In a two-month analysis of Internet of Things device traffic that was picked up on its cloud service, network and Internet security company Zscaler identified various IoT connected devices that were exhibiting potentially dangerous behaviors. Many of these devices were using plain-text HTTP protocol for authentication or firmware updates, leaving them susceptible to sniffing and man-in-the-middle attacks, warned Zscaler in a research blog post.
"At a bare minimum, IoT devices should start using SSL (HTTPS) for communication with the parent site for authentication and software updates," said Deepen Desai, senior director of security research at Zscaler, in an email interview with SC Media. "These devices should also have an additional encryption layer. What's more, security should be integrated into software and hardware design. Right now, it's an afterthought for most IoT device vendors."
Although the massive Oct. 21 Mirai DDoS attack against DNS service provider Dyn occurred during the course of the study, which took place from Aug. 26 to Oct. 26, Zscaler concluded that the devices it observed were likely not recruited into the IoT botnet responsible for disabling multiple major websites. Nor did they appear to be used in the earlier Mirai botnet used to attack security researcher Brian Krebs' website in September.
Among the offenders that Zscaler highlighted were surveillance cameras from Flir, Foscam, Dahua Technology and Axis Communications. According to Zscaler, the Flir FX wireless HD monitoring camera was found communicating over plain-text HTTP with its corporate server, without authentication tokens. Meanwhile, the Foscam IP surveillance camera was observed leaking user credential information over HTTP in the URI (Uniform Resource Identifier), the Dahua DH Security Camera used weak default credentials and communicated over HTTP, and the remote management console for Axis Communications' cameras was using only basic HTTP-based authentication.
Zscaler also found problems with smart TVs and entertainment devices; printers; digital and network video recorders; and IP phones:
- The Haier Android TV smart TV product was found using outdated libraries which could be exploited to hijack the system.
- The VideoEdge NVR product from American Dynamics and D-Link's DNR-202L recording device both used weak default credentials and communicated over HTTP during the study.
- Both Panasonic KX-TGP500B04 and Yealink SIP-T46G IP phones were found relying on basic HTTP-based authentication. The Panasonic product was also observed downloading a root certificate via insecure HTTP.
- Fuji Xerox print monitors were observed connecting to maintenance logging modules without authentication.
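As an added example (not part of the article or of Zscaler's research), a small Python audit that flags the cleartext behaviours described above in captured HTTP request text: Basic Authorization headers, credentials in the URI query, and certificates fetched over HTTP. The sample requests, hostnames and the admin:admin credential are constructed placeholders; Digest authentication is reported separately because it keeps the password off the wire even though the session itself stays unencrypted.

```python
import base64
from urllib.parse import parse_qs, urlsplit
# Constructed plain-text HTTP requests modelled on the behaviours the article
# describes; hostnames, paths and the admin:admin credential are invented placeholders.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1\r\nHost: camera.example\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",
    "GET /login?user=admin&pwd=admin HTTP/1.1\r\nHost: cam2.example\r\n\r\n",
    "GET /provisioning/root.crt HTTP/1.1\r\nHost: phone.example\r\n\r\n",
    "GET /axis-cgi/param.cgi HTTP/1.1\r\nHost: cam3.example\r\n"
    'Authorization: Digest username="root", realm="AXIS"\r\n\r\n',
]

CRED_PARAMS = {"user", "username", "pwd", "pass", "password"}
CERT_EXTENSIONS = (".crt", ".cer", ".pem", ".der")

def inspect_request(raw):
    """Parse one cleartext HTTP request; return (host, [(issue, detail), ...])."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    target = request_line.split(" ", 2)[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64: anyone on the path recovers the credentials.
        decoded = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
        findings.append(("basic-auth-over-http", "username=" + decoded.partition(":")[0]))
    elif auth.lower().startswith("digest "):
        # Digest keeps the password off the wire, but the session is still unencrypted.
        findings.append(("digest-auth-over-http", "password not exposed; session in clear"))
    url = urlsplit(target)
    leaked = sorted(CRED_PARAMS & {k.lower() for k in parse_qs(url.query)})
    if leaked:
        findings.append(("credentials-in-uri", ",".join(leaked)))
    if url.path.lower().endswith(CERT_EXTENSIONS):
        findings.append(("certificate-over-http", url.path))
    return headers.get("host", "?"), findings

def audit(requests):
    # Group findings by Host header; hosts with no findings are omitted.
    report = {}
    for raw in requests:
        host, findings = inspect_request(raw)
        if findings:
            report.setdefault(host, []).extend(findings)
    return report
```

Run `audit(SAMPLE_REQUESTS)` to get a per-host dictionary of findings; in a real deployment the input would be request text exported from a network capture rather than the constructed list.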
Regarding this last bullet point, Zscaler later issued the following clarification: "We were informed by a Fuji Xerox authorized dealer at Fuji Xerox Business Center Toowoomba that the communication that we were seeing was unencrypted traffic being sent to a non-SSL-based management platform, and they have initiated [a] change request to move the service to an SSL platform so that the communication is secure. It is important to note that the maintenance/logging module is not a Fuji Xerox product and is not authorized by Fuji Xerox. Network printers are usually installed and set up in a way to make them reachable by most users on the internal networks. It is important to ensure that these printers are running the latest security patches by keeping the firmware up to date."
To address some of these security issues, Zscaler recommended in its blog post that IoT manufacturers automate security and firmware updates and require users to change default passwords upon installation. The company also urged IoT users to restrict external network access to their connected devices, change their default credentials, install devices on isolated or segregated networks, restrict devices' incoming and outgoing traffic, and update devices regularly.
A spokesperson for D-Link sent the following comment to SC Media in response to Zscaler's findings: "We are continuing to monitor D-Link's complete product portfolio to ensure that any vulnerabilities discovered are addressed. In the meantime, recommendations to help users secure their wireless network include always creating strong, advanced passwords on both the home router and all connected devices."
Tyco Security Products, the parent company of American Dynamics, also reacted to the report. Kristy Dunchak, director of product management, integration solutions & programs at Tyco, told SC Media that the issue raised in the Zscaler report is addressed by the Video Edge Security Audit page, which gives users visibility into the use of default passwords, the status of ports and protocols, and user security configurations such as password complexity, auto logout and account lockout.
"Tyco Security Products is committed to cybersecurity," said Dunchak. "We developed a holistic Cyber Protection Program, which combines best practices in secure product development, testing and evaluation, rapid response to potential vulnerabilities, and configuration guidelines for compliance."
In comments emailed to SC Media, Axis Communications disputed Zscaler's finding that the remote management console for its cameras uses basic HTTP-based authentication. "Axis cameras by default use HTTP/HTTP digest authentication. While HTTP digest authentication provides a minimal amount of additional protection, it does prevent the username and password from traversing the network as plain text," said Ryan Zatolokin, senior systems and solutions architect at Axis.
"Axis devices also prompt the user to change the password the first time the device is logged into. At this time, the option is also given to enable HTTPS," Zatolokin continued. "Cybersecurity is of the highest priority at Axis Communications and we work diligently to stay ahead of the latest threats."
SC Media has reached out to publicly listed media contacts for the various IoT manufacturers named in Zscaler's report, and will update the story upon receiving additional responses.
UPDATE NOV. 17, 2016: SC Media has updated the story numerous times to incorporate comments from D-Link, Tyco Security Products and Axis Communications.
UPDATE NOV. 23, 2016: D-Link contacted SC Media again to announce that it has released a DNR-202L firmware update (version 2.04) that addresses the reported issue.
UPDATE APRIL 11, 2017: SC Media has updated the story to include a clarification that Zscaler added pertaining to Fuji Xerox print monitors.