mailing list archives
Time to ignore manufacturers that are security slackers
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 20 Nov 2013 01:28:21 -0700
In the near future, everything from refrigerators and coffeemakers to cars
and home automation systems will be among the 10s of billions of devices on
the Internet. But as the so-called Internet of Things grows, security
remains a work in progress at best, and it's time for tech buyers to ignore
manufacturers that refuse to step up their game.
Security has always lagged behind technology adoption. As the PC market
grew in the 1990s, securing software and hardware was an afterthought until
the Internet. Once people started connecting Windows PCs to the Web, the
door was opened to hackers and Microsoft was left scrambling for years to
plug the many holes in the market-dominating operating system.
The pattern in the mobile industry is similar. Hundreds of millions of
people using Android smartphones and tablets today face unnecessary risks
because wireless carriers and manufacturers have yet to figure out a way to
push out timely updates to patch vulnerabilities.
Nevertheless, mobile security seems advanced when compared to the vast
majority of other Internet-connected devices, which Cisco says will number
40 billion by 2020 from roughly 9 billion in 2012.
Printers are a perfect example of how security is being shortchanged as we
move toward the Internet of Things. Every printer today comes with a
built-in Web server, yet by default, the majority of them don't even
require a password.
With such basic security missing, it's no surprise that vendors are slow in
patching vulnerabilities through firmware upgrades. In the meantime,
security researchers have already shown that it's possible to hack
networked Hewlett-Packard printers and steal data.
In July, a couple of researchers used a laptop wired to electronic control
units of a Ford Escape and Toyota Prius to steer the vehicles left and
right, apply the brakes and move the fuel gauge to zero.
At the time, Ford and Toyota said the experiment wasn't a legitimate hack,
since a wired connection was needed. But most experts agreed the
demonstration showed that the day when a car could be commandeered
wirelessly was coming, unless manufacturers worked faster to improve
Devices that have already been hacked have included TV sets, video cameras,
child monitors and power meters. Through such devices, intruders could
violate people's privacy, steal personal data and build large botnets of
compromised devices in order to launch denial of service attacks, experts
As the number of threats increase with the rise in Internet-connected
devices, there are security tools available to defend against attacks. They
include data encryption, strong user authentication, coding with security
as a top priority and better testing of application programming interfaces.
To a large extent, securing the Internet of Things isn't much different
than locking down computers and mobile devices. Among the bigger hurdles of
the IoT is rolling out firmware updates.
The best place to start in securing future Internet-enabled devices is with
the buyer. If consumers and businesses place security near the top of their
features list, then manufacturers will respond. Without customer pressure,
there will be little change in the status quo.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
- Time to ignore manufacturers that are security slackers Audrey McNeil (Nov 25)