Information Security News mailing list archives

IoT vendors ignore basic security best practices, CITL research finds


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 11 Sep 2019 09:01:20 +0000 (UTC)

https://www.itworld.com/article/3436877/iot-vendors-ignore-basic-security-best-practices-citl-research-finds.html

By J.M. Porup
Senior Writer
CSO
September 10, 2019

Turning on compile-time security features is easy. So why aren't more IoT device makers doing so?

Adding flags for security features when building IoT firmware binaries would dramatically improve the security of IoT devices across the board. Almost no one is doing it, and the problem is getting worse, not better, according to new research from the CITL mass fuzzing project.

Cyber ITL is a non-profit Consumer Reports-style security laboratory that has so far automated the fuzzing of more than three million IoT firmware binaries released over the last 15 years. Its results are discouraging.

"It's very easy to do," CITL chief scientist Sarah Zatko tells CSO of IoT vendors' failure to turn on basic compile-time safety features. "There's no good reason not to do it, and they're just not bothering."

[...]


