Internet security researchers say they have identified software weaknesses that put millions of smart devices at risk for attacks, or hacking.
The security weaknesses, also known as vulnerabilities, could be used by hackers to attack business or home computer networks.
The report, by cybersecurity company Forescout Technologies, says the affected devices were built by an estimated 150 manufacturers.
Many devices are designed for personal use and include the ability to control home cameras and temperature controls from a distance, the report said. Companies use similar devices in security systems, heating and cooling equipment, printers and servers.
There is no evidence that any attacks have already been carried out on the vulnerable devices. But the risks pointed out in the report led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory warning.
In the advisory, CISA suggests that defensive measures should be taken to lessen the risks of hacking. Specifically, the agency said industrial control systems should not be accessible from the internet and should be separated from company networks.
Awais Rashid is a computer scientist at Britain’s Bristol University who examined the report’s findings. He told The Associated Press that in the worst case, control systems that drive “critical services” - such as water, power and self-operating building equipment - could be damaged.
Rashid said the discovery shows the dangers cybersecurity experts often find in internet-linked devices designed without much attention to security. Careless programming by developers appears to be the main issue in this case, he added.
Dealing with the problem is especially complex because the vulnerabilities are found in so-called open-source software. Open-source means the software is free to use and that the program that was first created can be changed by anyone.
In this case, the issue relates to internet software that runs communications through a technology called TCP/IP. This technology uses a set of rules that control the connection of computer systems to the internet.
Elisa Costante is vice president of research for Forescout. She told the AP the fact that open-source software is not owned by anyone makes the problem difficult to solve. In addition, some of the vulnerable TCP/IP methods used are twenty years old.
This means it is up to device manufacturers to fix the vulnerabilities themselves and some may not have the time or money to do so, Costante said.
The vulnerabilities could leave business networks open to destructive denial-of-service attacks. Computer systems could also be infected with ransomware or other tools that permit attackers to take over devices.
Experts say the risks are even higher now with so many people working from home during the coronavirus pandemic. This could permit attackers to hack into home networks and use this as a pathway into company networks.
[December 12, 2020]