February Round Up of News that Proves Trust Is The Point
The promise of a connected world offers so many opportunities to make life easier. However, developers need to get their act together when it comes to security. For every new IoT device that’s released, there’s a story about a security breach that leaves unsuspecting consumers vulnerable.
The good news is that the call for better IoT security is starting to build. Here’s a round up of some of the stories that made the news this past month.
Major Flaw in Code Library Leaves IoT Devices Vulnerable to Malware
The Linux GNU C Library (Glibc) is an open source code library that’s used by thousands of IoT devices, including routers. Recently, Google and Red Hat have revealed that a major flaw puts these devices at risk for malware infection.
“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used,” said Google. “Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”
What’s extremely worrying is that it was flagged as an issue last year, but was considered a low priority. This is the second major vulnerability identified for a Linux OS in the past month.
Smart Buildings Need to Smarten up Their Security
Not only are devices vulnerable to attack, so are entire buildings through the networks that run them. The IBM X-Force Ethical Hacking Team recently demonstrated how easy it is to hack into a building automation system (BAS) through its router. In most cases, a BAS controls sensors and thermostats for a network of buildings across a geographic area — in this case the buildings were in the US. Each building connects to the central BAS server through a router.
In this case, accessing the router was fairly simple. The administrative password was easy to find in plain text in the device’s code, and the same password was reused across devices. It didn’t take long for the team to gain access to the central server, which would give hackers the ability to take control of all the buildings in the network.
This is not an isolated incident. Leaving passwords visible in open code is the same as leaving the back door open to hackers.
A Cheap CCTV System Sends Your Images to an Email in China
CCTVs are a great way to keep an eye on your property when you can’t be there. One model for sale on Amazon is letting others keep an eye on your stuff too.
After hearing so much about the problems with Internet-connected cameras, researchers from Pen Test Partners wanted to see for themselves how bad it could be. They chose an inexpensive model available on Amazon. The situation was actually worse than they expected.
Poor default credentials, being listed on the open Internet, a lack of firmware updates and a severe lack of HTTPS-based encryption were the tip of the iceberg.
“The researchers managed to access basically every internal piece of code within the device and were able to force the device to start as root. Eventually, the team even opened a web shell that allowed them to run commands on the DVR. Furthermore, the lack of strong encryption fully exposes users to man-in-the-middle (MitM) style attacks — frequently used by hackers to intercept web traffic.”
The most bizarre finding was that the camera was actually taking screen captures and sending them to a hardcoded email address that appears to be in China.
The high number of breaches related to Internet-connected cameras continues to be a troubling trend that needs attention.
Shedding Light on the Problem of IoT Insecurity
Thankfully, these breaches are beginning to get more attention. In fact, New York City is investigating baby monitor manufacturers to learn more about the vulnerabilities. They want manufacturers to answer the complaints of insecurity and prove that they are taking steps to improve encryption.
We’re also pleased to see other articles in business publications like Forbes and The Wall Street Journal. The more attention insecurity receives, the more industry will need to respond.