IoT Messaging Protocol is Big Security Risk
The insecure implementation of the MQTT (Message Queue Telemetry Transport) protocol, an OASIS standard for IoT communication, by many IoT product vendors is contributing to the high risk of IoT devices on enterprise and home networks. Although the Cloud Security Alliance recommends TLS for secure communication with MQTT, most vendors appear to ignore transport security, leaving all communication open and available. Further, authentication is often ignored.
The authentication issue is the failure to implement any available device authentication. An example of the risk was reported by Lucas Lundgren last year. Lundgren claimed he discovered around 60,000 IoT message brokers that allowed access without authentication (McAuley, 2017). With the fast growth of IoT, we can assume that this number has significantly increased. Lundgren demonstrated that he could quickly compromise hospital, prison, and satellite control systems because of insecure MQTT configuration.
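A defensive check for the two gaps described above (no TLS, no authentication), as an added example that is not from the original article: a small Python audit of a Mosquitto-style broker configuration. The article names no specific broker, so the choice of Mosquitto, the file paths and both sample configurations are assumptions made for illustration.

```python
# Added example: audit a Mosquitto-style config for missing TLS and auth.
# Both sample configs are constructed; option names are Mosquitto's.
WEAK_CONF = """\
listener 1883
allow_anonymous true
"""

HARDENED_CONF = """\
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
"""

AUTH_KEYS = {"password_file", "psk_file", "auth_plugin", "plugin"}


def audit(conf_text):
    """Return findings for one broker config (certificate-based TLS only)."""
    auth_opts = {}   # authentication options, treated as broker-wide
    listeners = []   # one entry per "listener" line with its TLS options
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' only starts a comment line
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            port = (value.split() or ["?"])[0]
            listeners.append({"port": port, "tls": set()})
        elif key in ("certfile", "keyfile") and listeners:
            listeners[-1]["tls"].add(key)
        elif key == "allow_anonymous" or key in AUTH_KEYS:
            auth_opts[key] = value.strip().lower()

    findings = []
    for lst in listeners:
        if lst["tls"] != {"certfile", "keyfile"}:
            findings.append(f"listener {lst['port']}: no TLS, traffic is plaintext")
    anon = auth_opts.get("allow_anonymous")
    if anon == "true":
        findings.append("allow_anonymous true: clients connect without credentials")
    elif anon is None:
        findings.append("allow_anonymous unset: default depends on broker version")
    if not AUTH_KEYS & auth_opts.keys():
        findings.append("no password_file, psk_file or auth plugin configured")
    return findings
```

Running `audit` over each broker configuration in a fleet gives a quick inventory of listeners that still expose plaintext or unauthenticated MQTT.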
To Achieve Security in IoT Devices, Remember the Fundamentals
Connectivity has created new threat landscapes, but iRobot CISO Ravi Thatavarthy says it’s important to remember fundamental IT security principles when it comes to security in IoT devices.
When it comes to security in IoT devices, it’s important to remember that fundamental IT security principles are still applicable, according to Ravi Thatavarthy, director of information security and CISO at Bedford, Mass.-based consumer robotics company iRobot. Thatavarthy spoke with SearchCIO at the recent CDM Media CIO Summit in Boston, where he discussed how IoT is affecting the cybersecurity threat landscape, suggested best practices for securing IoT devices and delineated the role that CISOs play in these processes. He also offered pointers on how CISOs can build a strategic relationship with their organization’s chief risk officers and shed light on the biggest challenge that CISOs face today.
Multiple Vulnerabilities found in Connected IoT Home Security Device
Popular IoT home security device could allow hackers to turn burglar alarms on and off and switch on siren, says researcher who dissected it. Security researchers have discovered a number of vulnerabilities in an internet-enabled burglar alarm that could see the device being remotely switched off by an attacker. According to a blog post, Ilia Shnaidman, head of security research at Bullguard, said that the discovery of multiple flaws in iSmartAlarm is another example of a poorly engineered device that offers attackers an easy target.
The device, said Shnaidman, has flaws that can lead to full device compromise. The cube-shaped iSmartAlarm provides a fully integrated alarm system with siren, smart cameras and locks. It functions like any alarm system but with the benefits of a connected device: alerts pop up on your phone, offering you full remote control via mobile app wherever you are.