New research revealing the Ripple20 bugs that impact hundreds of millions of IoT devices – from printers to insulin pumps to power grids – underscores the need to put pressure on device manufacturers to take security more seriously.
“This is the issue that takes the cake. Dahua was hardcoding all of their major OEMs’ “cloud” DES/3DES keys in their executable that was being distributed. Just shameful. At least let the OEMs choose their own password and secure it themselves? I cannot think of a legitimate reason to do this,” commented Peter Eacmen, CTO & co-founder of ReFirm Labs.
Researchers at the Maryland-based cybersecurity firm ReFirm Labs said in 2017 that they had discovered a hidden “back door” in Dahua cameras that had been used to send data secretly to a Chinese network.
With Gartner projecting 5.8 billion IoT endpoints in use this year, Palo Alto Networks research indicates that 57% of IoT devices are vulnerable to attack. These findings should come as a bleak warning that, as millions and millions of Americans are working remotely during the COVID-19 pandemic and relying wholly on their home networks and personal devices, IoT security is now more critical than ever.
Ventilators and respirators, on the front line against the respiratory symptoms often deadly for coronavirus patients, may seem like natural points of vulnerability for medical organizations, but the real threats come from the flood of high-tech IoT medical equipment that must be integrated into a network and properly secured from attack. Co-founder Terry Dunlap sets the record straight on ventilator hacks.
“The act prohibits the use of federal subsidies made available through programs administered by the FCC [Federal Communications Commission] from being used to do business with any entity on the list of suspected communications equipment providers,” said Terry Dunlap, CSO and co-founder of ReFirm Labs, a security tech and services firm, and a former global network vulnerability analyst at the National Security Agency.
“Sen. Warner hits the nail precisely on the head – IoT manufacturers and Wi-Fi/telecom vendors need to make a much greater effort to ensure their devices and networks are secure,” Terry Dunlap, a former NSA offensive cyber operator and co-founder and chief strategy officer of ReFirm Labs, told SecurityWeek.
Experts say the cost of embracing Huawei is too great. “It’s important to note that Huawei gets its foot in the proverbial door via very attractive pricing that is the result of subsidization by the Chinese government,” said Terry Dunlap, a former cyberoperator at the U.S. National Security Agency and co-founder of the cybersecurity firm ReFirm Labs.
“Their strategy is long-term, slowly over time adding more and more pieces of communications gear until the eventual switching costs you would face from a non-subsidized replacement option become huge,” he said. “We cannot be penny wise and pound foolish. There’s too much at stake.”
One of the experts who has helped find what appear to be deliberate backdoors in Huawei firmware agreed with Sasse. “As a former intelligence official, I would agree with Ben Sasse that we and our Five Eyes partners should not cozy up to China in order to save a few pennies,” said Terry Dunlap, a former NSA hacker and co-founder of the cybersecurity firm ReFirm Labs.
Dark Reading takes a deep-dive look into the world of IoT security as IoT brings every aspect of our lives online. Phones, watches, printers, thermostats, lightbulbs, cameras, and refrigerators are only a handful of devices connecting to home and enterprise networks. This web of products is seemingly intended to make everyday tasks more convenient; unfortunately, their weak security gives attackers an easy route in.