IoT updates

Updates to Internet of (not necessarily necessary) Things

Added a few days ago, in fact, but I’ve been a bit busy…

  • Threat Post: Remote Code Implantation Flaw Found in Medtronic Cardiac Programmers – “The flaw impacted patients with pacemakers, implantable defibrillators, cardiac resynchronization devices and insertable cardiac monitors.”
  • The Register: Last year, D-Link flubbed a router bug-fix, so it’s back with total pwnage – “Plain text password storage? Check. Directory traversal? Check. SOHOpeless? Check….Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched.”
  • The Register: Alexa heard what you did last summer – and she knows what that was, too: AI recognizes activities from sound – “Gadgets taught to identify actions via always-on mics” What could go wrong?
  • Pierluigi Paganini: A Russian cyber vigilante is patching outdated MikroTik routers exposed online – “Alexey described his activity on a Russian blogging platform, he explained he hacked into the routers to change settings and prevent further compromise.” As Paganini points out, this is still ‘cybercrime’. Well, in most jurisdictions. Indeed, I remember dissuading a friend from taking somewhat similar action to remediate the impact of the Code Red worm in 2001 . Even if the motivation is pure, it’s still unauthorized access and modification. I talked about related issues in the context of the BBC’s purchase of a botnet in 2009 here and elsewhere linked in the article. Unfortunately, the ESET link there no longer works, and it’s on ESET’s blog that I did most of my writing on the topic, but you could try this.
  • The UK’s National Cyber Security Centre (NCSC), in collaboration with the Department for Digital, Culture, Media and Sport (DCMS) , has published a Code of Practice for Consumer IoT Security (a differently-formatted – i.e. picture-free – version is available here). It is based on the following guidelines:
    • No default passwords
    • Implement a vulnerability disclosure policy
    • Keep software updated
    • Securely store credentials and security-sensitive data
    • Communicate securely
    • Minimise exposed attack surfaces
    • Ensure software integrity
    • Ensure that personal data is protected
    • Make systems resilient to outages
    • Monitor system telemetry data
    • Make it easy for consumers to delete personal data
    • Make installation and maintenance of devices easy
    • Validate input data

Commentary from The Register: GCHQ asks tech firms to pretty please make IoT devices secure – “Hive, HP Inc sign up to refreshed code of practice”


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.