#CyberFLASH: Security still not tough enough in IoT


Every vendor’s got a piece of the Internet of Things, including Wilson Sporting Goods, which on Monday revealed a Bluetooth-enabled football that captures data about the ball’s performance in the air and relays it to a smart phone app.

But also on Monday a security researcher at Trustwave SpiderLabs blogged about a vulnerability he found in a smart thermostat he bought last December as part of a new furnace from manufacturer Trane.

Username and password credentials on the Wi-Fi Comfortlink XL850 thermostat were hard-coded into the firmware and couldn’t be changed. The device also held open a TCP port. Combined, these flaws could give an attacker remote access to the device, allowing not only harmless things like changing the home’s temperature, but also access to chat and alarm history, active socket connections, trusted URLs, secret IDs, and detailed address and installer information.

Among other things, an attacker might also be able to figure out when someone wasn’t home.

In addition, Trustwave found that a lot of the source code for the thermostat’s Nexia mobile platform was available on GitHub, the public exchange for developers, and that it included sensitive information about the software, including encryption keys, credentials and others.

Almost as bad is that it took Trustwave about two months to find someone at Trane who it could notify about the problem and have it fixed.


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.