Smart IoT devices are likely the weakest link in your network. Hackers can abuse something as seemingly benign as a network-connected thermostat to gain unauthorized access, install malware, or brick the devices.
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning about a newly discovered critical vulnerability in Network Thermostat X-Series WiFi thermostats, which are widely used in industrial and commercial environments in the US and Canada.
If such a thermostat is exposed to the internet, it’s a sitting duck for attackers. Even if it is protected under the firewall, hackers in the network can find a use for it.
“The embedded web server on the thermostat … contains a vulnerability that allows unauthenticated attackers, either on the local area network or from the internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.
The flaw, discovered by Souvik Kandar, a security researcher at MicroSec, has been assigned a severity rating of 9.8 out of 10. The researcher said that attackers can gain full admin access.
It’s not the first thermostat granting hackers complete remote control. Last year, Bitdefender warned about Bosch thermostats that enabled unauthenticated hackers to run arbitrary firmware and totally compromise the device.
And thermostats represent just one component in the rapidly growing pile of IoT devices.
Kandar also disclosed to CISA another severe remote code execution flaw affecting the LG Innotek camera model LNV5110R firmware. This end-of-life CCTV solution is also widely deployed in many companies.
A malicious actor can upload an HTTP POST request to the device's non-volatile storage, which would allow the actor to run arbitrary commands on the target device at the administrator privilege level.
Kandar sees even greater dangers in many networks
“Smart TVs are the weakest link in your home and office network,” yet another post from the same researcher claims.
It’s “shockingly easy” to hack a Smart TV using Android Debug Bridge (ADB) without any password or warnings, and smart TVs “are everywhere,” including boardrooms, hospitals, airports, control rooms, etc.
Hackers can abuse an open port for remote control and gain an entry point for larger attacks on other systems, and proof of concept is already on YouTube.
“So you bought a Smart TV – nice! You basically gave hackers VIP access to your living room. Thanks to open ADB ports, remote exploits, and zero security by default, many Smart TVs are easier to hack than your cousin’s Minecraft server,” Kandar, who already uncovered 21 Common Vulnerabilities and Exposures (CVEs), writes.
And many more highly exploitable IoT devices lurk deep inside enterprise and infrastructure premises, rarely updated, and trusted by default.
“Home users should closely monitor IoT devices and isolate them as completely as possible from the local network,” Bitdefender recommended.
All IoT device owners should check for firmware updates and patch the devices as soon as new versions are released.
Cybernews previously reported that Cyber pros avoid smart devices for a good reason – each new device provides additional attack vectors for attackers.
Minimize exposure
CISA recommends that vulnerable device users take defensive measures to minimize the risk of exploitation of the flaws.
“Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet,” CISA urges.
Companies should keep smart devices and their control systems behind firewalls and separate them from the main business network. If the remote access to them is really required, users should ensure they use secure methods, such as virtual private networks (VPNs).
VPNs themselves may have vulnerabilities and should be updated to the most current version available.
“Recognize that VPNs are only as secure as the connected devices,” CISA said.
No known public exploitation targeting the newly disclosed vulnerabilities has been reported to CISA at this time.
Your email address will not be published. Required fields are markedmarked