [xxxix]

Vulnerabilities (Mapped to OWASP Top 10)

UNENCRYPTED SERVICES VIA THE INTERNET
LACK OF TWO FACTOR AUTHENTICATION

Newly found Vulnerabilities

VULNERABLE API

Impact

Full access to the Smart TV's web browser; access to potentially sensitive data, remote files and information, and the drive image; and eventually root access to the device

Remedial Steps taken

Samsung quickly fixed the problem and issued updates for affected TVs

S no: 40
Product name: Nissan Leaf App
Brand: Nissan
Cost of Product: $30,000
Date of Hack: 2/24/2016
Date of Fix: 2/26/2016
Vertical: Connected Cars


Hacking Steps & Related Findings

Anyone who knows a Nissan Leaf's vehicle identification number (VIN) could use it to manipulate the Leaf app. The interface that controls communications between the outside world and the car doesn't authenticate users, so anyone with cursory knowledge of a VIN can access the vehicle via the Nissan Connect app and receive responses. VINs can often be viewed through the windshield. [xl]

Vulnerabilities (Mapped to OWASP Top 10)

LACK OF TWO FACTOR AUTHENTICATION

Newly found Vulnerabilities

N/A

Impact

Manipulate heating and air-conditioning functions and potentially drain the electric vehicle's battery; view location data from a vehicle's recent trips and obtain private information on a driver's whereabouts.

Remedial Steps taken

Nissan has disabled an app used by thousands of Leaf owners after researchers discovered cyber vulnerabilities


APPENDIX B: REFERENCES FOR APPENDIX A

[i] http://www.cnet.com/news/rings-smart-doorbell-can-leave-your-house-vulnerable-to-hacks/
https://www.techdirt.com/articles/20160112/11405333312/ding-dong-your-easily-hacked-smart-doorbell-just-gave-up-your-wifi-credentials.shtml
http://www.cnet.com/products/bot-home-automation-ring/
https://www.pentestpartners.com/blog/steal-your-wi-fi-key-from-your-doorbell-iot-wtf/
http://blog.ring.com/index.php/2016/01/13/100-of-active-ring-video-doorbells-keep-your-wi-fi-password-secure/

[ii] http://mashable.com/2016/01/20/nest-smart-thermostat-leak/#jhbPYLDr65q5
http://deceive.trapx.com/rs/trapxcompany/images/AOA_Report_TrapX_AnatomyOfAttack-InternetOfThings.pdf
https://www.dropbox.com/s/36nxibezelxrduk/FTC-PrivacyCon-2016.pdf
https://www.youtube.com/watch?v=-778aD_XVKI

[iii] http://www.itproportal.com/2016/01/19/researchers-hack-smart-tvs-allowing-access-to-entire-home-network/
https://blog.avast.com/2015/11/11/the-anatomy-of-an-iot-hack/

[iv] https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf
http://arstechnica.com/security/2015/09/9-baby-monitors-wide-open-to-hacks-that-expose-users-most-private-moments/
http://fusion.net/story/192189/internet-connected-baby-monitors-trivial-to-hack/

[v] http://www.forbes.com/sites/kashmirhill/2014/05/27/article-may-scare-you-away-from-internet-of-things/#3e4a022f23dd
http://www.computerworld.com/article/2878741/hacker-hijacks-wireless-foscam-baby-monitor-talks-and-freaks-out-nanny.html

[vi] http://www.trendnet.com/langen/press/view.asp?id=1959
http://www.theverge.com/2013/1/22/3902698/trendnet-security-camera-streams-mapped-out
http://ipvm.com/reports/trendnet-ip-camera-vulnerability-exposed
http://www.trendnet.com/langen/press/releases/view.asp?id=1960
http://www.securityinfowatch.com/news/10628411/trendnet-releases-firmware-upgrade-to-address-security-vulnerability-in-its-residential-security-cameras
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26422

[vii] http://www.cnet.com/news/fridge-caught-sending-spam-emails-in-botnet-attack/
http://www.huffingtonpost.com/2014/01/23/refrigerator-spam-email-internet-of-things-attack_n_4654566.html

[viii] http://www.networkworld.com/article/2976270/internet-of-things/smart-refrigerator-hack-exposes-gmail-login-credentials.html

[ix] http://wirthconsulting.org/2014/09/15/canon-pixma-printer-hacked-to-demonstrate-vulnerability-of-internet-of-things/
http://www.welivesecurity.com/2014/09/16/printer-security/
http://www.darkreading.com/vulnerabilities---threats/internet-of-things-devices-are-doomed/d/d-id/1315735

