A Linux Tool to Improve the Security of IoT Devices
The first rule of building a secure and feature-rich ecosystem is software management — push and pull software updates and software discovery through an app store mechanism from a trusted source.
In the go-to-market IoT race, though, that often doesn’t happen. Many Internet of Things (IoT) product developers have ignored the traumatic early history of Microsoft Windows, Android and web platforms, and expoits of IoT devices — because software updates have not been designed in — are regularly reported. Those earlier platforms have been hardened, updates have been automated, and the app discovery and installation have been made trustworthy. IoT developers need to follow their lead. Snappy, a software deployment and package management system designed and built by Canonical for the Ubuntu operating system, could be a shortcut to building a trusted IoT application. (Read More)
Leak of >1,700 Valid Passwords Could Make the IoT Mess Much Worse
Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 “Internet of things” devices and make them part of a destructive botnet.
The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs. It is likely that criminals have been using the list for months as a means to infect large numbers of devices with malware that turns them into powerful denial-of-service platforms. Still, for most of its existence, the list remained largely unnoticed, with only some 700 views. (Read More)
A Mirai Malware Vaccine to Protect Insecure IoT Devices
The hazard of unsophisticated and poorly secured Internet of Things (IoT) devices came to the front last year with the Mirai DDoS attack that involved nearly a million bots. Many of these devices remain a threat.
Researchers have posed an original solution to the problem: Use the vulnerability of these devices to inject a white worm that secures the devices. It is an epidemiological approach that creates immunity with a vaccine by exposing the immune system to a weakened form of the disease. These devices are still a threat because some cannot be fixed because they have hard-coded back doors. Other insecure devices have software or firmware vulnerabilities that cannot be fixed because product designers did not include a software updates mechanism. (Read More)