This summer we released our findings on a vulnerability we called Devil’s Ivy: a flaw in the gSOAP library that was found while researching a surveillance camera, but whose impact extended far beyond any one device, or any one platform.
This week IoT security company Armis revealed BlueBorne: a set of eight vulnerabilities found in the Bluetooth stacks used by a variety of OS vendors. The vulnerabilities impact several billion devices across the Windows, Linux, iOS and Android platforms. Along with a variety of commodity IT devices, any IoT or “smart” devices running any of these OSes are vulnerable.
In both cases the flaws impact both IoT and commodity or ‘ordinary’ computer technology. This doesn’t apply in all cases, but as more research is done, it is highly likely that we’re going to hear more about how the line between problems in IoT and just plain IT is a lot fainter than previously thought.
Like software companies in the commodity IT space, manufacturers of IoT devices practice code reuse. When there is a flaw in any given piece of code, code reuse becomes vulnerability reuse. That’s how a vulnerability found in one model of surveillance camera could impact a wide range of cameras, as well as other physical security devices, and potentially some commodity IT. Not all vulnerabilities are readily exploitable in any given IoT device, and an exploitable flaw in an IoT device does not necessarily mean the same flaw is exploitable on a PC or server, but the risk is not zero, so in any sufficiently risky situation, you have to take the time and effort to check.
If Devil’s Ivy or BlueBorne show us anything it is that security practitioners in either domain cannot dismiss out of hand any new security vulnerability that is uncovered in the other domain. Your alert fatigue is about to go through the roof. If you thought you were drowning in threat information before, this is the industry throwing you not a life preserver, but a brick.
People in both the security and business domains have heard the hue and cry about problems in software and hardware before. But in an age of perpetual computing, when the use of computers is becoming more intimate (e.g. wearables and implantables), the need to identify and rectify exploitable vulnerabilities has taken on a new sense of urgency.