[x] http://www.cnet.com/news/samsungs-warning-our-smart-tvs-record-your-living-room-chatter/
https://www.pentestpartners.com/blog/is-your-samsung-tv-listening-to-you/
http://betanews.com/2015/02/19/samsung-lied-its-smart-tv-is-indeed-spying-on-you-and-it-is-doing-nothing-to-stop-that/
http://www.theguardian.com/technology/2015/feb/19/samsung-smart-tvs-send-unencrypted-voice-recognition-data-across-internet

[xi] https://www.youtube.com/watch?v=GDy9Nvcw4O4
http://www.theregister.co.uk/2015/10/19/bods_brew_ikettle_20_hack_plot_vulnerable_london_pots/

[xii] http://news.softpedia.com/news/Linux-Worm-Darlloz-Infects-over-31-000-Devices-in-Four-Months-433242.shtml

[xiii] http://jalopnik.com/chryslers-uconnect-vulnerable-to-remote-hacking-but-do-1719269327
https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/9493/
http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/
http://www.wired.com/2015/12/2015-the-year-the-internet-of-things-got-hacked/
http://media.fcanorthamerica.com/newsrelease.do;jsessionid=5CA5E939C014797474EB47E1AC9B9A4C?&id=16827&mid=1

[xiv] http://www.usnews.com/news/articles/2015/12/01/vtech-hack-shows-kids-at-risk-with-wifi-toys
http://www.bbc.com/news/technology-34944140
http://gizmodo.com/oh-no-hello-barbie-might-have-exposed-information-abou-1746284254
http://motherboard.vice.com/read/how-vtechs-app-failed-miserably-to-protect-the-data-of-kids-and-parents

[xv] https://vimeopro.com/s42012/s4x15-week/video/118408316
http://www.networkworld.com/article/2871485/microsoft-subnet/hackers-could-exploit-security-holes-in-progressive-insurance-snapshot-devices.html
http://securityaffairs.co/wordpress/32485/hacking/car-hacking-via-progressive-dongle.html
http://www.csoonline.com/article/2872678/internet-of-things/insecure-snapshot-dongle-puts-2-million-cars-at-risk.html
https://community.metromile.com/metromile/topics/metromile-pulse-obd-ii-device-security
http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/#1415864b7c9f
http://www.autoblog.com/2015/01/21/2-million-progressive-snapshot-customers-may-be-at-risk-for-car/

[xvi] http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
http://www.wired.com/2015/04/drug-pumps-security-flaw-lets-hackers-raise-dose-limits/
http://breakthroughs.kera.org/smart-medical-devices-call-for-smarter-cyber-security/
https://securityledger.com/2015/04/drug-pumps-vulnerable-to-trivial-hacks-dhs-warns/
https://xs-sniper.com/blog/2015/06/08/hospira-plum-a-infusion-pump-vulnerabilities/
http://www.fiercemedicaldevices.com/story/hospira-execs-called-shameful-denying-cybersecurity-risks-posed-their-infus/2015-06-11

[xvii] http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/
http://www.valuewalk.com/2015/07/wifi-sniper-rifle-changes-targets-after-hack/

[xviii] https://www.fishnetsecurity.com/6labs/blog/password-disclosure-d-link-surveillance-cameras-cve-2012-4046
http://www.securityweek.com/iot-devices-easily-hacked-be-backdoors-experiment
http://www.infoworld.com/article/2613730/intrusion-detection/d-link-firmware-flaws-could-allow-ip-video-stream-spying.html
http://www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities
http://www.darkreading.com/vulnerabilities-and-threats/d-link-camera-security-flaw-upgrade-now/d/d-id/1109756?


[xix] https://tools.cisco.com/security/center/viewAlert.x?alertId=31638
http://www.coresecurity.com/advisories/vivotek-ip-cameras-multiple-vulnerabilities
http://www.coresecurity.com/advisories/vivotek-ip-cameras-rtsp-authentication-bypass
http://www.darkreading.com/vulnerabilities-and-threats/d-link-camera-security-flaw-upgrade-now/d/d-id/1109756?

[xx] http://www.bbc.com/news/technology-29643276
http://securityaffairs.co/wordpress/29353/security/smart-meters-hacking.html

[xxi] http://www.securityfocus.com/bid/61580/discuss
https://tools.cisco.com/security/center/viewAlert.x?alertId=33393
https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf
https://packetstormsecurity.com/files/122658/INSTEON-Hub-2242-222-Lack-Of-Authentication.html

[xxii] http://www.forbes.com/sites/kashmirhill/2013/08/15/heres-what-it-looks-like-when-a-smart-toilet-gets-hacked-video/#578d56e92b15
https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2013-020/?fid=3872
http://www.bbc.com/news/technology-23575249

[xxiii] http://www.networkworld.com/article/2226371/microsoft-subnet/500-000-belkin-wemo-users-could-be-hacked--cert-issues-advisory.html
http://hackaday.com/2013/01/31/turning-the-belkin-wemo-into-a-deathtrap/
http://www.kb.cert.org/vuls/id/656302
http://hackaday.com/2015/11/17/belkin-wemo-teardown/
http://www.networkworld.com/article/2226374/microsoft-subnet/belkin-fixes-wemo-security-holes--updates-firmware-and-app.html

