It’s the servers, stupid! Unlike the economy, where people at least comprehended the problem, it seems we are automating more and securing less. The annual Black Hat Conference, where participants treat this as a challenge, and the daily news are both serving up some prime examples.
In Las Vegas, Lucas Lundgren, a senior security consultant at IOActive, scanned away–and was able to open prison doors and gain access to alarm systems, an oil pipeline, a German train controller, pacemakers, heart monitors, and insulin pumps. These devices communicate with servers through MQTT, an open messaging protocol used in home and industrial systems. The problem is that access to the servers is not protected by a user name and password, much less two-factor authentication. “Not only can we read the data — that’s bad enough — but we can also write to the data.” Scary when you contemplate a hospital with insulin pumps, BP monitors, and multiple surgical devices all going haywire. ZDNet
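As an added illustration (this is not code from the original post or from IOActive's work) of what “not protected by a user name and password” looks like on the wire: an MQTT 3.1.1 CONNECT packet carries a username flag and a password flag in its connect-flags byte, so a defender watching traffic at the broker can parse each CONNECT and list every device that connected anonymously. The device names and credentials below are constructed samples, not captures.

```python
import struct

# MQTT 3.1.1 CONNECT packet: fixed header 0x10, variable header, payload.
# Connect-flag bits in the variable header:
USERNAME_FLAG = 0x80
PASSWORD_FLAG = 0x40
WILL_FLAG = 0x04
CLEAN_SESSION = 0x02


def _encode_remaining_length(n):
    """Variable-length 'remaining length' field: 7 bits per byte, 0x80 = continue."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def _decode_remaining_length(buf, offset):
    value, multiplier = 0, 1
    while True:
        byte = buf[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _field(data):
    """Length-prefixed (big-endian uint16) binary field."""
    return struct.pack("!H", len(data)) + data


def _read_field(buf, offset):
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    data = buf[offset:offset + length]
    if len(data) != length:
        raise ValueError("truncated field")
    return data, offset + length


def build_connect(client_id, username=None, password=None, keep_alive=60):
    """Build a CONNECT packet; used here only to construct sample traffic."""
    flags = CLEAN_SESSION
    payload = _field(client_id.encode())
    if username is not None:
        flags |= USERNAME_FLAG
        payload += _field(username.encode())
    if password is not None:
        flags |= PASSWORD_FLAG
        payload += _field(password)
    var_header = _field(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keep_alive)
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def parse_connect(pkt):
    """Return the identity fields of a CONNECT packet and whether credentials were sent."""
    if pkt[0] & 0xF0 != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, off = _decode_remaining_length(pkt, 1)
    body = pkt[off:off + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    proto, off = _read_field(body, 0)
    if proto != b"MQTT":
        raise ValueError("unexpected protocol name %r" % proto)
    level, flags = body[off], body[off + 1]
    off += 4  # skip protocol level, connect flags and the 2-byte keep-alive
    client_id, off = _read_field(body, off)
    if flags & WILL_FLAG:  # will topic and will message precede the credentials
        _, off = _read_field(body, off)
        _, off = _read_field(body, off)
    username = None
    if flags & USERNAME_FLAG:
        raw, off = _read_field(body, off)
        username = raw.decode()
    return {
        "client_id": client_id.decode(),
        "protocol_level": level,
        "username": username,
        "has_password": bool(flags & PASSWORD_FLAG),
    }


def anonymous_clients(packets):
    """Client IDs that connected without a username: exactly what the broker should reject."""
    return [p["client_id"] for p in map(parse_connect, packets) if p["username"] is None]


# Constructed sample traffic (not real captures): one device connects with no
# credentials at all, one with a username/password pair.
SAMPLE_PACKETS = [
    build_connect("insulin-pump-17"),
    build_connect("door-controller-2", username="ops", password=b"hunter2"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(parse_connect(pkt))
    print("anonymous:", anonymous_clients(SAMPLE_PACKETS))
```

The real fix lives on the broker, not in the monitor: on Mosquitto, for example, that means `allow_anonymous false` together with a `password_file`, and TLS on the listener, since an MQTT password otherwise crosses the wire in clear text. The parser above is the detection side of that control: run it over the CONNECT packets seen at the broker, and anything `anonymous_clients` returns is a device the broker should have refused.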
Similarly, easy hacking pickings have turned up in IoT cameras–over 175,000 inexpensive cams made by Chinese manufacturer Shenzhen Neo Electronics, sold as NeoCoolCam and distributed worldwide, as discovered by BitDefender. Older Amazon Echo devices can be physically tampered with to upload malware that turns them into listening devices, according to MWR InfoSecurity.
And Anthem gets no respect. After suffering its 2015 data breach of 80 million members–and spending $115 million to settle the lawsuit–a third-party contractor, LaunchPoint Ventures, decided that no one would notice if 18,500 patient records were sent to a home email a year ago. Actually, it was noticed, but only after the contractor was nabbed for unrelated “identity theft-related activities” this past April. More ‘splainin’ to do to HHS, surely, after filing their July 24 report. At least it’s not an IoT breach! Healthcare Dive