Following the news of the CloudPets Data Breach, Tod Beardsley, Director of Research at Rapid7 commented below.

Tod Beardsley, Director of Research at Rapid7:

Tod-Beardsley“The tragic tale of CloudPets indicates at least four distinct failures when it comes to securing IoT. I’d characterise this confluence of vulnerabilities as catastrophic. CloudPets rolled out a service that relied on an insecure, open-access database, stored voice data on an insecure, open-access Amazon S3 bucket, and secured access to an online account with a password that has effectively no complexity requirements (a single character would do).

While bad, these three technical design failures could have been addressed, but for the fourth issue discovered: CloudPets seems uniquely uninterested in handling reported vulnerabilities. Emails and voicemails from security researchers and reporters appear to have been ignored, as were demands from database ransomers.

Even when companies ship IoT vulnerabilities, we tend to give them the benefit of the doubt when first reporting these issues. When Rapid7 reports vulnerabilities, we do get some kind of response about 70% of the time, and are able to engage with technical staff responsible for fixing vulnerabilities. In nearly all of those cases, the companies do produce a fix, or at least offer mitigation advice to customers. It’s become increasingly rare to come across companies that don’t respond at all, so the case with CloudPets is unusual in that regard.”

Experts Comments

Stay Tuned! Our Information Security Experts Community is responding .....

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.