"Essentially you could call those debugging interfaces 'unintentional back doors' because of the level of access that they give," Creighton said. "If you have access to the local network that these devices are running on, then you can use standard debugging tools to connect to that service and run commands on it and completely bypass any password or authentication. I'm sure that's important for the manufacturers to do development and testing, but it should not be on in the real world."
No need to panic
Despite the findings, Creighton cautions that these vulnerabilities aren't catastrophic. "All of these are the same type of flaws we find in analyzing applications every day," he said. "There's nothing in here that's Heartbleed-esque, that's going to blow up everybody's devices tomorrow. If we'd found something that was exploitable on a mass scale, we'd have made sure it had gotten fixed before mentioning it at all. But that doesn't mean there aren't risks here."
And the companies involved have proven relatively receptive to learning about their products' vulnerabilities. "We've reached out to these companies and let them know the details of these flaws we found, and we're working with them to get them fixed if they're interested," Creighton said. "The fact is, flaws happen to everybody, and the companies that tend to do the best in modern times are the ones that can rapidly respond."