This was pointed out to me early as the classic security problem with edge devices lost in the field: they will never be updated to be secure, and they are attached to many other networks and devices, making them insecure.
Critical Flaws in Millions of IoT Devices May Never Get Fixed
In Wired, by Lily Hay Newman
Internet of Things (IoT) security firm Forescout uncovered 33 flaws, collectively labeled Amnesia:33, in seven open source TCP/IP stacks that potentially leave millions of IoT devices vulnerable. Many of the bugs were basic programming errors, like missing input validation checks that keep a system from accepting problematic values or operations. Patching these flaws is difficult if not impossible, as five stacks have been around for nearly two decades, while two have circulated since 2013; this means numerous versions and variants exist, with no central authority to issue fixes. Moreover, manufacturers who have incorporated the code into their products would have to proactively adopt the correct patch for their version and deployment, then circulate it to users. Said Forescout’s Elisa Costante, "What scares me the most is that it’s very difficult to understand how big the impact is and how many more vulnerable devices are out there."