Light Dark
October 27, 2015 By Douglas Bonderud 3 min read

The Internet of Things (IoT) comes with inherent risk. Potential abounds — after all, always-connected devices offer big benefits for companies. But with each new device comes another endpoint and another inroad for determined attackers. According to SecurityWeek, the latest set of vulnerabilities stem from power quality measurement tools.

ICS-CERT noted that the products are used across multiple continents, and while some of the flaws have been remedied with a firmware update, others aren’t effectively fixed. Can companies power through these IoT problems, or is it time to flip the switch?

Hot and Cold Vulnerabilities

In March 2015, security firm Applied Risk discovered flaws in six power analyzers produced by Janitza Electronics: the UMG 508, 509, 511, 512, 604 and 605. When contacted, the firm was initially “hostile” and unwilling to discuss the results of any security testing but eventually changed its tune. As work progressed, however, Janitza stopped returning emails but eventually released a firmware update. The hot-and-cold attitude isn’t uncommon; vendors don’t like security problems stripped bare, even if they’re just one of many to experience similar issues. Many come on board to help mitigate IoT concerns but may back off once they feel problems are effectively contained.

When it comes to Janitza products specifically, three key flaws were identified: CVE-2015-3968, CVE-2015-3971 and CVE-2015-3972. The first deals with an undocumented default password used to access both an FTP service and Web interface. If attackers discovered the password, they could log in and then upload or download arbitrary files. CVE-2015-3971, meanwhile, allowed cybercriminals to exploit a remote debug interface on TCP Port 1239 to read and write files in addition to executing JASIC code, which, according to Applied Risk, let attackers “adjust system parameters, manipulate measurement values and change the function of the device.”

The final vulnerability demonstrates a problem with the power analyzers’ UMG Web interface: It has no default password. And while users can manually set a short PIN, there are no lockout mechanisms that prevent attackers from trying multiple character combinations until they crack it through brute force.

Tests were conducted using firmware version r4051, build 244. Janitza has now released r4061, build 269, but Applied Risk still recommended these devices be used only from behind a firewall using proper network segregation.

Watch the on-demand webinar to learn more about securing the internet of things

Welcome to the Party

Janitza’s devices have plenty of company in the arena of security risk. High-profile hacks on cars and medical devices have been conducted multiple times. Recently, Pen Test Partners found that it was possible to hack a new smart kettle on the market. Once compromised, attackers could gain access to Wi-Fi network keys and, in turn, everything on the network. Worst case? They could reroute network traffic and lock out all users. As noted by Dark Reading, more tech-focused devices, such as a common Belkin wireless repeater, are also hampered by multiple vulnerabilities.

What’s more, the lag time between diagnosis and remediation is often substantial: For Belkin it took eight months, while Janitza took seven to address its power analyzer problems. Bottom line? There’s an underlying issue with the IoT. While companies are eager to be first in their market niche to deliver always-connected devices, most build out security for these devices as if no such connection exists. They’re operating from a familiar, albeit outdated, model that requires physical links to enable Internet connection. The always-on nature of IoT devices, however, means they represent a persistent attack surface and must therefore be secured in the same way as critical network infrastructure.

Right now, companies are taking a page from “Fight Club: Rule No. 1 is to never talk about any IoT issues. A better idea is to blow the doors off old practices. Companies are dealing with common pain points, and in this case, sharing is the fastest, easiest way to improve IoT security.

 |  |  |  | 
Douglas Bonderud
Freelance Writer

More from

December 23, 2024

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature