Suggestions for Consumers Using IoT Products Containing Log4j

By Rebecca Herold

Last updated: December 28, 2021

Many of our Privacy and Security Brainiacs and Privacy Professor consultancy clients have asked for a simple description of the Log4j problems they’ve seen so much about in the news lately. Here are some key facts and advice we’ve provided to them.

What is the Log4j Vulnerability?

Summarized with extreme simplicity, the Log4j security vulnerability is ultimately a result of insufficient secure coding and/or testing practices for software that is used in billions of devices worldwide, that is now being actively exploited, causing a wide variety of security incidents and privacy breaches.

Log4j is an open source software application program, written in Java computer code by volunteers who are considered to be programming experts. Log4j is used to create activity logs for devices running on Apple, Windows, and Linux systems. The logs provide activity details for the associated devices that can be used to troubleshoot problems, track data within the devices from which Log4j is used, or for other purposes. Log4j has been used as the de facto logging code within a huge number of software programs throughout the world because the logs are extremely useful for troubleshooting software problems. And possibly even more reason it is so widely used is that, since it is an open source program, Log4j code is free to use.  

Log4j in IoT Products: Facts and Risks

Let’s consider just a few facts, and then associated risks that exist to IoT products and their users as a result of the Log4j vulnerability. First a few facts:

• Java is the most-used programming language for IoT app development and typically includes Log4j; reportedly controlling around three billion devices.
• Because the Log4j vulnerability is so easy to exploit, this puts the other devices within the IoT product ecosystem at risk. This includes the associated cloud services, apps, gateways, hubs, controllers, Wi-Fi networks and routers, and the other networks to which connections are made (businesses, online retail, banks, financial sites, social media, etc.). The impact is worldwide and usually reaches far beyond the IoT product where Log4j resides.
• The Log4J vulnerability allows unauthorized entities, such as hackers, snoops, and basically anyone else on the internet, to do actions such as: access the controls on IoT devices; allow remote code execution by unauthorized users; control, change or delete log messages; change, copy or delete data collected or derived by IoT devices; access other devices on the same networks to which the IoT products are connected. So, the impact to data and device use is significant.

IoT devices impact people’s lives worldwide. There are IoT devices that control, 1) temperatures in homes and other types of buildings; 2) personal assistants through voice-controls; 3) smart locks; 4) smoke and fire alarms; 5) smart electricity plugins; universal entertainment system remotes; 6) traffic lights; 7) Wi-Fi systems; 8) security systems; 9) garage door openers; 10) fitness trackers; 11) medical devices that are keeping people alive; 12) and an infinite list of other types of IoT devices.

Essentially, the Log4j vulnerability gives intruders a wide-open digital door, from wherever they are in the world, into your networks and devices. Once they are inside, they can wreak havoc by causing a wide range of harms: stealing, modifying, and deleting data; planting ransomware, malware, bots, spyware, and killware (which is a quickly growing concern); launching attacks on other networks from your devices, to cover their tracks and make it look like you were the attacker; bringing down networks and critical infrastructure to disrupt operations and disable systems that the public depends upon for safety and health.

Cybersecurity researchers are seeing cybercrooks actively targeting businesses to exploit the products that use Log4j to not only attack those businesses, but also use those business networks as gateways to the other businesses that are connected to the networks. They are also attacking the software itself to disrupt anyone who may be using the software. Given these facts, the potential harms from the risks are huge; from disruption of services, to the health and safety of people depending on them, to the data that is collected through them.

What IoT Product Consumers Can Do to Address the Log4j Vulnerability

It is ultimately the responsibility of the manufacturers of the software containing the Log4j vulnerability to fix those software products as soon as possible, and for IoT product providers to ensure their products are updated as soon as possible. But how quickly will they fix the products? That will vary from manufacturer to manufacturer, and product to product.

We encourage IoT product consumers (organizations as well as individuals), and all other types of software and hardware, to be proactive. If you are such a consumer:

• Determine the manufacturers and vendors for the IoT products you use.
• Go to the manufacturers’ and vendors’ websites. Check to see if they have posted information that explains if they use Log4j in their IoT products.
  1. If they do, they should also provide information about how they are fixing the vulnerability within their products.
  2. If they do not provide such information, then contact the manufacturers and/or vendors. Look for the contact information on their websites. If they don’t list contact information on their website, then check to see if they have provided a website specific to their IoT products; many do. Ask them the following questions. Document all the questions along with the date and time you asked them, the answers you are given, and the person’s name (first name is okay; someone for you to reference if you need to later) that provided you with the information:
     1. “Does your IoT product (provide them with the product name) use Log4j?”
     2. “How are you fixing the Log4j vulnerabilities?” Ask for details, and not some one-sentence answer like, “We’ll fix it soon.”
     3. “How will you let me know when your IoT product has had the Log4j vulnerability fixed?”

For more information…

• Listen to the January 8, 2022 episode of Data Security and Privacy with the Privacy Professor. The episode is, “Log4j is a result of poor coding & testing practices.” I will be speaking with security expert, Dr. Mich Kabay, who will provide many insights and recommendations for stemming the flood of similar types of software code security vulnerabilities.
• Read our free Privacy and Security flipbooks about IoT security and privacy:
  1. Cybersecurity for Grandparents Volume 4 – Securing Smart Homes
  2. Cybersecurity for Grandparents Volume 5 – Securing IoT On the Go
  3. Cybersecurity for Grandparents Volume 6 – Securing IoT in Organizations
• Purchase the next book in our “ Cybersecurity for Grandparents and Everyone Else!” series of books. It will be published in January 2022 and subtitled, “Q4 2021 Edition: IoT Security and Privacy.” Besides covering the wide range of IoT security and privacy risks, it also includes a section on Log4j, with related recommendations for IoT product consumers. We pushed back the publication time for the book so we could include the Log4j information since this is a significant issue with IoT products.
• Monitor or subscribe to notifications about updates to our Log4j news page, IoT news page, and our security, privacy, and compliance news page.

NOTE: 

Images above may have been created by us, were purchased, and the others, such as the Log4j logo, were used under the U.S. Fair Use statute; Section 107 of the Copyright Act. Privacy and Security Brainiacs is not associated with or sponsored by the trademark owners of the images used under Fair Use.