Telnet Backdoor Vulnerabilities Impact Over A Million IoT Radio Devices

It has been reported that that critical vulnerabilities have been discovered in Telestar Digital GmbH Internet of Things (IoT) radio devices that permit attackers to remotely hijack systems. Today, Vulnerability-Lab researcher Benjamin Kunz disclosed the firm’s findings, of which two CVEs have been assigned, CVE-2019-13473 and CVE-2019-13474.


EXPERTS COMMENTS
Tim Mackey, Principal Security Strategist,  Synopsys CyRC
September 10, 2019
oT security is a critical element in which creators of these products need to invest.
The pattern behind these disclosures is reminiscent of how the template used in the original Mirai botnet attack was designed, using an open Telnet port with weak security to perform external actions, including port forwarding. IoT security is a critical element in which creators of these products need to invest. The principle of least privilege should apply to all internet-facing devices and involves: no open ports unless absolutely required and documented no weak passwords all external accesses, including remote update models, documented commitment to security updates aligned to the user expectation for the device lifespan While the latter element isn’t truly part of a principle of least privilege, it does provide consumers with a level of confidence that the vendor takes security seriously enough to invest in it. Interestingly, the use of weak default passwords as we see here will no longer be legal under California law starting January 1, 2020. Enacted in 2018, Title 1.81.26 section 1798.91.04 of the California Civil Code states that connected devices must implement reasonable security measures ‘Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure ’ and specifically requires that devices have either a unique password per device or have an out-of-the-box experience which requires users to set their own passwords.

Join the Conversation

Join the Conversation


In this article