date 2015-04-21
from the zombie-apocalypse dept.
100 Million More IoT Devices Are Exposed—and They Won't Be the Last:
Over the last few years, researchers have found a shocking number of vulnerabilities in seemingly basic code that underpins how devices communicate with the Internet. Now, a new set of nine such vulnerabilities are exposing an estimated 100 million devices worldwide, including an array of Internet-of-things products and IT management servers. The larger question researchers are scrambling to answer, though, is how to spur substantive changes—and implement effective defenses—as more and more of these types of vulnerabilities pile up.
Dubbed Name:Wreck, the newly disclosed flaws are in four ubiquitous TCP/IP stacks, code that integrates network communication protocols to establish connections between devices and the Internet. The vulnerabilities, present in operating systems like the open source project FreeBSD, as well as Nucleus NET from the industrial control firm Siemens, all relate to how these stacks implement the "Domain Name System" Internet phone book. They all would allow an attacker to either crash a device and take it offline or gain control of it remotely. Both of these attacks could potentially wreak havoc in a network, especially in critical infrastructure, health care, or manufacturing settings where infiltrating a connected device or IT server can disrupt a whole system or serve as a valuable jumping-off point for burrowing deeper into a victim's network.
[...] "For better or worse, these devices have code in them that people wrote 20 years ago—with the security mentality of 20 years ago," says Ang Cui, CEO of the IoT security firm Red Balloon Security. "And it works; it never failed. But once you connect that to the Internet, it's insecure. And that's not that surprising, given that we've had to really rethink how we do security for general-purpose computers over those 20 years."
The problem is notorious at this point, and it's one that the security industry hasn't been able to quash, because vulnerability-ridden zombie code always seems to reemerge.
(Score: 3, Funny) by DannyB on Thursday April 15, @03:29PM (2 children)
The SH in IoT is for "Security Hardened".
I suppose if IoT were to take some security hardening pills, it would then be SHIoT.
The rain in Spain stays mainly inside the aircraft.
(Score: 3, Insightful) by Thexalon on Thursday April 15, @03:38PM
As one of my favorite tech talks points out, the idea that even "security hardened" IoT would be a real thing is like expecting that a company that may not even exist anymore will successfully secure an Internet-connected machine running Windows XP or possibly even Windows ME, right now in 2021. Or, if it's using Linux of some kind, trusting that kernel 2.4 and glibc 2.2 will be just fine and dandy.
The inverse of "I told you so" is "Nobody could have predicted"
(Score: 0) by Anonymous Coward on Thursday April 15, @04:14PM
Secured Internet of Privacy-Hardened Online Networked Devices In Tandem: also known as "SIPHONeD IT"