IoT security is getting worse, not better: researchers

Manufacturers of network equipment may be claiming better security in their Internet of Things (IoT) devices, but those claims have been refuted during new testing of 13 small office/home office (SOHO) routers and networked-storage devices that identified 125 new vulnerabilities.

The work, conducted by security-testing firm Independent Security Evaluators (ISE) and documented in the SOHOpelessly Broken 2.0 report, updated a 2013 evaluation of IoT security that identified 52 new vulnerabilities.

The testers were eager to see how much better vendors’ IoT security had become in the intervening six years, and evaluated fully updated devices produced for both consumer and enterprise use by manufacturers including Buffalo, Synology, TerraMaster, Zyxel, Drobo, Asustor, Seagate, QNAP, Lenovo, ASUS, Netgear, TOTOLINK, and Xiaomi.

Evaluation of their security revealed a number of common weak spots, with all 13 tested devices having at least one web application vulnerability – including cross-site scripting, OS command injection, or SQL injection – in their out-of-the-box configuration.

Researchers were able to get root access on 12 of the devices and noted that six units can be “remotely exploited without authentication”.