« What lessons learned from Linux define the data center OS? | Main | Avoiding an Internet for (Useless) Things »
Friday
Sep112015

FBI and the DHS (Finally) Weigh in on IoT

It's been a long time coming, IMO, but the NCCIC Computer Emergency Readiness Team has released a note "…capturing the urgency of an IC3 alert on Internet of Things devices…" 

An excerpt:

What are the IoT Risks?
Deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices. Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety. The main IoT risks include:
  • An exploitation of the Universal Plug and Play protocol (UPnP) to gain access to many IoT devices. The UPnP describes the process when a device remotely connects and communicates on a network automatically without authentication. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Cyber actors can change the configuration, and run commands on the devices, potentially enabling the devices to harvest sensitive information or conduct attacks against homes and businesses, or engage in digital eavesdropping; 
  • An exploitation of default passwords to send malicious and spam e-mails, or steal personally identifiable or credit card information; 
  • Compromising the IoT device to cause physical harm; 
  • Overloading the devices to render the device inoperable; 
  • Interfering with business transactions.

For anyone involved in this arena, this rates a round of polite applause, but also feels (to me) to be far too little, far too light and far too late.  The recommendations included in the document are sensible, practical and fall woefully short of providing guidance to the nature of IoT devices that are managed and administered remotely.   

Thanks to Bob Gourley, who blogged on this in: Time To Spread The Word on Internet of Things Dangers: Read what FBI and DHS Cyber Centers Need Us All To Know - CTOvision.com:

PrintView Printer Friendly Version

EmailEmail Article to Friend

References (3)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
All HTML will be escaped. Hyperlinks will be created for URLs automatically.