It has been reported that vulnerabilities in the communications protocols used by millions of Internet of Things (IoT) and operational technology (OT) devices could allow cyber attackers to intercept and manipulate data. The vulnerabilities in some TCP/IP stacks have been detailed by cybersecurity researchers at Forescout, who’ve dubbed the set of nine new vulnerabilities as ‘Number:Jack’.
Experts Comments
The Number:Jack
Unfortunately, computers are not good at being unpredictable. “Random” numbers in computers are almost always created by a pseudo-random number generator (PRNG), an algorithm that produces a deterministic sequence of numbers. The PRNG can be seeded with something truly
.....Read MoreDot Your Expert Comments
Only for registered and approved experts. Please register before providing comments. Register here
As many IoT devices are essentially blackboxes of components used to do a specific single job, they use specialist embedded System-on-Chips (SoC) which have small amounts of storage. Therefore, it is understandable that so many have implemented barebones TCP/IP stacks that have re-introduced old security vulnerabilities, as these are devices that often have to work with limited resources and sometimes in real-time with limited CPU processing power.
So choices were made, however, the
.....Read MoreAs many IoT devices are essentially blackboxes of components used to do a specific single job, they use specialist embedded System-on-Chips (SoC) which have small amounts of storage. Therefore, it is understandable that so many have implemented barebones TCP/IP stacks that have re-introduced old security vulnerabilities, as these are devices that often have to work with limited resources and sometimes in real-time with limited CPU processing power.
So choices were made, however, the risk/threat assessment was geared towards a different set of goals. As a result, it is good practice to treat IoT devices as insecure and vulnerable to attack by default and to build controls around them to minimize risk. The affected platforms could be in the thousands of devices and as an end-user, it can be next to impossible to know whether you need to update the device. This pushes the responsibility to the device vendor using the vulnerable TCP/IP stacks to produce an update which installs the updated firmware that uses an updated stack to any affected devices, and ultimately ensure the device in question has the ability to accept a firmware update via some form of update mechanism.
Read LessLinkedin Message
@Stephen Kapp, CTO and Founder, provides expert commentary for "dot your expert comments" at @Information Security Buzz.
"The affected platforms could be in the thousands of devices and as an end-user...."
#infosec #cybersecurity #isdots
https://informationsecuritybuzz.com/expert-comments/old-security-vulnerability-left-millions-of-internet-of-things-devices-vulnerable-to-attacks
Facebook Message
@Stephen Kapp, CTO and Founder, provides expert commentary for "dot your expert comments" at @Information Security Buzz.
"The affected platforms could be in the thousands of devices and as an end-user...."
#infosec #cybersecurity #isdots
https://informationsecuritybuzz.com/expert-comments/old-security-vulnerability-left-millions-of-internet-of-things-devices-vulnerable-to-attacks