It is no secret that security mechanisms in IoT devices are far from perfectly implemented. The known categories of vulnerabilities in smart devices are well documented in the OWASP Top 10 IoT Vulnerabilities list from 2018. Compared with the previous version of the document from 2014, much has changed: some items disappeared entirely, others were updated, and new ones appeared.
To show how relevant this list is, we found examples of vulnerable IoT devices for each vulnerability type. Our goal is to demonstrate the risks that users of smart devices face every day.
Vulnerable devices can be of any kind, from children's toys and alarms to cars and refrigerators. Some devices appear on our list more than once. All of this points to the low level of security of IoT devices in general.
I1 Weak, Guessable, or Hardcoded Passwords
Device | CWE | Notes
---|---|---
Routers Netgear | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | DNS
Loxone Smart Home | CWE-261: Weak Encoding for Password |
AGFEO smart home ES 5xx/6xx | CWE-261: Weak Encoding for Password |
Industrial wireless access point Moxa AP | CWE-260: Password in Configuration File |
Heatmiser Thermostat | CWE-260: Password in Configuration File |
Digital video recorder Mvpower | CWE-521: Weak Password Requirements |
DBPOWER U818A WIFI quadcopter drone | CWE-276: Incorrect Default Permissions |
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password |
Vacuum Cleaner LG | CWE-287: Improper Authentication |
Eminent EM6220 Camera | CWE-312: Cleartext Storage of Sensitive Information | 123456
LIXIL Satis Toilet | CWE-259: Use of Hard-coded Password | Bluetooth
FUEL Drill | CWE-259: Use of Hard-coded Password |
Billion Router 7700NR4 | CWE-798: Use of Hard-coded Credentials |
Canon Printers | CWE-269: Improper Privilege Management & CWE-295: Improper Certificate Validation |
Parrot AR.Drone 2.0 | CWE-285: Improper Authorization |
Camera Amazon Ring | CWE-285: Improper Authorization |
I2 Insecure Network Services
Device | CWE | Notes
---|---|---
Smart Massager | CWE-284: Improper Access Control |
Implantable Cardiac Device | CWE-284: Improper Access Control |
Hikvision Wi-Fi IP Camera | CWE-284: Improper Access Control |
Foscam C1 Indoor HD Cameras | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
Toy Furby | CWE-284: Improper Access Control |
Toy My Friend Cayla | CWE-284: Improper Access Control |
iSmartAlarm | CWE-20: Improper Input Validation |
iSPY Camera Tank | CWE-284: Improper Access Control |
DblTek GoIP | CWE-598: Information Exposure Through Query Strings in GET Request |
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password |
Sony IPELA Engine IP Cameras | CWE-287: Improper Authentication | Mirai
iSmartAlarm | CWE-295: Improper Certificate Validation | SSL
Routers Dlink 850L | CWE-798: Use of Hard-coded Credentials |
Amazon's Ring Video Doorbell | CWE-419: Unprotected Primary Channel |
Cacagoo IP camera | CWE-287: Improper Authentication |
Trifo Ironpie M6 Vacuum cleaner | CWE-284: Improper Access Control |
I3 Insecure Ecosystem Interfaces
Device | CWE | Notes
---|---|---
Industrial wireless access point Moxa AP | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
AXIS cameras | CWE-20: Improper Input Validation |
Belkin's smart home products | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') & CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Routers D-Link DIR-300 | CWE-352: Cross-Site Request Forgery (CSRF) |
AVTECH IP Camera, NVR, DVR | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CSRF
AGFEO smart home ES 5xx/6xx | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Loxone Smart Home | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Switch TP-Link TL-SG108E | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | XSS, JavaScript
Hanbanggaoke IP Camera | CWE-650: Trusting HTTP Permission Methods on the Server Side |
iSmartAlarm | CWE-287: Improper Authentication |
Western Digital My Cloud | CWE-287: Improper Authentication |
In-Flight Entertainment Systems | CWE-287: Improper Authentication |
Smart key KeyWe | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
I4 Lack of Secure Update Mechanism
Device | CWE | Notes
---|---|---
Devices by GeoVision | CWE-295: Improper Certificate Validation |
Canon Printers | CWE-295: Improper Certificate Validation |
Smart Nest Thermostat | CWE-940: Improper Verification of Source of a Communication Channel |
I5 Use of Insecure or Outdated Components
Device | CWE | Notes
---|---|---
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Light bulb | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
I6 Insufficient Privacy Protection
Device | CWE | Notes
---|---|---
Gator 2 smartwatch | CWE-359: Exposure of Private Information ('Privacy Violation') | IMEI, location (GPS/Wi-Fi)
Routers D-Link DIR-600 and DIR-300 | CWE-200: Information Exposure |
Samsung Smart TV | CWE-200: Information Exposure |
Home security camera | CWE-359: Exposure of Private Information ('Privacy Violation') |
Smart sex toys We-Vibe | CWE-359: Exposure of Private Information ('Privacy Violation') |
iBaby M6 baby monitor | CWE-359: Exposure of Private Information ('Privacy Violation') |
I7 Insecure Data Transfer and Storage
Device | CWE | Notes
---|---|---
Owlet Wi-Fi baby heart monitor | CWE-201: Information Exposure Through Sent Data |
Samsung fridge | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Google
Volkswagen car | CWE category: Cryptographic Issues |
HS-110 Smart Plug | CWE-201: Information Exposure Through Sent Data |
Loxone Smart Home | CWE-201: Information Exposure Through Sent Data |
Samsung Smart TV | CWE-200: Information Exposure |
Routers Dlink 850L | CWE-319: Cleartext Transmission of Sensitive Information |
Skateboards Boosted, Revo, E-Go | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') |
LIFX smart LED light bulbs | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
Stuffed toys | CWE-521: Weak Password Requirements |
IoT Smart Deadbolt | CWE-922: Insecure Storage of Sensitive Information |
Router ASUS | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
I8 Lack of Device Management
Device | CWE | Notes
---|---|---
TP-LINK IP Surveillance Camera | No matching CWE |
I9 Insecure Default Settings
Device | CWE | Notes
---|---|---
ikettle Smarter Coffee machines | CWE-15: External Control of System or Configuration Setting |
Parrot AR.Drone 2.0 | CWE-284: Improper Access Control |
HP Fax machine | CWE-276: Incorrect Default Permissions |
Smart speakers | CWE-1068: Inconsistency Between Implementation and Documented Design |
I10 Lack of Physical Hardening
Device | CWE | Notes
---|---|---
Baby monitors Mi-Cam | CWE-284: Improper Access Control |
TOTOLINK router | CWE-20: Improper Input Validation |
Router TP-Link | CWE-284: Improper Access Control | UART
Smart Nest Thermostat | CWE-284: Improper Access Control | USB, UART
Blink XT2 Sync Module | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Further resources on IoT device security referenced in the closing section: Safegadget, Exploitee, Awesome IoT Hacks.
[Closing discussion not recovered from the extracted text; it references OWASP and OpenWrt.]