The preceding decades of hype about all the horrible things that could happen if computers became too ingrained in our lives and were attacked or went haywire are finally, if regrettably, coming to fruition. These are not abstract problems, or readily recoverable ones like the loss of banking credentials or personal information: they are becoming matters of life and death.
This summer we released our findings on a vulnerability we called Devil’s Ivy: a flaw in the gSOAP library that was found while researching a surveillance camera, but whose impact extended far beyond any one device, or any one platform.
This week IoT security company Armis revealed BlueBorne: a set of eight vulnerabilities found in the Bluetooth stacks used by a variety of OS vendors. The vulnerabilities impact several billion devices across the Windows, Linux, iOS and Android platforms. Along with a variety of commodity IT devices, any IoT or “smart” devices running any of these OSes are vulnerable.
In both cases the flaws impact both IoT and commodity, or ‘ordinary’, computer technology. This won’t hold for every vulnerability, but as more research is done it is highly likely that we’re going to hear more about how the line between problems in IoT and just plain IT is a lot fainter than previously thought.
For those who have not spent much time tracking IoT security issues, it is important to note that most IoT devices that don’t need to meet highly specialized requirements (e.g. devices used in industrial environments) are running a common computer operating system inside, like Linux, Windows XP or Windows CE. Manufacturers add some specialized logic that controls the “thing” part of the device, and instead of a full keyboard you have a handful of buttons or dials that interact with that logic. Unlike on a Linux or Windows PC, the OS on such devices cannot be upgraded or patched. Well, it might be possible to patch them, but not without a lot of work on the part of the manufacturer, who is more inclined to tell you to wait until the new model comes out (revenue) than to upgrade the old one (expense), if you decide to raise the issue.
Like software companies in the commodity IT space, manufacturers of IoT devices practice code reuse. When there is a flaw in any given piece of code, code reuse becomes vulnerability reuse. That’s how a vulnerability found in one model of surveillance camera could impact a wide range of cameras, as well as other physical security devices, and potentially some commodity IT. Not all vulnerabilities are readily exploitable in any given IoT device, and an exploitable flaw in an IoT device does not necessarily mean the same flaw is exploitable on a PC or server, but the risk is not zero, so in any sufficiently risky situation, you have to take the time and effort to check.
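The “vulnerability reuse” point above is easiest to act on with an inventory check that ignores whether an asset is a camera or a server. The following is an added example, not code from the original post or from any of the vendors mentioned; the advisory, the component name, the version numbers and the asset list are all constructed placeholders, not the real Devil’s Ivy figures.

```python
"""Cross-domain inventory check: flag every asset, IoT or ordinary IT,
whose embedded copy of a library predates an advisory's fix.
All data below is constructed for illustration."""
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.8.47' into (2, 8, 47) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


# Constructed advisory: component name and fixed version are placeholders,
# not the real Devil's Ivy values.
ADVISORY = {"component": "gsoap", "fixed_in": "9.9.9"}

# Constructed inventory spanning both domains: two IoT devices, two IT assets.
INVENTORY: List[Dict] = [
    {"asset": "cam-lobby-01", "kind": "iot",
     "components": {"gsoap": "9.9.8", "busybox": "1.20.0"}},
    {"asset": "sensor-hub-7", "kind": "iot",
     "components": {"gsoap": "9.9.9"}},
    {"asset": "build-srv-2", "kind": "it",
     "components": {"gsoap": "9.8.0", "openssl": "1.1.0"}},
    {"asset": "laptop-finance", "kind": "it",
     "components": {"openssl": "1.1.0"}},
]


def affected_assets(advisory: Dict, inventory: List[Dict]) -> List[str]:
    """Return asset names carrying a pre-fix copy of the named component.
    Asset kind is deliberately ignored: the IoT/IT line does not matter."""
    name = advisory["component"].lower()
    fixed = parse_version(advisory["fixed_in"])
    hits = []
    for asset in inventory:
        found = {k.lower(): v for k, v in asset["components"].items()}
        if name in found and parse_version(found[name]) < fixed:
            hits.append(asset["asset"])
    return hits


def summarise(advisory: Dict, inventory: List[Dict]) -> Dict[str, int]:
    """Count affected assets per kind, showing that one advisory crosses domains."""
    kinds = {a["asset"]: a["kind"] for a in inventory}
    counts = {"iot": 0, "it": 0}
    for name in affected_assets(advisory, inventory):
        counts[kinds[name]] += 1
    return counts


if __name__ == "__main__":
    print(affected_assets(ADVISORY, INVENTORY))
    print(summarise(ADVISORY, INVENTORY))
```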
If Devil’s Ivy or BlueBorne show us anything, it is that security practitioners in either domain cannot dismiss out of hand any new security vulnerability that is uncovered in the other domain. Your alert fatigue is about to go through the roof. If you thought you were drowning in threat information before, this is the industry throwing you not a life preserver, but a brick.
People in both the security and business domains have heard the hue and cry about problems in software and hardware before. But in an age of perpetual computing, when the use of computers is becoming more intimate (e.g. wearables and implantables), the need to identify and rectify exploitable vulnerabilities has taken on a new sense of urgency.