Swisscom, the leading telecommunications and technology provider in Switzerland, has been using IoT Inspector, the European market leader for IoT security analysis based in Bad Homburg, since 2015. The German company offers a web-interface-based solution that lets its customers examine their IoT equipment for hidden problems with just a few clicks. In this way the service provider saves its customer at least 350,000 euros on every rollout or update.
IoT Inspector: Security for millions of customers
Swisscom, with its approximately 20,000 employees and annual revenue of more than 10 billion euros, manages about two million IoT-enabled devices for other companies. In the process, the Group uses the IoT Inspector to check not only the firmware of each of these devices, but also each update and market launch, for possible vulnerabilities before implementation. Any gap in hotspots, repeaters and routers, no matter how small, would pose massive security risks for its customers. If such omissions were to become known, Swisscom's entire image could also suffer damage.
IoT Inspector: In search of years-old security vulnerabilities
Many users of IoT technology do not realize that even the newest devices can be based on deeply insecure software and hardware. Problems in basic systems that have been known for years are either not patched at all, patched inadequately, or patched in a way that creates even bigger problems. Original equipment manufacturers, also known as OEMs, use components from a variety of suppliers for just about every IT system. Their equipment is rarely checked continuously for vulnerabilities. Providers such as Cisco, DD-WRT or Linksys, for example, still integrate insecure components from Broadcom, although the problem in them has been known since 2011 and a security patch has long been available.
IoT vulnerabilities exploited in just days
The Realtek vulnerability shows what problematic consequences this can have. Only two days after a security hole in one of their systems became known, analysts already reported that this entry point had been built into a darknet bot network. This means that the products of 65 suppliers based on this Realtek chipset and hardware construction kit could be integrated into the criminal network in one fell swoop.
However, this case is just one in a sequence of similar incidents. In at least a dozen other incidents, similar vulnerabilities were exploited to spread malware. According to experts, the spammers are rarely able to build their own exploits for these vulnerabilities. But they usually only have to wait a few days for proof-of-concept (PoC) studies with prototypes from competitors, which they can then incorporate into their networks. The only hope that might remain for those affected is that the attackers do not yet know exactly how much damage they can cause with the discovered flaw, and where.
Supply chain check with the IoT Inspector
The developers of IoT Inspector have therefore been warning for some time that you should never blindly rely on the manufacturer’s specifications when purchasing and installing new hardware and software. You should always be aware that there may be unsolved problems hidden deep in the source code and hardware structures. These increasingly offer knowledgeable and experienced attackers gateways for manipulating settings, stealing data, or even blackmail and destruction. The analyses therefore call for the establishment of supply chain security among producers and suppliers of IoT solutions in the form of secure product circuits and regular in-depth