IoT Security
Security risks/rules for the Internet Of Things.
Lots of home WebCam-s are easily viewable by anyone.
- apparently because cameras come with a standard default password, which users fail to change.
Medical Device-s: The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on...
BillyRios connected his pump to a computer network, just as a hospital would, and discovered it was possible to remotely take over the machine and “press” the buttons on the device’s touchscreen, as if someone were standing right in front of it...
In 2013, BarnabyJack died of a drug overdose one week before he was scheduled to attend Black Hat, where he promised to unveil a system that could pinpoint any wirelessly connected insulin pumps within a 300-foot radius, then alter the insulin doses they administered...
“I appreciate you wanting to jump in,” RickHampton, wireless communications manager for Partners Health Care System, said, “but frankly, some of the National Enquirer headlines that you guys create cause nothing but problems.”...
After six months, TrapX concluded that all of the hospitals contained medical devices that had been infected by malware...
The decoy devices that TrapX analysts set up in hospitals allowed them to observe hackers attempting to take medical records out of the hospitals through the infected devices. The trail, Wright says, led them to a server in Eastern Europe believed to be controlled by a known Russian criminal syndicate. Basically, they would log on from their control server in Eastern Europe to a blood gas analyzer; they’d then go from the BGA to a data source, pull the records back to the BGA, and then out. Wright says they were able to determine that hackers were taking data out through medical devices because, to take one example, they found patient data in a blood gas analyzer, where it wasn’t supposed to be...
In the hallway just outside his room, Rios found a computerized dispensary that stored medications in locked drawers. Doctors and nurses normally used coded identification badges to operate the machine. But Rios had examined the security system before, and he knew it had a built-in vulnerability: a hard-coded password that would allow him to “jackpot” every drawer in the cabinet...
That automated medicine cabinet wasn’t the only device he’d found with a hard-coded password; along with research partner TerryMcCorkle, Rios found the same vulnerability in about 300 different devices made by about 40 different companies. The names of those vendors weren’t released when the government issued its notice about the problem, and Rios says none of them has fixed the password problem.
https://www.iamthecavalry.org/
A couple of possible corrective models:
- OWASP - spreading of ReasonablePractices
- FrameWork equivalent to Web App Framework that gives you ReasonablePractices for free.