IoT Security Flaw Leaves 496 Million Devices Vulnerable At Businesses: Report
Nearly a half-billion Internet of Things devices are vulnerable to cyberattacks at businesses worldwide because of a 10-year-old security flaw, according to a new report from a security software vendor.
The report was published Friday by Armis, a provider of Internet of Things security software for enterprises that focuses on detecting threats in IoT devices at workplaces. The Palo Alto, Calif.-based company has previously made security disclosures, including the BlueBorne malware attack that impacted 5 billion IoT devices.
The web exploit in question is called DNS rebinding, an attack first disclosed at the RSA Conference in 2008 that allows an attacker to bypass a network firewall and use a victim's web browser to access other devices on the network. The attacker can gain access to the web browser through a malicious link enclosed within an email, banner ad or another source. This can leave devices susceptible to data exfiltration, compromise and hijacking, the latter of which could lead to a botnet attack similar to the Mirai malware that took down major websites in 2016.
Armis said the kinds of devices impacted are far broader than the findings in June from a group of university researchers and independent researcher Brannon Dorsey, both of whom focused on the impact of DNS rebinding on home IoT devices like Google Home and Sonos Wi-Fi Speakers, as well as Wi-Fi routers.
"New devices make old security exposures new again," said Michael Parker, Armis' vice president of marketing.
Dorsey, in his blog post, left open the possibility that more devices could be impacted beyond the ones he tested.
"If companies with such high profiles are failing to prevent against DNS rebinding attacks there must be countless other vendors that are as well," he wrote in June. Dorsey did not respond to a request for comment on Armis' report.
According to the Armis report, the impacted devices include 87 percent of switches, routers and access points; 78 percent of streaming media players and speakers; 77 percent of IP phones; 75 percent of IP cameras; 66 percent of printers; and 57 percent of smart TVs.
Combined, the total number of impacted devices comes out to 496 million devices, according to Armis, which said the estimate is conservative and was determined using a variety of publicly available market data sources.
CRN is reaching out to representative manufacturers of these devices for comment. Armis said it did not notify manufacturers because the DNS rebinding vulnerability for consumer IoT devices was disclosed in June and because of the large number of manufacturers impacted.
One of the defining characteristics of vulnerable devices is an unencrypted web server, according to Armis. These devices can also be vulnerable if they are set with the default password. In addition, these devices are agentless, meaning companies cannot install security software on them.
There have been no documented attacks on IoT devices using this exploit, according to Armis.
"This is something we want to get ahead of," Parker said.
Parker said companies have a few options to mitigate the impact of the DNS rebinding exploit. For starters, they can do some level of DNS filtering. They can also follow security best practices and do things like randomizing device passwords and taking inventory of all the devices in the workplace.
But Parker pointed to Armis' agentless IoT security platform as a bigger solution because of how it monitors devices for suspicious behavior on and off the network and how it integrates with Cisco, Palo Alto Networks and other networking vendors.
Another vendor that takes an agentless approach to IoT security is ForeScout Technologies.
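The DNS filtering mitigation mentioned above can be sketched as a resolver-side check that refuses answers mapping an Internet-facing name to an internal address. This is an added example, not code from Armis or any vendor named in the article; the zone `corp.example`, the function names and the sample records are constructed assumptions.

```python
import ipaddress

# Ranges an Internet-facing name should never resolve to.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10")]               # IPv6 equivalents
# Assumption: hypothetical internal zone allowed to map to LAN addresses.
LOCAL_ZONES = ("corp.example",)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot slip past the IPv4 ranges.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETS)

def in_local_zone(name, zones=LOCAL_ZONES):
    # Match on label boundaries so "evilcorp.example" is not treated as local.
    return any(name == z or name.endswith("." + z) for z in zones)

def filter_responses(responses):
    """responses: (qname, answer_ip) pairs in arrival order.
    Returns (qname, answer_ip, verdict) for each answer."""
    seen_public = set()   # names that have already resolved to an external address
    verdicts = []
    for qname, ip in responses:
        key = qname.rstrip(".").lower()
        if not is_internal(ip):
            seen_public.add(key)
            verdict = "allow"
        elif in_local_zone(key):
            verdict = "allow"
        elif key in seen_public:
            verdict = "block-rebind"    # external name flipped to an internal address
        else:
            verdict = "block-private"   # external name pointing inside from the start
        verdicts.append((qname, ip, verdict))
    return verdicts

# Constructed sample answers (documentation address ranges stand in for public hosts).
SAMPLE = [
    ("printer.corp.example.", "192.168.10.20"),
    ("ads.rebind.example.", "203.0.113.5"),
    ("ads.rebind.example.", "192.168.10.20"),
    ("cdn.other.example.", "::ffff:10.0.0.5"),
    ("www.site.example.", "198.51.100.9"),
]

if __name__ == "__main__":
    for row in filter_responses(SAMPLE):
        print(row)
```

A filter like this only protects clients that use the filtering resolver, so devices or browsers configured with another DNS server are not covered.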
Mark Jones, CEO of Black Lake Security, an Austin, Texas-based managed security services provider and ForeScout partner, told CRN he isn't surprised to hear that the DNS rebinding exploit is having a broader impact on IoT devices. He said he had been discussing the enterprise implications of the DNS rebinding exploit with his team.
"It's an easier way for attackers to gain access," he said.
Jones said connected devices in the workplace have remained an afterthought from a security perspective for many businesses, even as billions of new devices come online, which creates a new opening for attackers.
While IoT is a growing concern for many companies, few are taking any action, according to a May survey published by cybersecurity firm Pwnie Express.
One service Black Lake provides for customers is an IoT assessment that gives businesses a true look at all the connected devices on their network. Often, businesses are surprised to learn there are more than they ever realized.
"Every time their eyes are wide open, saying, 'I had no idea there were this many devices,'" Jones said. "It's a big eye-opener, and it's a big problem to solve."
To Jones, the proliferation of IoT devices, as well as the increasing popularity of remote work and personal devices in the workplace, shows that the old perimeter method of firewall security is "collapsing."
"When it comes to IoT, don’t just turn your head," Jones said. "A lot of bigger firms understand this, but for a lot of people this is still new."