
IoT
2/10/2020
11:40 AM

6 Factors That Raise the Stakes for IoT Security

Developments that exacerbate the risk and complicate making Internet of Things devices more secure.

Image Source: Adobe (stokkete)



The enterprise is finally coming to realize just how risky Internet of Things (IoT) devices are to their security postures. Whether it comes from unencrypted communication with devices, hard-coded passwords, vulnerability-ridden unmanaged devices, or insecure configurations, a huge flaw always seems to be lurking around the corner with regard to IoT deployments.
 
It's only natural for new-ish technology. IoT is following a common progression in security maturation that's happened so many times in everything from Wi-Fi to Web apps.
 
However, as IoT progresses, a number of factors deepen the IoT problem. Some up the ante considerably by putting far more at risk -- in consequence or in cost -- when an IoT device is compromised. Others expand the risk surface by exacerbating vulnerabilities already present in the IoT ecosystem.
 
Either way, read on for some of the most common factors that raise the stakes for IoT and make the problem more acute within the enterprise.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
lancop (User Rank: Moderator), 3/1/2020 | 12:38:10 PM
IoT Security will join Windows 7 as the latest additions to growing security vulnerabilities
You have brought up some excellent points in your article, and as I was just contemplating an Arduino-based IoT project my thoughts immediately turned directly to security concerns. An IoT device sitting right in the middle of several renewable energy generators and their live loads has the potential of becoming a very dangerous single point of failure should it get hacked by malicious threat actors. So, obviously my IoT technological considerations also have to include proactive security measures to shield the final product from third-party tampering.

The proliferation of IoT devices in all environments, both consumer & commercial, means that network administrators now have a whole new class of poorly managed, network-connected devices that also communicate to service provider servers that are in an unknown state of security preparedness. Service providers that will be creating & abandoning products on whatever timescales are necessary for them to remain profitable. Not a defensible battlefield where a CSO & Security Team have much of a chance against multiple, globalized attackers with the tactical advantage of needing only to suss out a single vulnerable device to gain a foothold inside the network.

Meanwhile, Microsoft recently abandoned millions & millions of Windows 7 devices that will no longer receive security patches despite the fact that they are still deployed & fully operational. Some are in ATM machines, some are in industrial control systems, many are in retail POS systems, small businesses and residences. Many simply cannot be in-place upgraded, and many are too important to be retired or replaced. And, for others, they simply cannot afford to buy all new computers & software and, perhaps, update legacy software and re-train their technical support staff. So, yet another massive security vulnerability that is brewing right under our noses but going largely unaddressed.

My takeaway from all of this is: information technology will forever be essentially insecure if connected to the internet. Billions of devices will be just a hack away from opening the city gates and letting the invading hordes pour in to wreak havoc & seize the treasure stored within. It is essentially an indefensible position on a low hill in a hotly contested forever war with ever more adversaries armed with ever better weaponry. And, always, the enterprise is just a click away from a major security breach...
DavidS950U01 (User Rank: Apprentice), 3/2/2020 | 1:08:42 AM
Question about IoT and smart communities; government duty to regulate and protect.
The article names deployments that could be attacked, such as factories, hospitals or body-connected IoT devices, and facilities. I am curious about the negative potentials presented in the smart communities scenarios. What are the dangers? Paralysis of IoT-dependent traffic control and surveillance, for example? And if not paralysis, what about misdirection (a la Stuxnet)?

Next: it's nice that government regulations will roll out in 2020--but where? In this country? With the vaunted repeal of 1200 (and counting) "job-killing" regulations that were originally created to protect public health and safety, exactly which competent agency employees remain to do the regulating? (Think State Department, EPA, CDC, etc.) I think it prudent to write to our elected representatives and make the case for, let's say, following the European example.