Most IoT equipment is vulnerable to hacking
Security experts urged IoT device manufacturers to do more to secure root-level access to connected equipment. According to Okta CEO Marc Rogers, the vast majority of IoT equipment in homes and offices is vulnerable to attacks that make it easy to take control of the devices and manipulate them for malicious purposes. Dark Reading reported on his findings.
Rogers said he was able to gain full root-level access, including the ability to reflash the device, on 10 of the 12 devices he tested. Most of them were fully compromised in less than five minutes. The products he tested included home routers, switches, access card readers, and other commonly installed network-connected devices.
The problem is that most of the sensitive information about a device, including certificates, keys, and communication protocols, is usually stored in poorly protected flash memory. Anyone with access to an IoT device and some basic knowledge of hardware hacking can easily access the firmware and search it for data, including vulnerabilities that can then be exploited to attack similar devices without requiring physical access.
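A vendor-side check for the flash-storage problem described above, as an added example that is not from Rogers's talk or the original article: it scans a firmware image for PEM-encoded keys and certificates stored in the clear and reports their offsets. The function names and the sample image are constructed for illustration; encrypted PEM blocks and raw DER keys are outside what it detects.

```python
import base64
import re

# PEM armor: BEGIN line, base64 body, END line with the same label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END \1-----"
)

def find_pem_material(image: bytes):
    """Return (offset, label, is_private, der_len) for each well-formed PEM block."""
    findings = []
    for m in PEM_RE.finditer(image):
        label = m.group(1).decode("ascii")
        body = b"".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error: bad padding or alphabet
            continue
        if not der.startswith(b"\x30"):  # keys and certs are DER SEQUENCEs
            continue
        findings.append((m.start(), label, "PRIVATE KEY" in label, len(der)))
    return findings

def release_gate(image: bytes):
    """Private-key findings only; a non-empty result should block the release."""
    return [f for f in find_pem_material(image) if f[2]]

def _pem(label: bytes, der: bytes) -> bytes:
    return (b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der)
            + b"-----END " + label + b"-----\n")

# Constructed sample image: filler, a bare marker string such as a crypto
# library carries (must not be reported), one certificate-shaped block and one
# key-shaped block. FAKE_DER is placeholder bytes, not real key material.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_IMAGE = (
    b"\xff" * 512
    + b"-----BEGIN RSA PRIVATE KEY-----\x00-----END RSA PRIVATE KEY-----\x00"
    + _pem(b"CERTIFICATE", FAKE_DER)
    + b"\x00" * 64
    + _pem(b"EC PRIVATE KEY", FAKE_DER)
    + b"\xff" * 128
)

if __name__ == "__main__":
    for offset, label, private, size in find_pem_material(SAMPLE_IMAGE):
        flag = "BLOCK RELEASE" if private else "review"
        print(f"0x{offset:06x}  {label:<16} {size} DER bytes  {flag}")
```

Requiring a decodable body that begins with a DER SEQUENCE tag keeps the scan from flagging the bare `-----BEGIN ...-----` strings that crypto libraries embed.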
In his speech, Rogers outlined several approaches available to hackers to extract confidential information and gain control over an IoT device. One of the easiest ways is to access the Universal Asynchronous Receiver/Transmitter (UART), which is used for diagnostic and debug reporting in all IoT products, among other things. An attacker can use the UART to gain root access to the shell of an IoT device, and then download the firmware and identify vulnerabilities.
Another, slightly more complex, way is through JTAG, a microcontroller-level interface that is used for a variety of purposes, including testing integrated circuits and programming flash memory. As with the UART, an attacker with JTAG access could alter the flash memory, access debugging tools, and extract other sensitive information about the device.