2/10/2020
11:40 AM

6 Factors That Raise the Stakes for IoT Security

Developments that exacerbate the risk and complicate making Internet of Things devices more secure.

Image Source: Adobe (stokkete)

Comments
DavidS950U01,
User Rank: Apprentice
3/2/2020 | 1:08:42 AM
Question about IoT and smart communities; government duty to regulate and protect.
The article names deployments that could be attacked, such as factories, hospitals or body-connected IoT devices, and facilities. I am curious about the negative potentials presented in the smart communities scenarios. What are the dangers? Paralysis of IoT-dependent traffic control and surveillance, for example? And if not paralysis, what about misdirection (a la Stuxnet)?

Next: it's nice that government regulations will roll out in 2020--but where? In this country? With the vaunted repeal of 1200 (and counting) "job-killing" regulations that were originally created to protect public health and safety, exactly which competent agency employees remain to do the regulating? (Think State Department, EPA, CDC, etc.) I think it prudent to write to our elected representatives and make the case for, let's say, following the European example.
lancop,
User Rank: Moderator
3/1/2020 | 12:38:10 PM
IoT Security will join Windows 7 as the latest additions to growing security vulnerabilities
You have brought up some excellent points in your article, and as I was just contemplating an Arduino-based IoT project my thoughts immediately turned directly to security concerns. An IoT device sitting right in the middle of several renewable energy generators and their live loads has the potential of becoming a very dangerous single point of failure should it get hacked by malicious threat actors. So, obviously my IoT technological considerations also have to include proactive security measures to shield the final product from 3rd party tampering.

The proliferation of IoT devices in all environments, both consumer & commercial, means that network administrators now have a whole new class of poorly managed, network-connected devices that also communicate to service provider servers that are in an unknown state of security preparedness. Service providers that will be creating & abandoning products on whatever timescales are necessary for them to remain profitable. Not a defensible battlefield where a CSO & Security Team have much of a chance against multiple, globalized attackers with the tactical advantage of needing only to suss out a single vulnerable device to gain a foothold inside the network.

Meanwhile, Microsoft recently abandoned millions & millions of Windows 7 devices that will no longer receive security patches despite the fact that they are still deployed & fully operational. Some are in ATM machines, some are in industrial control systems, many are in retail POS systems, small businesses and residences. Many simply cannot be in-place upgraded, and many are too important to be retired or replaced. And, for others, they simply cannot afford to buy all new computers & software and, perhaps, update legacy software and re-train their technical support staff. So, yet another massive security vulnerability that is brewing right under our noses but going largely unaddressed.

My takeaway from all of this is: information technology will forever be essentially insecure if connected to the internet. Billions of devices will be just a hack away from opening the city gates and letting the invading hordes pour in to wreak havoc & seize the treasure stored within. It is essentially an indefensible position on a low hill in a hotly contested forever war with ever more adversaries armed with ever better weaponry. And, always, the enterprise is just a click away from a major security breach...