On IoT security, the researchers are worried about the possibility for such vulnerabilities to lead onto ‘second and third factor’ attacks, such as credit card details being stolen from connected devices.
“People think about the first problem; some guy runs code on my system – what do I care?” said Tenaglia. “These second and third factors, that’s where we’re trying to get to. What are the real consequences of this?”
“People want to integrate IoT devices into everything now…The more stuff is gets integrated into, the more real-world consequences you’re going to have when someone else gains control,” added Tanen.
Tenaglia drew a parallel with Android security, saying that while there have been efforts to sandbox apps and develop good security practice, such as not run Telnet from boot, IoT remains in a 1995 era. “Everything we’ve learned since then people aren’t doing.”
He said that IoT devices are susceptible to ‘low hanging fruit’ attacks like XML injection attacks.
Tanen urges vendors to ensure they restrict privileges with their IoT devices, while Tenaglia says adopting businesses should build security design stack with third-parties and get help with security assessment.
Sign up for CIO Asia eNewsletters.