===============================================
Researchers find about 25 security vulnerabilities per Internet of Things
90% of the devices collected personal info from the device, its connected cloud service or its mobile app. That might be fine to feed in your name, address, date of birth, health stats or credit card number if your sensitive info were encrypted when it was transmitted. But 70% used unencrypted network services to transmit data. The researchers pointed out that “the lack of using transport encryption compounds the problem when you consider that the data is passed between the device, the cloud and the app.” HP asked, “Do these devices really need to collect this personal information to function properly?”
Six out of 10 devices with web interfaces were riddled with security vulnerabilities ranging from persistent cross-site scripting (XSS), to poor session management, to weak default credentials. The researchers wrote, “We identified a majority of devices along with their cloud and mobile counterparts that enable an attacker to determine valid user accounts using mechanisms such as the password reset features. These issues are of particular concern for devices that offer access to devices and data via a cloud website.”
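The account-enumeration problem quoted above comes from a reset endpoint whose response differs for registered and unregistered addresses. The following is an added example, not code from HP or the article, contrasting that leaky pattern with a uniform-response version and a simple check a reviewer can run against either; the user store, addresses and outbox are constructed placeholders.

```python
# Added example: account enumeration via a password-reset endpoint (vulnerable
# pattern) next to a hardened handler, plus a check that tells them apart.
import secrets

# Constructed sample data: the set of registered account emails (hypothetical).
REGISTERED = {"alice@example.com", "bob@example.com"}

# Constructed stand-in for an outgoing mail queue.
OUTBOX: list[tuple[str, str]] = []


def reset_leaky(email: str) -> tuple[int, str]:
    """Vulnerable pattern: status and message reveal whether the account exists."""
    if email not in REGISTERED:
        return 404, "No account with that email address"
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, token))
    return 200, "Reset email sent"


def reset_uniform(email: str) -> tuple[int, str]:
    """Hardened pattern: identical status, message and work on both paths.

    The token is generated unconditionally so the two branches cost roughly
    the same; only the mail enqueue (done out of band in a real system) differs.
    """
    token = secrets.token_urlsafe(32)
    if email in REGISTERED:
        OUTBOX.append((email, token))
    return 200, "If that address is registered, a reset email has been sent"


def leaks_account_existence(handler, known: str, unknown: str) -> bool:
    """Defender's check: does the handler answer a real and a made-up account
    differently? True means the endpoint can be used to enumerate users."""
    return handler(known) != handler(unknown)
```

Run the check against your own reset, login and registration endpoints with one known and one invented address; any difference in status, body or headers is a finding.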
While I’d love to believe people know better than to use a password like “1234,” HP said that a whopping 80% of IoT devices with their accompanying mobile components and cloud services suffer from insufficient authorization. Most fail to require sufficient password length and complexity, allowing pathetic passwords like “1234” or “123456.” Does that really strike anyone as “smart” control for their “smart” device that is in their home or business?
60% of the devices did not use encryption when downloading software or firmware updates. “In fact some downloads were intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.”
The good news is that it’s not rocket science for manufacturers to put security fixes in place to remove “low hanging fruit” vulnerabilities. Vendors who do not want to leave users susceptible to attack should conduct security reviews of the devices, apps and cloud services. Testing should include “automated scanning of your web interface, manual review of your network traffic, reviewing the need of physical ports such as USB, reviewing authentication and authorization and reviewing the interactions of the devices with their cloud and mobile application counterparts.”
Vendors, unless you plan to give away your IoT devices for free, understand that your customers are not paying for those devices so that you can blow off protecting their privacy and leave them susceptible to being hacked.
============================================
In addition to this blog, I have authored the premiere book on Netiquette, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". You can view my profile, reviews of the book and content excerpts at:
www.amazon.com/author/paulbabicki
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio and an online newsletter via paper.li. I have established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ, Rider University and PSG of Mercer County New Jersey.