A security researcher who disclosed flaws impacting 2 million IoT devices in April – and has yet to see a patch or even hear back from the manufacturers contacted – is sounding off on the dire state of IoT security.
More than 2 million connected security cameras, baby monitors and other IoT devices have serious vulnerabilities that have been publicly disclosed for more than two months – yet they are still without a patch or even any vendor response.
Security researcher Paul Marrapese, who disclosed the flaws in April and has yet to hear back from any impacted vendors, is urging consumers to throw the devices away. The flaws could enable an attacker to hijack the devices and spy on their owners – or pivot further into the network and carry out more malicious actions.
“I 100 percent suggest that people throw them out,” he told Threatpost in a podcast interview. “I really, I don’t think that there’s going to be any patch for this. The issues are very, very hard to fix, in part because, once a device is shipped with a serial number, you can’t really change that, you can’t really patch that, it’s a physical issue.”
Marrapese said that he sent an initial advisory to device vendors in January, and after coordinating with CERT eventually disclosed the flaws in April due to their severity. However, even in the months after disclosure he has yet to receive any responses from any impacted vendors despite multiple attempts at contact. The incident points to a dire outlook when it comes to security, vendor responsibility, and the IoT market in general, he told Threatpost.
“I wish I was more optimistic about it truly,” he said. “Security, I mean, it’s an industry wide issue, where a lot of companies don’t really know how to properly threat model and how to properly test their products or how to properly architect these things … But even if that’s the case, what’s more troubling is when the vulnerabilities are inevitably discovered, there’s no response. I’ve heard from a lot of other researchers, basically the exact same story that I went through where an issue was discovered, and they tried to reach out to them and just got absolute radio silence or total denial.”