NETGEAR and cybersecurity firm Bitdefender have released a report detailing cybersecurity threats that could impact connected devices and smart home systems, with smart TVs, networking devices, surveillance systems and smart plugs making up the most vulnerable device types.
The report, the 2024 IoT Security Landscape Report, is the culmination of an investigation of about 50 million IoT devices generating more than 9.1 billion security events around the world to uncover vulnerabilities and attack scenarios in smart home systems.
There are 21 connected devices per household globally, and home network devices see an average of 10 attacks every day, the companies claim. The majority of incidents are botnets, in which attackers compromise devices and use them to send traffic to overwhelm systems in what is known as a DDOS (distributed denial-of-service) attack.
The report looks at the most frequently seen vulnerabilities and the most popular vulnerable devices. According to the study, the most popular devices are smart TVs or streaming devices, mobile phones, computers, gaming consoles and other devices such as light switches, bulbs and more.
Going further, the highest number of cybersecurity vulnerabilities among smart home systems were in fact discovered in smart TVs at 34%.
Lightapalooza took place in late February, and the growth of the event has mirrored the rapid ascension lighting fixtures and controls.
“Vulnerabilities in TVs are quite common, largely due to their extended lifespan and the tendency for manufacturers to discontinue support while the devices are still in use,” the report notes.
Surprisingly, smart plugs were next at 18%, followed by DVRs at 13%, routers at 12%, set-top boxes at 5%, and others such as NAS, home automation systems, extenders, media players and cameras making up the remainder.
NETGEAR and Bitdefender, which offers cybersecurity solutions designed for smart homes, also look at the total number of vulnerabilities by device count, with smart TVs again first at 31%, likely due to their immense popularity.
Routers have the second most known vulnerabilities at 24%, followed by IP cameras at 12%, DVRs at 7%, smart plugs and home automation at 6% each, and others making up the remainder.
According to the report, smart plugs and digital video recorders have substantial vulnerability counts relative to their respective device populations.
Despite being seemingly innocuous, smart plugs apparently have significant security weaknesses, and vulnerabilities in DVRs raise concerns about the security of video surveillance systems in both residential and commercial settings.
“These findings emphasize the need for manufacturers to prioritize security in the design and production of such devices, as they play integral roles in modern connected environments,” researchers write in the report.
The report notes that more sophisticated devices like smart TVs and DVRs may have higher vulnerability counts simply because they have more features, suggesting that the more features and functionalities a device has, the greater the potential for it to be a target.
Devices categorized under “home automation,” meanwhile, may have fewer vulnerabilities compared to others due to standardized security protocols and certifications in the home automation industry, the report says.
The report also looks at the types of cybersecurity vulnerabilities and attacks for each smart home device group, with denial-of-service attacks most commonly associated with smart TVs, (36.7%), smart plugs (22.2%), routers (13.4%), and set-top boxes (6.9%). Along with buffer overflow, denial of service vulnerabilities account for over half of all vulnerabilities and essentially lead to service disruptions.
TVs tend to have a higher percentage of overflow bugs compared to other devices, suggesting weaknesses in memory management or input validation mechanisms, the report notes.
Some vulnerabilities are more severe, such as overflow and privilege escalation, which are the second-most prevalent types across most device categories. These security bugs essentially allow attackers to execute arbitrary code or gain unauthorized access to device resources. While less common, these pose significant risks due to the potential to allow attackers to fully compromise devices.
The report also mentions memory corruption vulnerabilities that exploit weaknesses in memory management systems and contribute toward arbitrary code execution attacks.
Although changing default passwords and practicing other good password security habits are important, the overwhelming majority of exploitation attempts against IoT devices rely on vulnerabilities listed in the Common Vulnerabilities and Exposure system, which is maintained by the U.S.-funded MITRE Corporation.
In fact, 99.3% of all IoT attacks were exploitations of CVEs. Even more alarming is the severity of those vulnerabilities, as 68% of them are rated a 10, which is the most severe rating given by MITRE.
NETGEAR and Bitdefender anticipate increased regulatory focus on IoT security standards. In fact, the U.S. government is in the process of setting up the Cyber Trust Mark system, a voluntary labeling program that certifies the security of consumer IoT devices.
The tech companies also predict a growing emphasis on supply chain security for IoT devices due to the IoT ecosystem becoming increasingly reliant on third-party components and services.
Smart home manufacturers and vendors are also expected to increase their cybersecurity practices to maintain customer trust, the report says.
In the meantime, custom home integrators and their customers should follow several baseline cybersecurity practices to secure smart home systems:
Keep a list of IoT devices on the network and keep them updated as soon as an update is available. If they are out of support, replace them with newer models.
Isolate all smart devices to a separate network.
Use networking equipment or gateways with built-in security.
Use a smart home scanner to probe the home network for vulnerable devices.
Avoid exposing LAN devices to the internet unless necessary.
The post 2024 Lighting Controls and Fixtures Report appeared first on CEPRO.