Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
6 Factors That Raise the Stakes for IoT Security
DavidS950U01
User Rank: Apprentice
3/2/2020 | 1:08:42 AM
Question about IoT and smart communities; government duty to regulate and protect.
The article names deployments that could be attacked, such as factories, hospitals or body-connected IoT devices, and facilities. I am curious about the negative potentials presented in the smart communities scenarios. What are the dangers? Paralysis of IoT-dependent traffic control and surveillance, for example? And if not paralysis, what about misdirection (a la Stuxnet)?

Next: it's nice that government regulations will roll out in 2020--but where? In this country? With the vaunted repeal of 1200 (and counting) "job-killing" regulations that were originally created to protect public health and safety, exactly which competent agency employees remain to do the regulating? (Think State Department, EPA, CDC, etc.) I think it prudent to write to our elected representatives and make the case for, let's say, following the European example.
lancop
User Rank: Moderator
3/1/2020 | 12:38:10 PM
IoT Security will join Windows 7 as the latest additions to growing security vulnerabilities
You have brought up some excellent points in your article, and as I was just contemplating an Arduino-based IoT project my thoughts immediately turned directly to security concerns. An IoT device sitting right in the middle of several renewable energy generators and their live loads has the potential of becoming a very dangerous single point of failure should it get hacked by malicious threat actors. So, obviously my IoT technological considerations also have to include proactive security measures to shield the final product from 3rd party tampering.

The proliferation of IoT devices in all environments, both consumer & commercial, means that network administrators now have a whole new class of poorly managed, network-connected devices that also communicate to service provider servers that are in an unknown state of security preparedness. Service providers that will be creating & abandoning products on whatever timescales are necessary for them to remain profitable. Not a defensible battlefield where a CSO & Security Team have much of a chance against multiple, globalized attackers with the tactical advantage of needing only to suss out a single vulnerable device to gain a foothold inside the network.

Meanwhile, Microsoft recently abandoned millions & millions of Windows 7 devices that will no longer receive security patches despite the fact that they are still deployed & fully operational. Some are in ATM machines, some are in industrial control systems, many are in retail POS systems, small businesses and residences. Many simply cannot be in-place upgraded, and many are too important to be retired or replaced. And, for others, they simply cannot afford to buy all new computers & software and, perhaps, update legacy software and re-train their technical support staff. So, yet another massive security vulnerability that is brewing right under our noses but going largely unaddressed.

My takeaway from all of this is: information technology will forever be essentially insecure if connected to the internet. Billions of devices will be just a hack away from opening the city gates and letting the invading hordes pour in to wreak havoc & seize the treasure stored within. It is essentially an indefensible position on a low hill in a hotly contested forever war with ever more adversaries armed with ever better weaponry. And, always, the enterprise is just a click away from a major security breach...

