IoT
8/21/2018
09:00 AM
100%
0%

7 Serious IoT Vulnerabilities

A growing number of employees have various IoT devices in their homes - where they're also connecting to an enterprise network to do their work. And that means significant threats loom.
Previous
1 of 8
Next

The security of Internet of Things (IoT) devices, especially those intended for consumer use, tends to fall on a spectrum between "serious concern" and "industry joke." Yet the fact is that a growing number of employees have various IoT devices in their homes — where they also could be connecting to an enterprise network to do their work. And that means significant threats loom, both to and through the IoT.

Some threats attack the unique nature of IoT devices. Others take aim at the application ecosystem surrounding them. Still others are the result of configuration errors that stem from  user inexperience or system limitation. In any case, each threat can lead to loss of privacy, loss of control, or recruitment of the devices into a network controlled by someone other than the owner.

Industrial IoT devices are subject to the same ills. When considered alongside the IoT systems owned by employees, they represent a second major threat surface.

So how do you protect against this dual front of security risks? Each vulnerability has a particular remediation, but there's one overarching them: Treat IoT devices and systems like the computers they are. When the same expectations and discipline are applied to the IoT as to commercial computing systems, vulnerabilities begin to be closed.

Have you built an IoT system for a residence? How did you secure the devices? Are you dealing with IoT systems at your employees' homes? How much responsibility for security do you take? Share your thoughts in the comments, below.

(Image: metamorworks)

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
A96.uk
67%
33%
A96.uk,
User Rank: Apprentice
8/22/2018 | 2:44:30 AM
Securing IoT
We don't build IoT with software security anymore, unless we are stupid.

IoT gateways/hubs are the only part that talk to the Internet via TCP/UDP/IP normally with MQTT over HTTPS.

Not only do we use Internet security poor models but also hardware security in the form of SAML11 & Atmel 508a/608a. These chipsets allow public key cryptography in hardware.

We would IDIOT's design a IoT system with poor software security like LoRaWAN.

This system can be cloned on TTN. It uses fixed symmetric keys for each device that they need to store inb a database. IDIOT's designed it.

For education please read up on FIDO/FIOD2 for U2F security tokens for humans also.

Security has been solved, time to hand the keys to the machine.

 

https://www.switchedonscotland.com/

https://a96.uk/

 

 

WAKE UP SHEEP

 
How Cybercriminals Clean Their Dirty Money
Alexon Bell, Global Head of AML & Compliance, Quantexa,  1/22/2019
Facebook Shuts Hundreds of Russia-Linked Pages, Accounts for Disinformation
Sara Peters, Senior Editor at Dark Reading,  1/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-15720
PUBLISHED: 2019-01-23
In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.
CVE-2017-17835
PUBLISHED: 2019-01-23
In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow.
CVE-2017-17836
PUBLISHED: 2019-01-23
In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature displayed authenticated cookies, as well as passwords to databases used by Airflow. An attacker who has limited access to airflow, weather it be via XSS or by leaving a machine unlocked can exfil all credentials from the system.
CVE-2018-15614
PUBLISHED: 2019-01-23
A vulnerability in the one-x Portal component of IP Office could allow an authenticated user to perform stored cross site scripting attacks via fields in the Conference Scheduler Service that could affect other application users. Affected versions of IP Office include 10.0 through 10.1 SP3 and 11.0 ...
CVE-2018-20245
PUBLISHED: 2019-01-23
The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking.