Comments
IoT Product Safety: If It Appears Too Good to Be True, It Probably Is
Newest First  |  Oldest First  |  Threaded View
stephen56
50%
50%
stephen56,
User Rank: Apprentice
3/17/2018 | 3:08:08 PM
IOT devices are insecure by design, not repair
Ugh. So much speculation and so few facts.  

First, anyone that has actuallty read the proposed legislation in 18 states would notice that the only information, firmware, parts, tools and diagnostics required are those ALREADY being provided to thousands of repair techs around the world. None of this information is secret, and most of it is arleady available illegally in asia.  Legislation is carefully targeted for the sole purpose of allowing legal competition for repair services at the choice of the owner. 

Even when the equipment being repaired is being used for a security function (such as a security camera), the application run on cpu within the camera is irrelevant to repair.   The camera either passes a signal correctly or it does not.  Someone has to repair the camera, and give it back to the owner.  Its the owner that cares about his or her security -- and its still the owner that gets to decide whom to trust for repair.  

If anyone has any doubts of the responsibility of the OEM to protect the security of the owner, just read the purchase contract closely,  Every contract always dislaims responsibility for how equipment is used and carefull limits their risk and potential damages in that contract.

As to actual cyber risk -- equipnent is either secure by design, or insecure.  Sadly, millions of IOT devices are being thrown into the marketplace with weak or absent security -- allowing botnets and other hacks to proliferate worldwide.  These devices are already up and running and attached to a network, unlike devices which are broken and offline.   Equipment under repair is among the most secure because its offline. 

Opponents to Right to Repair have gleefully suggested that consumers will lose personal data without any explaination of how that might happen.  We've yet to hear of anyone losing personal data as the result of an iPhone repair -- because Apple does an excellent job of security and encryption.  Apple has even stated publically that despite their source code being posted on the internet, personal security was never at risk. 

Happy to discuss any real examples of how repair as a business has made IOT devices less secure. 

 

 
ccashell
100%
0%
ccashell,
User Rank: Apprentice
3/12/2018 | 11:47:00 PM
Seriously? The misinformation is strong with this one.
Wow, there is a lot of misinformation, confusion, and good old fashioned "Fear, Uncertainty, and Doubt" (FUD) in this article.  It almost reads like a paid piece from a hardware manfuacturer.

I'm a little amazed that someone would write such a weak and unsubstatianted article in a time when Linux has become the foundation of most mobile and many IoT devices.  When every Android smartphone has it's base operating system source code available for anyone, your argument needs a lot more than vague hints and bad analogies to be reasonable.

The simple fact is that IoT devices are in such a horrible and sad state with regards to security that it's hard to imagine how it could get much worse.  Mandating that information is available for people and communities to attempt to improve or fix issues at least leads to options.

I want to write more, but it's just hard to even take this article seriously.


WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Mirai Hackers' Sentence Includes No Jail Time
Dark Reading Staff 9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17243
PUBLISHED: 2018-09-20
Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection.
CVE-2018-17232
PUBLISHED: 2018-09-20
SQL injection vulnerability in archivebot.py in docmarionum1 Slack ArchiveBot (aka slack-archive-bot) before 2018-09-19 allows remote attackers to execute arbitrary SQL commands via the text parameter to cursor.execute().
CVE-2018-17233
PUBLISHED: 2018-09-20
A SIGFPE signal is raised in the function H5D__create_chunk_file_map_hyper() of H5Dchunk.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.
CVE-2018-17234
PUBLISHED: 2018-09-20
Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file.
CVE-2018-17235
PUBLISHED: 2018-09-20
The function mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp in libmp4v2 2.1.0 mishandles compatibleBrand while processing a crafted mp4 file, which leads to a heap-based buffer over-read, causing denial of service.