{"id":7675,"date":"2017-05-17T08:41:34","date_gmt":"2017-05-17T16:41:34","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/17\/news-1460\/"},"modified":"2017-05-17T08:41:34","modified_gmt":"2017-05-17T16:41:34","slug":"news-1460","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/05\/17\/news-1460\/","title":{"rendered":"Zero Patch IoT Environment"},"content":{"rendered":"<p><strong>Credit to Author: Axelle Apvrille| Date: Wed, 17 May 2017 09:28:10 -0700<\/strong><\/p>\n<div class=\"entry\">\n<p>Over the last few months or years I have reported vulnerabilities on several IoT devices.&nbsp;<strong>None<\/strong>&nbsp;have been patched so far, and I think it is time to discuss the situation openly.<\/p>\n<p>One of the issues I have faced several times is the&nbsp;<strong>zero-security-culture<\/strong>&nbsp;phenomenon. Some of those IoT companies were typically very small and young, with sadly neither the skills nor the resources to fix security issues.<\/p>\n<p>For example, I remember sending several vulnerabilities to a given company. I got an automated response for the first email (ok), but then no answer for the next ones (strange). Of course, I re-sent it and even tried other email recipients: no response. I finally found out that their only action to my first vulnerability report had been&#8230; guess? &#8230; to&nbsp;<strong>black list my email<\/strong>&nbsp;because they had mistaken the vulnerability report for spam. See the screenshot below, where I tried to submit a request online, which highlights the problem: &quot;requester is suspended&quot;!<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/0patch1.png\" style=\"width: 586px; height: 575px;\" \/><\/p>\n<p>So, how do you get in touch when your email has been blacklisted?<\/p>\n<p>Of course, you can try another email, but that will only result in getting that other email blacklisted too. 
After several attempts, I had the idea to&nbsp;<strong>ask them for a quote<\/strong>&nbsp;(there&#39;s an online form for that) to &quot;bait&quot; them. I got an answer in less than 24 hours! The difference in speed in handling a request for a quote compared to a request for support speaks for itself \ud83d\ude41<\/p>\n<p>So, finally, we managed to get in touch and I explained the vulnerabilities. The answer was that it would be fixed&nbsp;<em>&quot;soon,&quot;<\/em> with the &quot;amusing&quot; claim that the vulnerability I found would only be possible on&nbsp;<em>my account, because my account was &quot;special&quot; and that others would be handled differently<\/em>&nbsp;(lol).&nbsp;<strong>We inquired (months ago) when&nbsp;<em>&quot;soon&quot;<\/em>&nbsp;would be and haven&#39;t received any answer so far<\/strong>.<\/p>\n<p>But&#8230; what did I notice a few weeks ago? &#8230; That&nbsp;<strong>my account has been closed<\/strong>&nbsp;(without any warning or notification). That&#39;s a great patch, isn&#39;t it? \ud83d\ude41 If you close the accounts of security researchers, you don&#39;t get any security vulnerability reports, which means your product is secure, right?<\/p>\n<p><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/0patch2.png\" style=\"width: 553px; height: 532px;\" \/><\/p>\n<p>I wish I could say that my experience here was unique. But it wasn&rsquo;t. 
I can&#39;t conclude anything except that&nbsp;<strong>IoT will remain insecure if there is no will to secure it<\/strong>.<\/p>\n<p>&#8212; A frustrated Crypto Girl \ud83d\ude09<\/p>\n<\/div>\n<p><a href=\"http:\/\/blog.fortinet.com\/2017\/05\/17\/zero-patch-iot-environment\" target=\"bwo\">https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/0patch1.png\"\/><\/p>\n<p><strong>Credit to Author: Axelle Apvrille| Date: Wed, 17 May 2017 09:28:10 -0700<\/strong><\/p>\n<p>Over the last few months or years I have reported vulnerabilities on several IoT devices.\u00a0None\u00a0have been patched so far, and I think it is time to discuss the situation openly.    One of the issues I have faced several times is the\u00a0zero-security-culture\u00a0phenomenon. Some of those IoT companies were typically very small and young, with sadly neither the skills nor the resources to fix security issues.    For example, I remember sending several vulnerabilities to a given company. 
I got an automated response for the first email (ok),&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-7675","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7675","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7675"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7675\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7675"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7675"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}