Safeguard your IoT device credentials
Image credit: source

Credit: ID 132201453 © Akarat Phasura | Dreamstime.com

Internet of Things (IoT) devices were popular gifts again this Christmas season. The trend represents a huge shift in how products are made and used, as network connectivity is added to products that weren’t previously intended to have this functionality.

Your refrigerator that sends you a text message when you’re out of milk is IoT. Your thermostat that provides usage graphs on your phone is IoT too. Basically, any consumer device capable of connecting to a network other than a computer, phone, tablet or router is considered an IoT device.

Security remains a big concern with IoT devices, however. Although improvements have been made, new types of vulnerabilities remain.

IoT credential compromise

One of the latest threats we’re seeing is IoT credential compromise. Attackers use vulnerabilities in the web applications and mobile applications used by certain IoT devices to acquire credentials. These details can then be used to view the video feed, set/receive/delete alarms, remove saved video clips from cloud storage and read account information.

Attackers can also use the credentials to push their own firmware update to the device, changing its functionality and using the compromised device to attack other devices on the same network.

The Barracuda Labs team recently conducted research on a connected security camera to illustrate this threat. They identified multiple vulnerabilities in the camera’s web app and mobile app ecosystem. Using these vulnerabilities, the team was able to perform a number of attacks to acquire credentials and compromise an IoT device, all without a direct connection to the device itself.

Credit: Fergus Halliday | IDG

This makes life easier for attackers. No more scanning on Internet connected device search engine Shodan for vulnerable devices. Instead, the attack will be performed against the vendor’s infrastructure. It’s a threat that could affect other types of IoT devices as well, regardless of their function, because it takes advantage of the way the device communicates with the cloud.

After all, bugs are not inherent to products, rather to processes, skills and awareness of the developers. As access and access controls for IoT devices shifted to cloud services, so did the vulnerabilities, making possible the types of attacks uncovered by the Barracuda Labs team.

(Excerpt) Read more Here | 2019-03-13 22:52:00

LEAVE A REPLY

Please enter your comment!
Please enter your name here