An IoT device requires attention beyond the initial setup. A “set it and forget it” approach is risky. Technology keeps changing, product support is ephemeral, and hackers constantly find new security holes to take control of them.
The security experts’ long-repeated warnings about installing the latest firmware versions available for your IoT devices often fall on deaf ears. As long as the gadget behaves as expected, refreshing its software is rarely on the to-do list. A compromised system, though, does not always show signs you can easily see and interpret.
Cybercriminals mainly take control of insecure IoT devices to use for denial-of-service (DoS) attacks, leaving the owner unaware of the illegal use of the gadget. Sometimes, though a compromised connected system can directly affect the owners and their digital assets.
Network-attached storage (NAS) servers, for instance, can be attacked with ransomware to encrypt the files they hold. Recovering the data is often possible only by paying the crooks for a decryption key. The most recent attacks against NAS systems targeted QNAP products with old software or poorly protected access.
At least three pieces of malware (QSnatch, and ransomware strains Muhstik and eCh0raix), have been seen targeting QNAP systems that had weak passwords. Free decryptors are available for some variants of the file-encrypting threats, and QNAP recommends updating software on the device to avoid QSnatch attacks.
However, keeping your IoT updated is not always possible. The device may still have life in it after the manufacturer discontinues support. Vulnerabilities are often reported for products that have fallen out of the vendor’s grace. New software is no longer be available for them, so there is no hope of patching them.
An alert from the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. recommends users and administrators replace end-of-life (EoL) products. The advice comes after researchers found a remote command execution vulnerability in several D-Link routers that are no longer in the vendor’s support cycle.
D-Link routers are not the only example of vulnerable products that remain unpatched. The NCC Group recently disclosed two security flaws in Alcatel Flip 2 phones that would remain unaddressed because the products have been discontinued. While these devices represent a different era of mobile technology, companies still use them.
Upgrading to new devices that receive vendor support is recommended in such cases. Unfortunately, learning when an IoT gadget reaches EoL is not easy, especially for consumers who would have to check manually every once in a while. If replacing old gadgets is not feasible at the moment, at least find a way to not expose them on the internet.
Image credit: Alexas_Fotos