Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
8/21/2018
09:00 AM
100%
0%

7 Serious IoT Vulnerabilities

A growing number of employees have various IoT devices in their homes - where they're also connecting to an enterprise network to do their work. And that means significant threats loom.
Previous
1 of 8
Next

The security of Internet of Things (IoT) devices, especially those intended for consumer use, tends to fall on a spectrum between "serious concern" and "industry joke." Yet the fact is that a growing number of employees have various IoT devices in their homes — where they also could be connecting to an enterprise network to do their work. And that means significant threats loom, both to and through the IoT.

Some threats attack the unique nature of IoT devices. Others take aim at the application ecosystem surrounding them. Still others are the result of configuration errors that stem from  user inexperience or system limitation. In any case, each threat can lead to loss of privacy, loss of control, or recruitment of the devices into a network controlled by someone other than the owner.

Industrial IoT devices are subject to the same ills. When considered alongside the IoT systems owned by employees, they represent a second major threat surface.

So how do you protect against this dual front of security risks? Each vulnerability has a particular remediation, but there's one overarching them: Treat IoT devices and systems like the computers they are. When the same expectations and discipline are applied to the IoT as to commercial computing systems, vulnerabilities begin to be closed.

Have you built an IoT system for a residence? How did you secure the devices? Are you dealing with IoT systems at your employees' homes? How much responsibility for security do you take? Share your thoughts in the comments, below.

(Image: metamorworks)

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
A96.uk
67%
33%
A96.uk,
User Rank: Apprentice
8/22/2018 | 2:44:30 AM
Securing IoT
We don't build IoT with software security anymore, unless we are stupid.

IoT gateways/hubs are the only part that talk to the Internet via TCP/UDP/IP normally with MQTT over HTTPS.

Not only do we use Internet security poor models but also hardware security in the form of SAML11 & Atmel 508a/608a. These chipsets allow public key cryptography in hardware.

We would IDIOT's design a IoT system with poor software security like LoRaWAN.

This system can be cloned on TTN. It uses fixed symmetric keys for each device that they need to store inb a database. IDIOT's designed it.

For education please read up on FIDO/FIOD2 for U2F security tokens for humans also.

Security has been solved, time to hand the keys to the machine.

 

https://www.switchedonscotland.com/

https://a96.uk/

 

 

WAKE UP SHEEP

 
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16413
PUBLISHED: 2019-09-19
An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.