Following the news of the CloudPets data breach, Tod Beardsley, Director of Research at Rapid7, commented below.
Tod Beardsley, Director of Research at Rapid7:
“The tragic tale of CloudPets indicates at least four distinct failures when it comes to securing IoT. I’d characterise this confluence of vulnerabilities as catastrophic. CloudPets rolled out a service that relied on an insecure, open-access database, stored voice data on an insecure, open-access Amazon S3 bucket, and secured access to an online account with a password that has effectively no complexity requirements (a single character would do).
While bad, these three technical design failures could have been addressed, but for the fourth issue discovered: CloudPets seems uniquely uninterested in handling reported vulnerabilities. Emails and voicemails from security researchers and reporters appear to have been ignored, as were demands from database ransomers.
Even when companies ship IoT vulnerabilities, we tend to give them the benefit of the doubt when first reporting these issues. When Rapid7 reports vulnerabilities, we do get some kind of response about 70% of the time, and are able to engage with technical staff responsible for fixing vulnerabilities. In nearly all of those cases, the companies do produce a fix, or at least offer mitigation advice to customers. It’s become increasingly rare to come across companies that don’t respond at all, so the case with CloudPets is unusual in that regard.”