Understanding IoT Vulnerabilities: Climbing the Privilege Ladder Comes with Serious Risks

Bitdefender

October 23, 2017

You may think you are in full control of the connected devices on your home network, but this is not always the case. IoT gadgets come with multiple levels of access, each granting rights for specific actions. Hackers know that, after they breach a smart product, they may need a higher clearance to run their modifications. Moving towards a less restrictive position on the system is known as “privilege escalation.”

A smart door lock typically has more than one user, but not all of them have the same permissions. Someone with an administrator account can receive alerts when a valid code is entered to access the property. This person also has the power to revoke, disable or generate new access codes. Other accounts, by contrast, may be restricted to using the lock/unlock codes and checking the battery level of the device.

Privilege escalation vulnerabilities are security flaws that allow access to resources not normally permitted to the type of user attempting to examine or modify them. If hackers get control of an account with fewer rights, they can use this type of bug to run tasks as if they were the administrator, and potentially take over the device.
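As an added illustration (not code from the original post or from Bitdefender), the door-lock permission model described above is written out below as a small Python module. It places a method that never checks the caller's role beside its corrected form, to show that every privileged action needs its own server-side authorization check, regardless of which account type the caller claims to be. The account names, the six-digit code format and the method names are assumptions made for this example.

```python
"""Smart-lock authorization model (constructed example).

An action that skips the role check is a privilege escalation bug: a
restricted account can perform it as if it were the administrator.
"""
from dataclasses import dataclass, field
from enum import Enum
import secrets


class Role(Enum):
    ADMIN = "admin"   # may create/revoke codes, receives entry alerts
    USER = "user"     # may only use codes and read the battery level


class PermissionDenied(Exception):
    """Raised when an account attempts an action its role does not permit."""


@dataclass
class Account:
    name: str
    role: Role


def require_role(account: Account, role: Role) -> None:
    """Authorization check that must run on every privileged call."""
    if account.role is not role:
        raise PermissionDenied(
            f"{account.name} ({account.role.value}) is not {role.value}")


def _new_code() -> str:
    """Six-digit access code drawn from the OS CSPRNG (format is assumed)."""
    return f"{secrets.randbelow(10**6):06d}"


@dataclass
class SmartLock:
    codes: set = field(default_factory=set)
    battery_percent: int = 80
    locked: bool = True

    # Actions every account type is allowed to perform
    def unlock(self, account: Account, code: str) -> bool:
        if code not in self.codes:
            return False
        self.locked = False
        return True

    def battery_level(self, account: Account) -> int:
        return self.battery_percent

    # BUG: trusts the caller and never checks the role, so a restricted
    # user can mint a new code and gain administrator-level control.
    def generate_code_unchecked(self, account: Account) -> str:
        code = _new_code()
        self.codes.add(code)
        return code

    # FIXED: the role is verified before the sensitive action runs.
    def generate_code(self, account: Account) -> str:
        require_role(account, Role.ADMIN)
        code = _new_code()
        self.codes.add(code)
        return code

    def revoke_code(self, account: Account, code: str) -> None:
        require_role(account, Role.ADMIN)
        self.codes.discard(code)


def demo() -> dict:
    """Exercise both paths and report whether the restricted user escalated."""
    lock = SmartLock(codes={"123456"})       # constructed initial code
    admin = Account("Alice", Role.ADMIN)
    guest = Account("Bob", Role.USER)
    result = {}

    # Unchecked path: the guest creates a code and can use it straight away
    minted = lock.generate_code_unchecked(guest)
    result["unchecked_escalated"] = lock.unlock(guest, minted)

    # Checked path: the same request from the guest is refused
    try:
        lock.generate_code(guest)
        result["checked_escalated"] = True
    except PermissionDenied:
        result["checked_escalated"] = False

    # The administrator can still manage codes and clean up the minted one
    new_code = lock.generate_code(admin)
    lock.revoke_code(admin, minted)
    result["admin_code_works"] = lock.unlock(admin, new_code)
    result["minted_code_revoked"] = minted not in lock.codes
    return result


if __name__ == "__main__":
    print(demo())
```

The point to take from the two `generate_code` variants is that the role check lives next to the sensitive action, not at the login screen: an attacker who already holds a low-privilege account has passed login, so only per-action checks stop the climb up the privilege ladder.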

In less abstract terms, a hack followed by privilege escalation would be similar to Rob, the thief, getting past the security check at an office building. He could pose as a distracted employee who forgot his badge, or just slip in unnoticed. Inside the offices, the thief has the same permissions as any other employee in the room. He can use the water machine, or go to the kitchen and make himself a sandwich.

From there, Rob could try to get to more sensitive areas – even those with a “Do Not Enter” sign, as long as they are not locked or protected in a way he can’t subvert. Rob will then be able to roam that restricted space and potentially access corporate computers, changing documents and reports or stealing information.

Intruders could follow an analogous path on a connected device and obtain rights that would put them in charge of the system. In many cases, privilege escalation goes hand in hand with arbitrary code execution flaws, because hackers usually need more rights to run scripts or commands on the target.

Applying the latest patches to the IoT devices in the house is a good way to stay protected. If you want to know whether a connected gadget on the network has known vulnerabilities, Bitdefender Home Scanner can identify it and report its current security status. Bitdefender BOX, by contrast, protects in real time: the device analyzes network traffic as it flows and blocks communication to malicious addresses.
