Changing the Course of IoT’s Future from Its Insecure Past – Paddy Harrington – ASW #297
1. Changing the Course of IoT’s Future from Its Insecure Past – Paddy Harrington – ASW #297
IoT devices are notorious for weak designs, insecure implementations, and a lifecycle that mostly ignores patching. We look at external factors that might lead to change, like the FCC's cybersecurity labeling for IoT. We explore the constraints that often influence poor security on these devices, whether those constraints are as consequential given modern appsec practices, and what the opportunities are to make these devices more secure for everyone.
Segment resources:
Announcements
Don’t lose access to the Security Weekly content you know and love - make sure that you subscribe to your favorite podcasts feeds on an alternative platform like Spotify, YouTube Music, Amazon Music, Apple Podcasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now! We love to see your ratings and feedback so make sure to tell us what you think of the latest episodes.
Guest
Paddy is a senior analyst at Forrester advising security and risk professionals. He focuses on endpoint security on platforms ranging from desktop PCs to internet-of-things (IoT) devices. His research includes the endpoint’s impact on the security of business applications and data in light of the recent proliferation of edge devices and the evolving work environment.
Hosts
2. Apache HTTPD Vulns, Hacking IoT Speakers, Use Cases for WASM, Slack AI Leak – ASW #297
Research by Orange Tsai into Apache HTTPD's architecture reveals several vulns, NCC Group shows techniques for hacking IoT devices with Sonos speakers, finding use cases for WebAssembly, Slack's AI leaks data, DARPA wants a future of Rust, and more!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
- 1. Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! | Orange Tsai
- 2. BlackHat USA 2024 – Listen-Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
- 3. wasmCloud on the factory floor: efficient and secure processing of high velocity machine data | CNCF
- 4. Slack AI data exfiltration from private channels via indirect prompt injection
- 5. Translating All C to Rust (TRACTOR)
- 6. Listen to the whispers: web timing attacks that actually work | PortSwigger Research
- 1. Adobe releases a mass of security updates
I'm just linking to Adobe's top-level security page, so this story won't age well - as of today, there are 11 announcements across Adobe products that were published on August 13th, and many of these announcements have a collection of vulnerabilities under their own banner. Lots of arbitrary code execution, denial of service, memory leaks - either a common library was repaired, or a new tool was brought into the SDLC and found a bunch of errors that hadn't been recognized before...or maybe something else?
- 2. Security and RFID smart cards…
This paper goes through a collection of issues in RFID cards that includes an encrypted backdoor, which once broken results in being able to easily clone the cards at scale.
We think of depending on hardware things like smart cards as a reliable security factor - it's just a benign card, right?
- 3. MakeShift: A Security Analysis of Shimano wireless bike shifters
We've talked a few times about not just the IoT devices in your car, but the network of these devices. Networks have come to some higher-end bicycles over the last few years as well, including Shimano's Di2 gear shifting system. Among the issues they found is an ability to jam another cyclist's shifting system - one could call such a capability "problematic" in a bike race, let alone day-to-day...