
IoT Devices with Unpatched Vulnerabilities Are a Growing Danger

Internet of Things Vulnerabilities

The Internet of Things is growing every day, and all kinds of "smart" consumer devices are connecting to the internet. But such technological progress brings risks: often, these devices expose vulnerabilities that attackers can exploit. These vulnerabilities can be found both in the operating systems of the IoT devices and in the applications they run.

It is imperative that, as the Internet of Things grows, awareness and visibility of known vulnerabilities grow as well.

IoT Devices Are Vulnerable

Recently, IoT vulnerability issues have been in the spotlight with the release of the WikiLeaks article "Vault 7: CIA Hacking Tools Revealed." The unprecedented scale of the hacking activities has drawn much attention since the article was published on March 7th.

According to WikiLeaks, the Center for Cyber Intelligence (CCI), the hacking arm of the CIA, had more than 5,000 registered users who collectively created more than a thousand hacking tools to hack various platforms and devices. WikiLeaks also revealed that the CCI used more lines of code than it takes to run Facebook.

On the victim list are several well-known technology companies, including Samsung, Google, Microsoft, and Cisco. IoT devices such as smart TVs, smartphones, and routers are the major targets of these hacks.

Even Apple iOS, widely recognized as the most secure mobile operating system, was compromised by this attack. The CIA's Mobile Development Branch reportedly had a dedicated team that specialized in developing zero-day exploits to infect Apple devices. In response, Apple pointed out that most of the identified vulnerabilities of iOS have been addressed in the latest patches.

This incident is yet another demonstration that in many cases, hackers are the first to discover system vulnerabilities — often before IoT device manufacturers or software vendors.

Even if the manufacturers are already aware of the vulnerabilities, as in the case of the Apple iOS vulnerabilities, end users often remain unaware of them and have not yet applied the patches.

According to a survey by SolarWinds based on data collected by its LOGICnow database, fewer than 80% of Windows operating systems were patched within the first seven days after the patch had been released. Keep in mind that this was a survey targeting commercial organizations. When it comes to smart device consumers, the device patching cycle could be much longer and the patching rate could be much lower.

Patching Vulnerabilities Is Essential

The importance of properly patching IoT and smart devices cannot be overstated, and such patching is not just necessary at the operating system level — application vulnerabilities are often neglected.

Many infamous exploit kits target web browsers, office productivity applications, Java, and other commonly used applications to implant malware.

While it's hard for an end user to keep all their devices and application patches up to date, it's even harder for an IT manager to keep dozens, or thousands, of IT devices fully patched and updated. With the growing popularity of BYOD (Bring Your Own Device), all kinds of smart devices with various vulnerabilities are swarming into the office environment, making IT administrators' jobs more challenging.

How to Identify and Patch Vulnerabilities

Vulnerability Patching

Before IT teams can address these vulnerabilities, the first step is to "see" them.

The OPSWAT Vulnerability Engine helps IT administrators quickly identify all known vulnerabilities in applications. The Vulnerability Engine can not only examine application code, but also do a deep analysis of binaries. It can assess vulnerabilities in an installer package even before the application is installed.

The OPSWAT Vulnerability Engine can support client device forensic assessment, portable media scanning, and web proxy protection.
