Recently the US House of Representatives passed the “Internet of Things Cyber Security Improvement Bill” (September 14, 2020), which sets security standards for IoT devices connected to the federal network and in China the Ministry of Industry and Information Technology has announced the promotion of the overall development of the mobile IoT especially in the field of NB-IoT, 4G and 5G. Globally the requirements for vulnerability management for IoT devices are in full swing.
Recently the home IoT market is booming. IoT devices are produced only in Northeast Asia such as China, Taiwan, and Korea. Due to the cost factors, it is often designed without considering security in IoT products. Generally IoT devices have different Operating Systems and applications in comparison with those existing PCs. Hence the vulnerability management is seriously needed.
What is the vulnerability of IoT devices?
The infringement accidents targeting IoT devices are mainly caused by poor management, such as using default accounts or passwords that are easy to guess, or “vulnerabilities of the device itself”.
IoT device’s vulnerabilities are sometimes created by manufacturers for the convenience of management and service support, such as backdoors, when released with accounts or settings created for developer’s convenience with the zero security consideration.
What are the problems caused by the failure to manage vulnerabilities?
IoT devices having poor and unmanaged security are exposed to their system access by the account information acquired from the Internet. This information is mainly used as a hacker's attacking tool.
IoT hacking is frequently aimed at individuals' privacy rather than corporates, or public institutions. The biggest problem is that if the home network is hacked, the IoT device can be arbitrarily manipulated. The lighting control, gas valve operation, door opening, etc. can seriously affect the individuals’ safety. In particular, the personal devices with weak security need to be taken care of cautiously, as the relevant hacking damages can be extended to other devices, or users.
Reviewing the cases of IoT hacking up to now, the most of problems relate IP cameras, smart toys, and personal CCTVs. There have been many cases in which smart toys were abused for remote control via their built-in microphones and speakers and the personal information stored in servers were stolen. Especially IP cameras were the frequent infringement target, enabling the hacker’s theft of personal information and access to the web server remotely. This is extremely dangerous, since not to mention personal information, but the privacy can be infringed.
Until today there is no institute, or website providing the full vulnerability information found in IoT devices. There are approximately 200,000 cases known as CVEs to date. We see that the number of vulnerabilities related to IoT devices is 45,000 only. Among them, the number of vulnerabilities that can be identified online, such as service port vulnerabilities excluding offline vulnerabilities, is estimated to be 6,000 only. Norma has consistently compiled a fully accrued list of IoT vulnerabilities that have occurred worldwide since 2015 and is proud to have such enormous data base in relevant to IoT vulnerabilities.
What are the problems caused by the failure to manage vulnerabilities?
IoT devices having poor and unmanaged security are exposed to their system access by the account information acquired from the Internet. This information is mainly used as a hacker's attacking tool.
IoT hacking is frequently aimed at individuals' privacy rather than corporates, or public institutions. The biggest problem is that if the home network is hacked, the IoT device can be arbitrarily manipulated. The lighting control, gas valve operation, door opening, etc. can seriously affect the individuals’ safety. In particular, the personal devices with weak security need to be taken care of cautiously, as the relevant hacking damages can be extended to other devices, or users.
Reviewing the cases of IoT hacking up to now, the most of problems relate IP cameras, smart toys, and personal CCTVs. There have been many cases in which smart toys were abused for remote control via their built-in microphones and speakers and the personal information stored in servers were stolen. Especially IP cameras were the frequent infringement target, enabling the hacker’s theft of personal information and access to the web server remotely. This is extremely dangerous, since not to mention personal information, but the privacy can be infringed.
Until today there is no institute, or website providing the full vulnerability information found in IoT devices. There are approximately 200,000 cases known as CVEs to date. We see that the number of vulnerabilities related to IoT devices is 45,000 only. Among them, the number of vulnerabilities that can be identified online, such as service port vulnerabilities excluding offline vulnerabilities, is estimated to be 6,000 only. Norma has consistently compiled a fully accrued list of IoT vulnerabilities that have occurred worldwide since 2015 and is proud to have such enormous data base in relevant to IoT vulnerabilities.