[xxiv] http://www.techhive.com/article/2906664/many-connected-home-devices-lack-robust-security-features-security-firm-claims.html
https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
http://abc7chicago.com/technology/home-hackers-digital-invaders-a-threat-to-your-house/515520/

[xxv] https://community.rapid7.com/community/infosec/blog/2016/01/05/r7-2015-23-comcast-xfinity-home-security-system-insecure-fail-open

[xxvi] https://www.dropbox.com/s/36nxibezelxrduk/FTC-PrivacyCon-2016.pdf

[xxvii] http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html
https://www.adac.de/infotestrat/adac-im-einsatz/motorwelt/bmw-luecke.aspx?ComponentId=227555&SourcePageId=6729

[xxviii] http://www.techworm.net/2015/09/smartwatches-vulnerable-to-hacking-says-researchers.html

[xxix] http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/
https://blog.lookout.com/blog/2015/08/07/hacking-a-tesla/


[xxx] http://www.contextis.com/resources/blog/hacking-internet-connected-light-bulbs/

[xxxi] https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
http://www.forbes.com/sites/thomasbrewster/2016/02/17/samsung-smartthings-vulnerabilities/#54567ec94e59
https://community.smartthings.com/t/security-of-smartthings-ecosystem/30827
http://bsidesvienna.at/slides/2015/zigbee_smart_homes_a_hackers_open_house.pdf

[xxxii] https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
http://www.pcworld.com/article/2906952/researchers-show-that-iot-devices-are-not-designed-with-security-in-mind.html
http://www.cnet.com/news/security-study-highlights-vulnerabilities-in-popular-smart-home-devices/

[xxxiii] https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
http://www.pcworld.com/article/2906952/researchers-show-that-iot-devices-are-not-designed-with-security-in-mind.html
http://www.cnet.com/news/security-study-highlights-vulnerabilities-in-popular-smart-home-devices/

[xxxiv] https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
http://www.networkworld.com/article/2952718/microsoft-subnet/security-holes-in-the-3-most-popular-smart-home-hubs-and-honeywell-tuxedo-touch.html
http://www.theregister.co.uk/2015/07/23/home_hub_insecurity_iot_stalking/

[xxxv] https://www.veracode.com/sites/default/files/Resources/Whitepapers/internet-of-things-whitepaper.pdf
http://www.networkworld.com/article/2906723/microsoft-subnet/attackers-can-stalk-or-rob-you-by-exploiting-iot-device-security-and-privacy-flaws.html
https://securityledger.com/2015/04/research-iot-hubs-expose-connected-homes-to-hackers/
http://www.networkworld.com/article/2952718/microsoft-subnet/security-holes-in-the-3-most-popular-smart-home-hubs-and-honeywell-tuxedo-touch.html
http://www.theregister.co.uk/2015/07/23/home_hub_insecurity_iot_stalking/

[xxxvi] http://www.eweek.com/security/fisher-price-smart-teddy-bear-latest-iot-toy-under-hacker-scrutiny.html
http://www.zdnet.com/article/two-newly-discovered-security-flaws-light-fire-under-internet-of-things-again/

[xxxvii] http://www.bbc.com/news/technology-35472884
https://community.rapid7.com/community/infosec/blog/2016/02/02/security-vulnerabilities-within-fisher-price-smart-toy-hereo-gps-platform
http://www.pcworld.com/article/3028763/security/flaws-in-smart-toy-back-end-servers-puts-kids-and-their-families-at-risk.html

[xxxviii] http://www.techrepublic.com/article/ibm-x-force-finds-multiple-iot-security-risks-in-smart-buildings/
http://public.dhe.ibm.com/common/ssi/ecm/wg/en/wgl03110usen/WGL03110USEN.PDF?


[xxxix] http://money.cnn.com/2013/08/01/technology/security/tv-hack/index.html?section=money_topstories&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+rss%2Fmoney_topstories+%28Top+Stories%29
http://mashable.com/2013/08/02/samsung-smart-tv-hack/#1qOEieho_gqx
https://www.facebook.com/l.php?u=https%3A%2F%2Fgithub.com%2FiSECPartners%2Fpublications%2Fblob%2Fmaster%2Fpresentations%2FiSEC-Hacking-A-SmartTV-Toorcon15.pdf&h=OAQHTOw9I&s=1

[xl] http://www.foxnews.com/leisure/2016/02/26/nissan-disables-leaf-app-due-to-hacking-concerns/?intcmp=hpff
http://www.autoblog.com/2016/02/24/nissan-leaf-app-cyber-vulnerability/