Monday, December 1, 2014

Netiquette IQ Security Blog On Vulnerabilities On The Internet of Things

In this blog, I have spoken about the Internet of Things. There is, of course, tremendous promise and potential. However, the number of security headaches could dwarf the number of incidents we are experiencing now. It will benefit all of us to keep our knowledge current.
===============================================

Researchers find about 25 security vulnerabilities per Internet of Things device
90% of the devices collected personal info from the device, its connected cloud service or its mobile app. That might be fine to feed in your name, address, date of birth, health stats or credit card number if your sensitive info were encrypted when it was transmitted. But 70% used unencrypted network services to transmit data. The researchers pointed out that “the lack of using transport encryption compounds the problem when you consider that the data is passed between the device, the cloud and the app.” HP asked, “Do these devices really need to collect this personal information to function properly?”
Six out of 10 devices with web interfaces were riddled with security vulnerabilities ranging from persistent cross-site scripting (XSS), to poor session management to weak default credentials. The researchers wrote, “We identified a majority of devices along with their cloud and mobile counterparts that enable an attacker to determine valid user accounts using mechanisms such as the password reset features. These issues are of particular concern for devices that offer access to devices and data via a cloud website.”
While I’d love to believe people know better than to use a password like “1234,” HP said that a whopping 80% of IoT devices with their accompanying mobile components and cloud services suffer from insufficient authorization. Most fail to require sufficient password length and complexity, allowing pathetic passwords like “1234” or “123456.” Does that really strike anyone as “smart” control for their “smart” device that is in their home or business?
60% of the devices did not use encryption when downloading software or firmware updates. “In fact some downloads were intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.”
The good news is that it’s not rocket science for manufacturers to put security fixes in place to remove “low hanging fruit” vulnerabilities. Vendors who do not want to leave users susceptible to attack should conduct security reviews of the devices, apps and cloud services. Testing should include “automated scanning of your web interface, manual review of your network traffic, reviewing the need of physical ports such as USB, reviewing authentication and authorization and reviewing the interactions of the devices with their cloud and mobile application counterparts.”
Vendors, unless you plan to give away your IoT devices for free, then understand your customers are not paying for those devices so you can blow off protecting their privacy and leave them susceptible to being hacked.
============================================
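The excerpt above names three recurring weaknesses: passwords like "1234" being accepted, password-reset features that reveal which accounts exist, and firmware downloaded without encryption or integrity checks. The following is an added example, not code from the blog post or from HP's study, showing how a device backend can close each of them; the user store, the firmware bytes and every name in it are constructed for illustration.

```python
"""Added example, not code from the blog post or from HP's study: three
server/device-side checks aimed at the weaknesses the excerpt describes.
All names, sample users and the firmware bytes below are constructed."""
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlparse

# ---- 1. Password policy (counters "1234"-style passwords) -------------------
MIN_PASSWORD_LENGTH = 12
# Constructed deny-list; a real service would consult a large breached-password list.
COMMON_PASSWORDS = {"1234", "123456", "password", "admin", "qwerty", "letmein"}


def password_is_acceptable(password: str) -> bool:
    """Require a minimum length, reject known-bad passwords, and demand at least
    three of four character classes (lower, upper, digit, symbol)."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    )
    return classes >= 3


# ---- 2. Password reset that does not reveal which accounts exist -----------
RESET_RESPONSE = "If an account exists for that address, a reset link has been sent."


def make_user_store() -> dict:
    """Constructed user store: email -> account record."""
    return {"alice@example.com": {"reset_token_hash": None}}


def request_password_reset(email: str, users: dict, outbox: list) -> str:
    """Return the same message whether or not the address is registered.
    A token is generated and hashed unconditionally so the code path (and
    roughly its timing) is the same in both cases; only delivery differs.
    A real deployment would queue the mail asynchronously so response time
    stays independent of whether the account exists."""
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    account = users.get(email)
    if account is not None:
        account["reset_token_hash"] = token_hash   # store only the hash
        outbox.append((email, token))              # plaintext token goes to the user
    return RESET_RESPONSE


# ---- 3. Firmware download: TLS only, and verify integrity before install ----
# Constructed firmware image and its pinned digest. In practice the digest would
# come from a signed manifest; this check is the integrity half of that scheme.
FIRMWARE_IMAGE = b"\x7fELF-constructed-firmware-image-v1.0.3"
PINNED_DIGEST = hashlib.sha256(FIRMWARE_IMAGE).hexdigest()


def verify_firmware(url: str, blob: bytes, expected_sha256: str) -> tuple:
    """Accept the image only if it was fetched over TLS and its SHA-256 matches
    the pinned value. The constant-time comparison avoids leaking the expected
    digest byte by byte through timing. Returns (accepted, reason)."""
    if urlparse(url).scheme != "https":
        return False, "refusing plaintext transport"
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        return False, "digest mismatch: image modified in transit or on the server"
    return True, "ok"


if __name__ == "__main__":
    print("'1234' acceptable:", password_is_acceptable("1234"))
    users, outbox = make_user_store(), []
    print(request_password_reset("nobody@example.com", users, outbox), len(outbox))
    print(verify_firmware("http://updates.example/fw.bin", FIRMWARE_IMAGE, PINNED_DIGEST))
```

The reset handler answers with one fixed sentence and does the same hashing work on both paths, which is what removes the account-enumeration signal the study describes; the firmware check refuses plain HTTP outright rather than trusting whatever arrives, and compares digests in constant time before anything is mounted or written to flash.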
In addition to this blog, I have authored the premiere book on Netiquette, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". You can view my profile, reviews of the book and content excerpts at:
www.amazon.com/author/paulbabicki

If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio and an online newsletter via paper.li. I have established Netiquette discussion groups with LinkedIn and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners, among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ, Rider University and PSG of Mercer County, New Jersey.

==========================================