One Article Review

Source: Errata Security
Identifier: 850709
Publication date: 2018-10-16 17:06:57 (viewed: 2018-10-16 23:17:12)
Title: Notes on the UK IoT cybersec "Code of Practice"
Text: The British government has released a voluntary "Code of Practice" for securing IoT devices. I thought I'd write some notes on it.

First, the good parts

Before I criticize the individual points, I want to praise it for having a clue. So many of these sorts of things are written by the clueless, those who want to be involved in telling people what to do, but who don't really understand the problem.

The first part of the clue is restricting the scope. Consumer IoT is so vastly different from things like cars, medical devices, industrial control systems, or mobile phones that they should never really be talked about in the same guide.

The next part of the clue is understanding the players. It's not just the device that's a problem, but also the cloud and mobile-app components that relate to the device. Though they do go too far and include the "retailer", which is a bit nonsensical.

Lastly, while I'm critical of most of the points on the list and how they are described, it's probably a complete list. There's not much missing, and at the same time, it includes little that isn't necessary. In contrast, a lot of other IoT security guides lack important things, or take the "kitchen sink" approach and try to include everything conceivable.

1) No default passwords

Since the Mirai botnet of 2016 famously exploited default passwords, this has been at the top of everyone's list. It's the most prominent feature of the recent California IoT law. It's the major feature of federal proposals.

But this is only a superficial understanding of what really happened. The issue wasn't default passwords so much as Internet-exposed Telnet.

IoT devices are generally based on Linux, which keeps operating-system account passwords in /etc/passwd (or, where shadow passwords are enabled, /etc/shadow). However, devices almost never use those accounts. Instead, the web-based management interface maintains its own password database. The underlying Linux system is vestigial, like an appendix, and not really used.

But these devices exposed Telnet, providing a path to this otherwise unused functionality. I bought several of the Mirai-vulnerable devices, and none of them used /etc/passwd for anything other than Telnet.

Another way default passwords get exposed in IoT devices is through debugging interfaces. Manufacturers configure the system one way for easy development, and then ship a separate "release" version. Sometimes they make a mistake and ship the development backdoors as well. Programmers often insert secret backdoor accounts into products for development purposes without realizing how easy it is for hackers to discover those passwords: the account and its hash sit in the firmware image, which anyone can download and unpack.

The point is that this focus on default passwords misunderstands the problem. Device makers can easily believe they are compliant with this directive (the web interface ships with no default password) while still shipping backdoor accounts.

As for the web management interface, saying "no default passwords" is useless on its own. Users have to be able to set up the device the first time, so there has to be some way to connect to the device before a password has been chosen. Device makers don't know how to do this without default passwords. Instead of mindless guidance about what not to do, a document needs to be written that explains how devices can do this both securely and easily enough for users to use.

Humorously, the footnotes in this section do reference external documents that might explain this, but they are the wrong documents: appropriate for things like website password policies, but inappropriate for IoT web interfaces. This again demonstrates how they have only a superficial understanding of the problem.

2) Implement a vulnerability disclosure policy

This is a clueful item, and it should be the #1 item on every list.
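The Telnet-versus-web-interface split described under item 1 above can be checked mechanically once a firmware image is unpacked. The following is an added example, not code from the original post nor any vendor's tooling: it walks an extracted root filesystem, lists the OS accounts a Telnet (or any getty-style) login would accept, and reports whether an init script launches a telnet daemon. The sample filesystem, its hash strings and the /etc/webadmin.conf path are constructed for illustration.

```python
"""
Audit an unpacked firmware root for the failure mode under item 1: the
web UI keeps its own credential store, but /etc/passwd still carries a
usable hash that only a Telnet login would ever consult.

Added example, not from the original post or any vendor. SAMPLE_FS is a
constructed BusyBox-style root with invented hash strings.
"""
import re
from dataclasses import dataclass

SAMPLE_FS = {
    "/etc/passwd": (
        # md5crypt hash for root with a real shell: Telnet would accept it
        "root:$1$abc12345$NoTaReAlHaSh0123456789:0:0:root:/:/bin/sh\n"
        # web-UI admin has a locked OS password and no shell: harmless here
        "admin:*:1000:1000::/:/bin/false\n"
        # leftover development account: DES-crypt hash, uid 0, real shell
        "support:abJnggxhB/yWI:0:0::/:/bin/sh\n"
        "nobody:x:99:99::/:/sbin/nologin\n"
    ),
    "/etc/shadow": "nobody:*:17000:0:99999:7:::\n",
    "/etc/inittab": (
        "::sysinit:/etc/init.d/rcS\n"
        "::respawn:/usr/sbin/telnetd -l /bin/login\n"
        "::respawn:/usr/sbin/httpd -p 80\n"
    ),
    "/etc/init.d/rcS": "#!/bin/sh\nmount -a\n",
    # the web UI's own database, separate from the OS accounts (assumed path)
    "/etc/webadmin.conf": "user=admin\npass=\n",
}

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}
TELNET_RE = re.compile(r"\b(telnetd|utelnetd|in\.telnetd)\b")


def hash_kind(h: str) -> str:
    """Classify a crypt(3) password field."""
    if h in ("", "*", "!", "!!", "*LK*"):
        return "locked"
    if h == "x":
        return "shadowed"          # real hash lives in /etc/shadow
    if h.startswith("$1$"):
        return "md5crypt"          # cheap to crack offline
    if h.startswith(("$5$", "$6$")):
        return "sha-crypt"
    if h.startswith("$2"):
        return "bcrypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "descrypt"          # 8-char passwords, trivially crackable
    return "unknown"


@dataclass
class Account:
    user: str
    uid: int
    shell: str
    hash_kind: str


def loginable_accounts(fs: dict) -> list:
    """Accounts with an unlocked hash and an interactive shell."""
    shadow = {}
    for line in fs.get("/etc/shadow", "").splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    found = []
    for line in fs.get("/etc/passwd", "").splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, h, uid, _gid, _gecos, _home, shell = fields
        if h == "x":
            h = shadow.get(user, "")
        kind = hash_kind(h)
        if kind == "locked" or shell in NOLOGIN_SHELLS:
            continue
        found.append(Account(user, int(uid), shell, kind))
    return found


def telnet_launchers(fs: dict) -> list:
    """(path, line number, text) of uncommented lines that start a telnet daemon."""
    hits = []
    for path in ("/etc/inittab", "/etc/init.d/rcS", "/etc/rc.local"):
        for n, line in enumerate(fs.get(path, "").splitlines(), 1):
            if TELNET_RE.search(line) and not line.lstrip().startswith("#"):
                hits.append((path, n, line.strip()))
    return hits


def audit(fs: dict) -> dict:
    accounts = loginable_accounts(fs)
    telnet = telnet_launchers(fs)
    return {
        "accounts": accounts,
        "telnet": telnet,
        # the Mirai-style exposure: uid-0 OS accounts reachable over the network
        "exposed_uid0": [a.user for a in accounts if a.uid == 0] if telnet else [],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_FS)
    for a in report["accounts"]:
        print(f"loginable: {a.user} uid={a.uid} shell={a.shell} hash={a.hash_kind}")
    for path, n, text in report["telnet"]:
        print(f"telnet started by {path}:{n}: {text}")
    print("uid-0 accounts reachable via Telnet:", report["exposed_uid0"])
```

Run it against a root filesystem pulled out of a firmware image (binwalk and a squashfs extractor are the usual route) by loading the relevant files into the dictionary. A device can pass a "no default password in the web UI" checkbox and still produce two findings here, which is exactly the gap the post describes.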
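The setup problem raised under item 1 (the user must reach the device before any password exists, so vendors fall back to a shared default) has a well-known resolution that the post says the Code fails to spell out: a random per-unit setup code printed on the label, stored on the device only as a salted hash, honoured only on the local interface and only until the owner has chosen a real password. The following is an added example of that flow, not code from the original post or from the Code of Practice; the Device class, its state machine, the attempt limit and the label alphabet are assumptions chosen for illustration.

```python
"""
First-run setup without a global default password: per-unit label code,
hashed on the device, valid only locally and only until provisioning.

Added example, not from the original post or the Code of Practice.
"""
import hashlib
import hmac
import os
import secrets
from enum import Enum

KDF_ITERATIONS = 100_000      # PBKDF2-HMAC-SHA256; use scrypt/argon2 if the SoC can afford it
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I confusion on a sticker


class State(Enum):
    UNPROVISIONED = "unprovisioned"
    PROVISIONED = "provisioned"


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS)


class Device:
    MAX_ATTEMPTS = 5   # assumed lockout threshold

    def __init__(self, label_code: str):
        # Factory step: only the salted hash of the label code goes into flash.
        self._label_salt = os.urandom(16)
        self._label_hash = _kdf(label_code, self._label_salt)
        self._user_salt = None
        self._user_hash = None
        self.state = State.UNPROVISIONED
        self._failures = 0

    @classmethod
    def factory_provision(cls):
        """Returns (device, label_code); the code is printed, never stored in firmware."""
        code = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(10))
        return cls(code), code

    @staticmethod
    def _matches(candidate: str, salt: bytes, digest: bytes) -> bool:
        return hmac.compare_digest(_kdf(candidate, salt), digest)

    def login(self, password: str, local_interface: bool) -> bool:
        if self._failures >= self.MAX_ATTEMPTS:
            return False                       # locked until factory reset
        if self.state is State.UNPROVISIONED:
            if not local_interface:
                return False                   # label code is never valid from the WAN
            ok = self._matches(password, self._label_salt, self._label_hash)
        else:
            ok = self._matches(password, self._user_salt, self._user_hash)
        self._failures = 0 if ok else self._failures + 1
        return ok

    def complete_setup(self, label_code: str, new_password: str) -> bool:
        """First-run flow: prove possession of the label, then pick a real password."""
        if self.state is not State.UNPROVISIONED:
            return False
        if not self.login(label_code, local_interface=True):
            return False
        if len(new_password) < 8 or self._matches(new_password, self._label_salt, self._label_hash):
            return False                       # the label code may not become the password
        self._user_salt = os.urandom(16)
        self._user_hash = _kdf(new_password, self._user_salt)
        self.state = State.PROVISIONED
        return True

    def factory_reset(self) -> None:
        """Physical-button reset: user password wiped, back to label-code setup."""
        self._user_salt = self._user_hash = None
        self._failures = 0
        self.state = State.UNPROVISIONED


if __name__ == "__main__":
    dev, code = Device.factory_provision()
    print("label code (on the sticker):", code)
    print("WAN login with label code:", dev.login(code, local_interface=False))
    print("setup from LAN:", dev.complete_setup(code, "correct-horse-battery"))
    print("label code after setup:", dev.login(code, local_interface=True))
    print("owner password from WAN:", dev.login("correct-horse-battery", local_interface=False))
```

Two design points matter here. The code is random per unit, not derived from the serial number or MAC with a secret baked into the firmware, because that secret is recoverable from any one device. And the code is only accepted before provisioning and only from the local side, so a fleet of unconfigured devices on the Internet is still not a Mirai-style target.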
Tags: Hack


The article does not appear to have been picked up elsewhere after its publication.


The article does not appear to be a repost of an earlier one.