IoT Device Vulnerabilities

Kindus has previously discussed how IoT devices have become targets for hacker attacks. The 2023 Microsoft Digital Defense Report highlights further issues caused by outdated or unpatched IoT systems.

Microsoft’s data comes from its own Defender for IoT sensors software.  This works by uploading the firmware directly and then scanning and reporting on weaknesses detected.  It is a particular benefit to anyone creating their own IoT device software as the process often involves an established SDK and some of these are outdated and vulnerable; for example the drag and drop logic controller code builder CODESYS v3.  Using Defender for IoT is a wise precaution to take when deploying new software but it might not be possible to extract completely firmware from an existing device and then run Microsoft’s checks.  Of the firmware examples that have been tested by Microsoft 32% were found to be vulnerable to known hacker exploits but within systems that could be patched.  A further 46% were not only vulnerable but no longer supported and impossible to patch.  Patching IoT firmware can be a much more complex process than downloading and installing personal computer OS updates.  It may be possible to push updates across the network but in the worst case devices will need to be taken off-line and individually connected to another machine loading the patch.

Patching may be further limited by legal or industry needs for software to meet specific requirements such as SIL2 Safety Certification.  SIL is Safety Integrity Level, there are 4 levels from 1 to 4 with 4 being the most vigorous.  SIL2 is the standard used in the petrochemical and hazardous chemical sectors. It is a measure of the ability of the device not to fail dangerously (perhaps leading to a fire) or at least to control the consequences of any such failure.  If updated software is available but it cannot be proven that this meets industry regulations then its potential deployment will be limited.

An example of outdated software still in relatively widespread use is the Boa web server.  In November 2022 Microsoft discovered one million internet-exposed Boa web servers.  The purpose of a web server on an IoT device is to allow connection through a remote web browser with the relative convenience of a graphical interface for control and reporting.  The Boa code has not been updated since 2005; its vulnerabilities include the ability to access files outside the directories used by the web interface itself as well as the susceptibility to SQL injection attacks that are blocked by more advanced database servers.  There is no way to update the code issues within Boa.  If it cannot be replaced within firmware the only viable approach is to set complex Boa passwords and to change them regularly.

Even the practice of not connecting devices to any external network, air gapping, might not be enough to prevent their becoming compromised.  Such devices would still be susceptible to attacks through computers or removable storage devices used to update the network or from insider attacks.  This was the case with the Kudankulam Nuclear Power Plant attack (pictured at the head of this article) in India in 2019.  Here the attack was through a work computer infected with malware that had been connected to the ‘isolated’ network.

Organisations need to be aware of the software in use within their IoT systems.  Software components such as Boa may be unknowingly present as it is bundled within device operating systems.  Solutions can be run to search for systems such as Boa or for open ports although any systems administrator needs to research what to look for.  Software should be updated regularly.  Where hardware constraints mean that this is not possible every effort must be made to restrict access to the system.  The Kudankulam example is proof that a system should never be assumed to be hacker proof.



More from Security


eCommerce Shop Scams

Data from Security Research Labs has revealed a China based fake shopping network that they have named ‘BogusBazaar.’  They claim that: ‘As of April …

Read post


Lockbit Ransomware Takedown

In February 2024 the UK National Crime Agency released details of how the NCA and other international policing agencies had disrupted the actions of …

Read post


UK Cyber security breaches survey 2024

Lies, damned lies, and statistics (attributed to Disraeli) The UK Cyber Security Breaches Survey 2024 was published on 9th April 2024.  Not surprisingly it …

Read post


Digital Gift Card Issues

Both Apple and Google offer gift card services for use on their App stores.  Just as it states on the tin the card can …

Read post

Sign Up

Sign up to our newsletter list here.

    Successful sign up

    Thank you for signing up to our newsletter list.

    Check your inbox for all the latest information from Kindus