The U.S. can pass all the IoT security legislation it wants. Unfortunately, many IoT manufacturers and equipment makers operate overseas, which allows them to circumvent many of these regulatory requirements. Hundreds of these vendors currently embed the same software and firmware in their IoT products, which lets a multitude of unchecked security bugs find their way into numerous IoT devices. The article that follows describes in detail what is happening and how.
This week’s news that over two million IoT devices are vulnerable to attack gets to the heart of the problem with IoT: a polluted and unaccountable supply chain.
The devices are vulnerable thanks to a significant bug in software that they share, warned cybersecurity researcher Paul Marrapese. He detailed the flaw on a dedicated site after getting no response from the vendors responsible.
One promise of IoT devices is that you can connect to them from wherever you are. You might want to check on a home security camera while on holiday, for example. With traditional networked home devices, you have to use something like port forwarding on your home router to reach them.
Instead, peer-to-peer (P2P) technology lets you connect to them using a unique serial number. P2P is a technology feature in many connected devices that lets you find and connect to them online without any extra configuration.
The problem lies in an insecure version of P2P software called iLnkP2P, explained Marrapese. Hundreds of different IoT vendors use this software, made by Shenzhen Yunni Technology Company, Inc.