More Internet of Things Insecurity
Another week, another exposure of billions of records of sensitive data. The security of the Internet of Things (IoT) has been a major concern ever since these devices proliferated in recent years; Palo Alto Networks reports that even now, 57% of IoT devices have insufficient security, and 98% of device data is unencrypted. As a direct consequence of these missteps, 2.7 billion records have now been compromised in an IoT mega breach, including user data like passwords, IP addresses, and Wi-Fi network names.
The database in question was unprotected: it was publicly accessible with neither password protection nor encryption, and 1.17 terabytes' worth of IoT device logs, monitoring records and error reports were put at risk. The firms in question, China-based Mars Hydro, developers of the Mars Pro app, and LG-LED SOLUTIONS LIMITED out of California, were notified of the vulnerability by a security researcher and quickly restricted database access.
Unfortunately, this reactive stance from companies underscores the critical weaknesses still at play in IoT data security. When a database is publicly exposed for any length of time, an organization runs the risk of network infiltration, ransomware or botnet deployment for DDoS attacks, among others. Further threats were specific to these companies in the agricultural industry, with corruption of utilities putting crops in danger.
Cyber Security News raises the question of third-party culpability in this incident, which LG-LED has not commented on. According to Ponemon Institute research, 47% of organizations in the last year experienced a cyberattack that involved a third party, and respondents were not optimistic about the problem's mitigation in the future, not when third-party remote access has become such a prominent attack surface. Many respondents cited insufficient resources, budget or strategy as additional factors in this persistent problem. Coupled with unchanged default passwords and poor encryption practices, it's no wonder that data security is on everybody's minds.
Of course, leaving sensitive data in unhashed plaintext is just asking for trouble, especially when remediation is relatively simple. NetLib Security's Encryptionizer solution provides transparent encryption of stored data across all environments: physical, virtual and cloud. Insecure devices with integrated network access provide an unnecessarily smooth avenue for cyber criminals, and Encryptionizer helps device manufacturers encrypt the data on new devices without any changes to program code and with virtually no impact on performance.