7,339 Vulnerabilities Underneath the Christmas Tree

Dec 10, 2020

PRESS RELEASE
This year again, every German will spend an average of 280 euros on Christmas presents. Technical gadgets such as interactive toys, smart household appliances or networked consumer electronics will often be found underneath the Christmas tree. IoT Inspector has therefore examined popular items from well-known manufacturers (including those from the USA and Germany) and came to frightening results: each of these products has hundreds of vulnerabilities that, in the worst case, allow attackers access to the devices. The attackers are then able to access private networks, steal data, manipulate devices or integrate hijacked devices into their botnets.
IoT Inspector’s security experts examined a fictitious gift basket containing six products from renowned manufacturers. They found a total of over 7,000 vulnerabilities. In most cases, outdated software with known vulnerabilities was used, sometimes even in the latest firmware version. However, the investigation also identified previously unknown vulnerabilities, which were immediately reported to the manufacturers. In addition, the specialists discovered inadequately secured maintenance access that allows attackers to remotely control the device. In the worst-case scenario, this could allow the devices to spy on their owners or be used as a weapon for attacks on other targets.
“Unfortunately, we discovered that often not even basic security principles are met: for example, manufacturers sometimes use unencrypted transport routes for their firmware updates. Cyber criminals could easily redirect data traffic and inject malware into the devices,” explains Rainer M. Richter, Managing Director of IoT Inspector GmbH. “With some devices, the Wi-Fi password of the user is also stored in plain text. In conjunction with other vulnerabilities, the password can easily be read out and attackers could gain unauthorized network access. These are typical reasons why the vulnerabilities of IoT devices have become one of the main entry points for attackers.”
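As an added example that is not part of the press release and is not IoT Inspector's own analysis tooling (which the release does not describe), the script below runs three static checks over an extracted firmware root filesystem that map to the weaknesses named above: update scripts that fetch firmware over plain http://, Wi-Fi passphrases stored in clear text in wpa_supplicant.conf, and version banners of bundled components such as BusyBox or OpenSSL that should be looked up against known vulnerabilities. The sample filesystem, its hostnames and its version strings are constructed for the demonstration.

```python
"""Static checks over an extracted IoT firmware root filesystem.

Added example (not IoT Inspector's or ONEKEY's tooling). It flags three of
the weaknesses the release names: firmware update URLs fetched over plain
HTTP, Wi-Fi passphrases stored in clear text, and version banners of bundled
components that should be checked against known vulnerabilities. The sample
filesystem, hostnames and version strings below are constructed for the demo.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# Any http:// URL that looks like it points at a firmware image or updater.
HTTP_URL = re.compile(rb"http://[^\s\"'<>]+")
UPDATE_HINT = re.compile(rb"firmware|upgrade|update|\.bin|\.img", re.I)
# wpa_supplicant keeps a clear-text passphrase as psk="..."; a pre-hashed
# 64-hex PSK is written without quotes and is deliberately not matched.
WPA_PSK = re.compile(rb'psk\s*=\s*"([^"]*)"')
# Version banners that common IoT userland components embed in their binaries.
BANNERS = [
    ("BusyBox", re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)")),
    ("OpenSSL", re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")),
    ("Dropbear", re.compile(rb"Dropbear (?:sshd )?v?(\d{4}\.\d+)")),
]


@dataclass(frozen=True)
class Finding:
    kind: str    # cleartext-update-url | plaintext-wifi-psk | component-version
    path: str    # path relative to the rootfs
    detail: str  # never the secret itself


def scan_file(full: str, rel: str) -> List[Finding]:
    """Run all checks over one file, read as bytes so binaries work too."""
    with open(full, "rb") as f:
        data = f.read()
    out = []
    for m in HTTP_URL.finditer(data):
        url = m.group(0)
        if UPDATE_HINT.search(url):
            out.append(Finding("cleartext-update-url", rel, url.decode("ascii", "replace")))
    for m in WPA_PSK.finditer(data):
        # Report only the length: a scanner must not re-leak the credential.
        out.append(Finding("plaintext-wifi-psk", rel, "%d-char passphrase" % len(m.group(1))))
    for name, pat in BANNERS:
        m = pat.search(data)
        if m:
            out.append(Finding("component-version", rel, "%s %s" % (name, m.group(1).decode("ascii"))))
    return out


def scan_rootfs(root: str) -> List[Finding]:
    """Walk the extracted filesystem; symlinks are skipped so loops and
    links into /proc-style paths cannot derail the scan."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            findings.extend(scan_file(full, os.path.relpath(full, root)))
    return findings


def build_sample_rootfs() -> str:
    """Write a small constructed rootfs to a temp dir (demo input, not real firmware)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        "etc/wpa_supplicant.conf": b'network={\n    ssid="HomeWLAN"\n    psk="correcthorse"\n}\n',
        "usr/bin/update.sh": b"#!/bin/sh\nwget http://updates.example.com/fw/latest.bin -O /tmp/fw.bin\n",
        "usr/share/README": b"Manual: http://www.example.com/manual\n",  # plain link, not an update
        "bin/busybox": b"\x7fELF" + b"\x00" * 16 + b"BusyBox v1.22.1 (2014-03-10 12:00:00 UTC) multi-call binary\x00",
        "usr/lib/libssl.so.1.0.0": b"\x7fELF" + b"\x00" * 16 + b"OpenSSL 1.0.1e 11 Feb 2013\x00",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for fnd in scan_rootfs(build_sample_rootfs()):
        print("%-22s %-28s %s" % (fnd.kind, fnd.path, fnd.detail))
```

A cleartext update URL is only half of the problem the quote describes: whether the device also verifies a signature on the downloaded image decides if a redirected download turns into code execution, and that needs a reading of the updater or a dynamic test rather than a string scan. The version banners are likewise only the input to a lookup; the scan itself does not decide whether a component is vulnerable.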
Six random products, over 7,000 vulnerabilities: IoT Inspector identifies dangerous flaws in popular gifts like networked children’s toys, smart speakers or hobby drones. Not only no-brand goods are affected by vulnerabilities; even products from well-known manufacturers show blatant security gaps.
The following devices were examined:
The vulnerability shopping list
- Smart speaker with voice control from a well-known German manufacturer: 1,634 vulnerabilities
- Messenger for children, advertised as “safe”, from a worldwide leading provider of educational toys: 1,019 vulnerabilities
- Drone from one of the largest providers in this area: 1,250 vulnerabilities
- Smart home camera system from a US industry giant: 1,242 vulnerabilities
- Pet surveillance camera, often used as a baby cam: 643 vulnerabilities
- Streaming device for children, advertised with “highest data security”: 1,551 vulnerabilities
“,” says Richter. “.”
In principle, caution should be exercised with IoT devices, and a separate network segment should be set up for them. In addition, buyers should follow these tips:
What you can do
- Check if the manufacturer has a website. Many manufacturers who sell their products on the usual online marketplaces are dubious vendors without a website or contact options.
- Check if the manufacturer provides regular firmware updates (preferably automated).
- Change the password immediately if the device is delivered with a default password.
- Find out how much personal information and data you provide to a device. For which purpose does the device need this data, and where is it stored (only locally or also in the cloud)? Many devices work with face, voice or fingerprint recognition or take pictures and videos of your house, family and children. Ask yourself if a device really needs all this information.
- Be aware of the attack surface. For example, the range (and thus the attack surface) of Bluetooth connections is five to ten meters; with a Wi-Fi connection, it is up to a hundred meters. A device controlled online via an app can potentially be attacked from anywhere in the world.

About ONEKEY
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann
Senior Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
team@euromarcom.de