Entries in FBI (1)

Friday
Sep112015

FBI and the DHS (Finally) Weigh in on IoT

It's been a long time coming, IMO, but the NCCIC Computer Emergency Readiness Team has released a note "…capturing the urgency of an IC3 alert on Internet of Things devices…" 

An excerpt:

What are the IoT Risks?
Deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices. Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety. The main IoT risks include:
  • An exploitation of the Universal Plug and Play protocol (UPnP) to gain access to many IoT devices. The UPnP describes the process when a device remotely connects and communicates on a network automatically without authentication. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Cyber actors can change the configuration, and run commands on the devices, potentially enabling the devices to harvest sensitive information or conduct attacks against homes and businesses, or engage in digital eavesdropping; 
  • An exploitation of default passwords to send malicious and spam e-mails, or steal personally identifiable or credit card information; 
  • Compromising the IoT device to cause physical harm; 
  • Overloading the devices to render the device inoperable; 
  • Interfering with business transactions.

For anyone involved in this arena, this rates a round of polite applause, but also feels (to me) to be far too little, far too light and far too late.  The recommendations included in the document are sensible, practical and fall woefully short of providing guidance to the nature of IoT devices that are managed and administered remotely.   

Thanks to Bob Gourley, who blogged on this in: Time To Spread The Word on Internet of Things Dangers: Read what FBI and DHS Cyber Centers Need Us All To Know - CTOvision.com: