A sharp lesson for IoT device security


Kevin Bocek, Vice President of Security Strategy for Venafi, comments on Hewlett-Packard’s Smart Watch Study, which found major security flaws in top brand smartwatches.

HP’s report found that smartwatches showed a lack of transport encryption protocols. While every device implemented encryption using SSL/TLS, 40% of devices remained exposed to known vulnerabilities such as POODLE, or still used SSL v2.

“The Internet of Things (IoT) will continue to be a frequent target for cybercriminals as its prevalence in the market increases. Security, however, appears to be an afterthought when it comes to internet-enabled devices such as smartwatches,” Bocek said.

“Much like our day-to-day mobiles, tablets and computers, anything that connects to the internet needs to be secure in order to protect our data. SSL/TLS keys and certificates form the foundation of trust on the internet, and the prevalence of vulnerabilities and attacks on these have shown us that this problem is not going away and we must be vigilant in protecting them. The issues are only exacerbated when extended to IoT as the number of unsecured keys and certificates propagates,” he continued.

Sobering wakeup call

What does this mean for organisations that rely on these technologies? It is a sobering wakeup call that they must 1) know where all their keys and certificates are installed; 2) have detailed information on each key (including owner, algorithm and key lengths, among others); and 3) have recovery plans in place to replace any key, certificate, or service that has been compromised, and to do so within hours, not days or weeks.