Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
8/21/2018
09:00 AM

7 Serious IoT Vulnerabilities

A growing number of employees have various IoT devices in their homes - where they're also connecting to an enterprise network to do their work. And that means significant threats loom.
2 of 8

1. Bad Web UIs

Everybody loves a good Web user interface. For IoT applications, they make controlling features and functions, setting up devices, and integrating devices into systems faster and easier tasks than they might otherwise be. The trouble is, they often bring to criminals the same ease of use.

The problems that vex IoT Web interfaces are, in most ways, the same problems that have plagued enterprise Web applications. While SQL injection is somewhat less of an issue in IoT applications, command injection, cross-site scripting, and cross-site request forgery are all programming flaws that can hand criminals ready access to devices and complete systems for controlling, monitoring, and accessing real-world operations.

Fortunately, the remedies for most of the Web UI security issues are the same as what has been preached to Web developers for years: Validate input, require strong passwords (and don't allow the default password to be used beyond the first stages of initial setup), don't expose credentials, limit password retry attempts, and make sure that password and user name recovery routines are robust. As Sam sang in Casablanca, "The fundamental things apply "

(Image: Breitformat VIA SHUTTERSTOCK)

2 of 8
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
A96.uk
67%
33%
A96.uk,
User Rank: Apprentice
8/22/2018 | 2:44:30 AM
Securing IoT
We don't build IoT with software security anymore, unless we are stupid.

IoT gateways/hubs are the only part that talk to the Internet via TCP/UDP/IP normally with MQTT over HTTPS.

Not only do we use Internet security poor models but also hardware security in the form of SAML11 & Atmel 508a/608a. These chipsets allow public key cryptography in hardware.

We would IDIOT's design a IoT system with poor software security like LoRaWAN.

This system can be cloned on TTN. It uses fixed symmetric keys for each device that they need to store inb a database. IDIOT's designed it.

For education please read up on FIDO/FIOD2 for U2F security tokens for humans also.

Security has been solved, time to hand the keys to the machine.

 

https://www.switchedonscotland.com/

https://a96.uk/

 

 

WAKE UP SHEEP

 
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3331
PUBLISHED: 2021-01-27
WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)
CVE-2021-3326
PUBLISHED: 2021-01-27
The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2021-22641
PUBLISHED: 2021-01-27
A heap-based buffer overflow issue has been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
CVE-2021-22653
PUBLISHED: 2021-01-27
Multiple out-of-bounds write issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
CVE-2021-22655
PUBLISHED: 2021-01-27
Multiple out-of-bounds read issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).