It has been reported that critical vulnerabilities have been discovered in Telestar Digital GmbH Internet of Things (IoT) radio devices that permit attackers to remotely hijack them. Today, Vulnerability-Lab researcher Benjamin Kunz disclosed the firm’s findings, for which two CVEs have been assigned: CVE-2019-13473 and CVE-2019-13474.
The pattern behind these disclosures is reminiscent of the template used by the original Mirai botnet: an open Telnet port with weak security is used to perform external actions on the device, including port forwarding. IoT security is a critical element in which the creators of these products need to invest. The principle of least privilege should apply to all internet-facing devices and involves:
no open ports unless absolutely required and documented
no weak passwords
all external accesses, including remote update models, documented
commitment to security updates aligned to the user expectation for the device lifespan
While the last item isn’t truly part of the principle of least privilege, it does give consumers a level of confidence that the vendor takes security seriously enough to invest in it.
Interestingly, the use of weak default passwords seen here will no longer be legal under California law from January 1, 2020. Enacted in 2018, Title 1.81.26, section 1798.91.04 of the California Civil Code states that connected devices must implement reasonable security measures ‘designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure’ and specifically requires that devices either have a unique password per device or have an out-of-the-box experience that requires users to set their own passwords.
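The least-privilege checklist above and the two credential options the California statute allows can be expressed as a small piece of device firmware logic. The following is an added example, not code from Telestar or Vulnerability-Lab; the class, function names and the documented-service set are assumptions. It provisions a unique per-device factory password, refuses to open any remote service (Telnet is deliberately not on the documented list) until the owner has replaced that password, and rejects weak replacements.

```python
import hmac
import secrets
import string

# Constructed example of a first-boot credential policy (assumed names).
MIN_LEN = 12
COMMON = {"password", "admin", "12345678", "telnet", "123456789012"}
# Only services that are documented may ever be exposed; Telnet is absent.
DOCUMENTED_SERVICES = {"https-admin"}


def provision_device_password(length: int = 16) -> str:
    """Manufacturing step: a unique per-device password from a CSPRNG.
    Do not derive it from the serial number or MAC address; those are
    printed on the box or visible on the network, so they are guessable."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_weak(password: str) -> bool:
    """Minimal policy: reject short passwords and a denylist of common ones."""
    return len(password) < MIN_LEN or password.lower() in COMMON


class Device:
    """Minimal device state: no remote listener until the factory
    credential has been replaced by the owner."""

    def __init__(self, factory_password: str):
        self._password = factory_password
        self.password_changed = False
        self.open_services: set[str] = set()

    def login(self, password: str) -> bool:
        # Constant-time comparison avoids leaking the password via timing.
        return hmac.compare_digest(self._password.encode(), password.encode())

    def set_password(self, current: str, new: str) -> bool:
        """Owner-initiated change; the only path that unlocks remote access."""
        if not self.login(current) or is_weak(new) or new == current:
            return False
        self._password = new
        self.password_changed = True
        return True

    def enable_remote_service(self, name: str) -> bool:
        """Least privilege: documented services only, and only after the
        factory credential is gone."""
        if not self.password_changed or name not in DOCUMENTED_SERVICES:
            return False
        self.open_services.add(name)
        return True
```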