International Cyber Expo International Cyber Expo
  • About Us
Wednesday, 8 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Threat Spotlight: IoT Application Vulnerabilities Leave IOT Devices Open To Attack.

by The Gurus
January 24, 2019
in Featured, The Internet of Things
Threat Spotlight: IoT Application Vulnerabilities Leave IOT Devices Open To Attack.
Share on FacebookShare on Twitter

IoT devices were popular gifts again this holiday season. An acronym for Internet of Things, IoT is more than a buzzword. The trend represents a huge shift in how products are made and used, as network connectivity is added to products that were not previously intended to have this functionality. So, your refrigerator that sends you a text message when you’re out of milk: IoT. Your thermostat that provides usage graphs on your phone: yep, IoT. Basically, any consumer device capable of connecting to a network other than a computer, phone, tablet, or router is considered an IoT device.

Security has been a big concern with IoT devices, though. Although improvements have been made, new types of vulnerabilities remain. For example, the Barracuda Labs teams recently used an IoT security camera to help illustrate a new threat: IoT credential compromise, which uses web and mobile application vulnerabilities to compromise IoT devices.

IoT securityHighlighted Threat:

IoT credential compromise — Attackers can use vulnerabilities in the web applications and mobile applications used by certain IoT devices to acquire credentials, which can then be used to view the video feed, set/receive/delete alarms, remove saved video clips from cloud storage, and read account information. Attackers can also use the credentials to push their own firmware update to the device, changing its functionality and using the compromised device to attack other devices on the same network.
The Details:

To illustrate this threat, the Barracuda Labs team recently conducted research on a connected security camera and identified multiple vulnerabilities in the camera’s web app and mobile app ecosystem:

Mobile app ignores server certificate validity
Cross-site scripting (XSS) in the web app
File traversal in a cloud server
User controls device update link
Device updates are not signed
Device ignores server certificate validity

Using these vulnerabilities, the team was able to perform the following attacks to acquire credentials and compromise an IoT device, all without a direct connection to the device itself.

Acquiring credentials from the mobile app

If an attacker can intercept traffic to the mobile app by using a compromised or hostile network, they can easily acquire the user password. Here’s how it works:

The victim connects to a compromised/hostile network with a mobile phone.
The connected camera app will try to connect to the vendor’s servers over https.
The hostile/compromised network will route the connection to the attacker’s server, which will use its own SSL certificate and proxy the communication to the
vendor’s server.
The attacker’s server now holds an unsalted, MD5 hash of the user password.
The attacker can also tamper the communication between the vendor’s server and the app.

Acquiring credentials from the web app

This type of attack relies on functionality that allows users to share device access to the connected camera with other users. To share a device, the receiver needs to have a valid account with the IoT vendor, and the sender needs to know the receiver’s username, which happens to be an email address.

The attacker will embed an XSS exploit in a device name and then share that device with the victim.
Once the victim logs into his account using the web app, the XSS exploit will execute and share the access token (which is stored as a variable on the web app)
with the attacker.
With that access token, the attacker can access the victim’s account and all its registered devices.

Through this research, the Barracuda Labs team managed to compromise an IoT device (connected camera) without any direct connection to the device itself. This makes life easier for attackers. No more scanning on Shodan for vulnerable devices. Instead, the attack will be performed against the vendor’s infrastructure. It’s a threat that could affect other types of IoT devices as well, regardless of their function, because it takes advantage of the way the device communicates with the cloud.

After all, bugs are not inherent to products, rather to processes, skills, and awareness of the developers. As access and access controls for IoT devices shifted to cloud services, so did the vulnerabilities, making possible the types of attacks uncovered by the Barracuda Labs team.

Lessons for IoT manufacturers

Vendors creating IoT solutions need to protect all aspects of the applications used to run those devices. IoT devices are sensors distributed in homes, schools, and offices, and they’re potential entry points for attackers. Each customer’s network is an opening to the server core and to other customers.

A web application firewall, one of the most critical protections IoT vendors need to put in place, is designed to protect servers from HTTP traffic at layer 7. Manufacturers also need to ramp up protection against network layer attacks and phishing.

Cloud security is also important, providing visibility, protection, and remediation of IoT applications and the infrastructures they run on. The potential for lateral-movement exposure is large and complex, so taking proper security precautions is key.

How to protect yourself as a consumer

When buying an IoT device, consumers need to think about security, in addition to convenience and, price. Here are a few tips to consider:

Research the device manufacturer — A few companies that produce IoT devices understand software security. Most are either existing companies whose expertise lies in making the physical products that are being connected or startups trying to bring devices to market as quickly as possible. In both cases, proper software and network security measures are often overlooked.
Look for existing vulnerabilities in a vendor’s other devices — If one device has a vulnerability, it’s likely other devices with similar features from the same company are also vulnerable. Ultimately, a vendor that has a history of secure devices will likely build secure devices going forward.
Evaluate responses to past vulnerabilities — If a vendor is responsive to people reporting a vulnerability and quickly resolves it with firmware update, it bodes well for their outlook on security and future products they make.

Unfortunately, the amount of information available about the security posture of IoT devices is astonishingly low. Ideally, we need to get a world where IoT products are all scored with a safety rating, just like cars. Consumers should be informed before they invest in IoT devices.

ShareTweet
Previous Post

CrowdStrike Recognized As The Highest-Ranking Vendor In The January 2019 Gartner Peer Insights Customers’ Choice For Endpoint Detection And Response Solutions.

Next Post

Ransomware attacks on cloud infrastructure exposed.

Recent News

Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

July 8, 2026
Kirsty Fowler, WorkNest Secure

Next Gen Spotlights: Building a More Resilient Future – Q&A with WorkNest Secure

July 8, 2026
Mike Winston on Why Jet.AI Shifted From Aviation to AI Infrastructure

Mike Winston on Why Jet.AI Shifted From Aviation to AI Infrastructure

July 7, 2026
George Murnane’s One-Question Test for Real AI

George Murnane’s One-Question Test for Real AI

July 7, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol