Known Security Vulnerabilities Are a Hacker's Guide to an IoT Breach

The Internet of Things is a powerful trend, but its growth could be hindered by unpatched open-source vulnerabilities.
By Tae Jin (TJ) Kang

They Hide in the Code
Known security vulnerabilities hide in the code that organizations already use, so users are unaware that their code carries security threats waiting to be exploited. How, then, are these known vulnerabilities able to hide in, and pervade, the applications, platforms and devices that leverage open-source software?

Newer versions of open-source software (OSS) components are available with these security vulnerabilities removed. The challenge for OEMs and software-development teams is to accurately and effectively track every open-source component in their internally developed and externally sourced code, which is a nearly impossible task.

Such difficulty is partly due to the software development and procurement model. It is also attributable to the fact that development teams often receive third-party software in binary format.

First Scan the Binary for Known Security Vulnerabilities, Then Look for Logic or Programming Errors
Static code analyzers deliver value at different stages of the development process. Whether they examine source code or disassembled binary code, static code analyzers can help find common programming errors.

Nevertheless, scanning binary code for known security vulnerabilities has the greatest potential for reducing the vast majority of hacking incidents. For some time, development and quality-assurance teams have employed checksum and hash-based binary code scanners. While they have been reasonably effective, the tools have been constrained by limited databases of pre-compiled binaries of the most commonly used open-source components.

At present, development, security and software-provisioning teams can leverage binary code scanners that use code fingerprinting. These tools extract "fingerprints" from the binary under examination and compare them against fingerprints collected from open-source components hosted in well-known open-source repositories. Once a component and its version have been identified through fingerprint matching, development and security teams can readily look up the known security vulnerabilities associated with that component in vulnerability databases such as the NVD.
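The matching step described above, reduced to its essentials as an added example (not Insignary's or any vendor's code): identifying strings are pulled from a binary blob, hashed into a fingerprint set, compared against a reference fingerprint database, and the best component/version match is then used to look up known advisories. The component names, the firmware fragment and the advisory id are all constructed placeholders; a production scanner fingerprints far more than strings and consults a live database such as the NVD.

```python
import hashlib
import re

def _fp(tokens):
    """Hash each identifying token so fingerprints can be shared without the raw strings."""
    return {hashlib.sha256(t.encode()).hexdigest()[:16] for t in tokens}

# Constructed fingerprint database: tokens a real scanner would derive from
# building each published release of a component. Names are hypothetical.
FINGERPRINT_DB = {
    ("libexamplecrypto", "1.0.1"): _fp({"examplecrypto_init", "ec_handshake_v1", "ExampleCrypto 1.0.1"}),
    ("libexamplecrypto", "1.0.2"): _fp({"examplecrypto_init", "ec_handshake_v2", "ExampleCrypto 1.0.2"}),
    ("libexamplezip", "2.3"): _fp({"ez_inflate", "ez_deflate", "ExampleZip 2.3"}),
}

# Constructed stand-in for a vulnerability-database lookup keyed by (component, version).
KNOWN_VULNS = {
    ("libexamplecrypto", "1.0.1"): ["ADV-PLACEHOLDER-0001"],
}

def extract_strings(blob: bytes, min_len: int = 6):
    """Collect printable ASCII runs from the binary: version banners, symbol names, etc."""
    return {m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)}

def match_components(blob: bytes, threshold: float = 0.6):
    """Return (name, version, score) for every reference fingerprint sufficiently present in blob."""
    fp = _fp(extract_strings(blob))
    hits = []
    for (name, version), ref in FINGERPRINT_DB.items():
        overlap = len(fp & ref) / len(ref)  # fraction of the reference fingerprint found in the blob
        if overlap >= threshold:
            hits.append((name, version, round(overlap, 2)))
    return sorted(hits, key=lambda h: -h[2])

def scan(blob: bytes):
    """Identify bundled components, then attach the known advisories for each matched version."""
    return [{"component": name, "version": version, "score": score,
             "advisories": KNOWN_VULNS.get((name, version), [])}
            for name, version, score in match_components(blob)]

# Constructed firmware fragment: opaque bytes with a statically linked component's strings embedded.
SAMPLE_FIRMWARE = (b"\x7fELF\x00\x01" + b"examplecrypto_init\x00" + b"\x90" * 8
                   + b"ec_handshake_v1\x00ExampleCrypto 1.0.1\x00" + b"\xff" * 4)

if __name__ == "__main__":
    for finding in scan(SAMPLE_FIRMWARE):
        print(finding)
```

Note that the 1.0.2 entry shares one token with the sample but falls below the threshold, which is the distinction between "this library is present" and "this exact vulnerable version is present" that the lookup depends on.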

The IoT is a powerful trend. Yet its growth could be hindered by unpatched open-source security vulnerabilities, which give hackers easy opportunities to damage brands and cause potentially significant corporate losses. By leveraging binary code scanners, OEMs and MSPs, as well as IT, development and security teams, can implement an effective means of finding and shutting down IoT device and network security vulnerabilities, reducing the likelihood of successful attacks.

Tae Jin (TJ) Kang is a technology industry executive and entrepreneur. He is the president and CEO of Insignary. In addition to founding a number of successful technology startups, TJ has held senior management positions with several global technology leaders, including Korea Telecom and Samsung Electronics, among others.
