What IoT Devices from the Trash Reveal about Their Former Owners

Originally published on March 11, 2019 by Patrick Gebhardt
Last updated on March 29, 2022 • 4 minute read

Smart, networked devices such as app-controlled surveillance cameras and light bulbs can be hacked easily. With cheap IoT gadgets in particular, the password is often hardcoded in the firmware and cannot be changed. Here follows a short anecdote about the sheer insanity of IoT insecurity, followed by the top 10 vulnerabilities of IoT devices as defined by OWASP.

What should you do with old IoT devices that bore you, that no longer work, or that you don't use for any other reason? Throw them in the trash can, right? Wrong!

A detailed investigation by Limited Results has shown that IoT devices can still reveal sensitive data even after they have been thrown away. The hobbyists put several smart light bulbs into operation and then dismantled them: they removed the circuit boards and read out the flash memory on the boards. The result: almost the same security gaps were found in all of the lamps. In every case the stored data was completely unencrypted, and even the owner's WLAN password could be read out. One of the devices is even reported to have revealed an RSA private key. With this relatively simple procedure, at least the owner's WLAN is open to an attacker who grabs such a device from the trash can.

But do you need to be a specialist to extract useful information from these devices? Apparently not. The equipment tested was so poorly programmed and built that reasonably experienced people can get at the sensitive information with little effort - even though this problem has been known for years and has been exploited countless times in attacks.
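To make concrete what "reading out" a dumped flash image actually involves, here is an added triage script (not code from the original article or from Limited Results). It emulates the first pass an analyst makes over a raw dump: pull out printable strings the way `strings` does, grep them for credential-style key/value pairs, locate PEM private-key blocks, and map the entropy of the image so that unencrypted configuration sectors stand out from code, compressed data or erased flash. The sample image it runs on is constructed inline (seeded random filler, a fake config sector with a Wi-Fi SSID and PSK, a block of erased 0xFF flash and a PEM block whose body is meaningless filler, not a real key); the credential key names it searches for are an assumption and should be extended for the firmware under test.

```python
"""Triage a raw flash dump for plaintext Wi-Fi credentials and private keys.

Added example, not code from the original article or from Limited Results.
The dump built below is CONSTRUCTED: deterministic filler plus an embedded
config sector and a dummy PEM block. It is not a real bulb image, and the
PEM body is filler, not a real key.
"""
import math
import random
import re

STRING_MIN_LEN = 6
WINDOW = 256            # entropy window size in bytes
HIGH_ENTROPY = 6.0      # bits/byte: code, compressed or encrypted data
LOW_ENTROPY = 1.0       # bits/byte: padding or erased flash

# Assumption: credential key names vary by vendor; extend for the target.
# Matches key=value and "key":"value" forms, value terminated by NUL,
# newline, JSON/ini separators or end of data.
CRED_RE = re.compile(
    rb'(?i)\b(ssid|psk|passphrase|password|passwd|wpa_key|wifi_pass)\b'
    rb'"?\s*[=:]\s*"?([\x20-\x7e]{1,63}?)"?\s*(?:[\x00\r\n,;&}"]|$)'
)
PEM_RE = re.compile(
    rb'-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----',
    re.DOTALL,
)
PRINTABLE_RE = re.compile(rb'[\x20-\x7e]{%d,}' % STRING_MIN_LEN)


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for uniform padding, about 7.2 for 256 random bytes."""
    n = len(block)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_strings(dump: bytes) -> list[str]:
    """Equivalent of `strings -n 6`: every run of printable ASCII."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(dump)]


def find_credentials(dump: bytes) -> list[tuple[int, str, str]]:
    """(offset, key, value) for every credential-looking key/value pair."""
    return [(m.start(), m.group(1).decode("ascii").lower(), m.group(2).decode("ascii"))
            for m in CRED_RE.finditer(dump)]


def find_private_keys(dump: bytes) -> list[tuple[int, str, int]]:
    """(offset, PEM label, body length) for every PEM private-key block."""
    return [(m.start(), m.group(1).decode("ascii"), len(m.group(2)))
            for m in PEM_RE.finditer(dump)]


def entropy_profile(dump: bytes, window: int = WINDOW) -> tuple[int, int]:
    """Count (high, low) entropy windows. A sector that holds secrets but reads
    as low or medium entropy is stored in the clear, not encrypted."""
    ents = [shannon_entropy(dump[o:o + window]) for o in range(0, len(dump), window)]
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    return high, low


def triage(dump: bytes) -> dict:
    high, low = entropy_profile(dump)
    return {
        "strings": extract_strings(dump),
        "credentials": find_credentials(dump),
        "private_keys": find_private_keys(dump),
        "high_entropy_windows": high,
        "low_entropy_windows": low,
    }


def build_sample_dump() -> bytes:
    """CONSTRUCTED 5 KiB image: 2 KiB seeded random bytes (stand-in for code),
    a 256-byte config sector with Wi-Fi credentials in the clear, 512 bytes of
    erased flash (0xFF), a 256-byte sector holding a dummy PEM block, then
    another 2 KiB of random filler."""
    rng = random.Random(2019)
    code = bytes(rng.getrandbits(8) for _ in range(2048))
    config = (b'{"ssid":"HomeNet24","psk":"correct horse battery"}\x00'
              b'devname=bulb-kitchen\x00').ljust(256, b"\x00")
    erased = b"\xff" * 512
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           + b"MIIBOgIBAAJBA" + b"A" * 100 + b"=\n"   # dummy body, not a key
           + b"-----END RSA PRIVATE KEY-----\n").ljust(256, b"\x00")
    code2 = bytes(rng.getrandbits(8) for _ in range(2048))
    return code + config + erased + pem + code2


if __name__ == "__main__":
    report = triage(build_sample_dump())
    for off, key, value in report["credentials"]:
        print(f"0x{off:06x}  {key} = {value!r}")
    for off, label, n in report["private_keys"]:
        print(f"0x{off:06x}  {label} ({n}-byte body, in the clear)")
    print(f"{report['high_entropy_windows']} high / {report['low_entropy_windows']} low "
          f"entropy windows of {WINDOW} bytes")
```

On a real dump the same three checks are what `strings`, `grep` and `binwalk -E` give you; the point of the entropy map is that a config sector full of readable JSON next to 7-bit-per-byte firmware code is exactly the "stored completely unencrypted" finding described above. Real images frequently wrap the config in a filesystem (JFFS2, LittleFS, SPIFFS) or vendor TLV format, so the pair regex here is a starting point, not a parser.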

OWASP, the Open Web Application Security Project, compiled a list of the 10 greatest dangers posed by IoT devices and the networks built on them (the OWASP IoT Top 10, 2018 edition). The list is as follows:

  1. Weak, Guessable, or Hardcoded Passwords
  2. Insecure Network Services
  3. Insecure Ecosystem Interfaces
  4. Lack of Secure Update Mechanism
  5. Use of Insecure or Outdated Components
  6. Insufficient Privacy Protection
  7. Insecure Data Transfer and Storage
  8. Lack of Device Management
  9. Insecure Default Settings
  10. Lack of Physical Hardening

Once again, the danger of inadequate password protection on IoT devices becomes apparent. In September 2018, the US state of California passed a law (SB-327) regulating the security of networked devices. Since January 1, 2020, devices sold there may no longer ship with a shared default password: each device must carry a unique preprogrammed password, or require the user to set a new one before it can be accessed for the first time. Whether and when similar legal regulations will become the norm elsewhere is unclear.