Tales from Black Hat 2014: The Internet of Things Too Much for FISMA?

According to an article on www.fcw.com, “the cybersecurity vulnerabilities uncovered in a number of the Transportation Security Administration’s (TSA) electronic security and personnel management devices are part of a growing problem for federal IT managers.”

This information comes from Billy Rios, director of threat intelligence at Qualys, a security tech firm. Rios presented a paper at the Black Hat cybersecurity convention earlier this month. His paper “showed electronic backdoors, hard-coded credentials and other fundamental security flaws in a number of the TSA’s detection, management and security devices,” according to the article.

A PC Magazine article reports that Rios found default passwords hard-coded into the scanning machines the TSA uses at its checkpoints.

Rios told FCW that the “TSA is not alone among federal agencies or private industry in its inarticulate response to the quickly evolving ‘Internet of Things,’ where a sprawl of previously unconnected devices is becoming Internet-capable.”

Rios warns there could be threats lurking in all kinds of devices, even the environmental monitoring devices that the General Services Administration is using as part of its green initiative, for example.

The procurement process of any Internet-connected devices is crucial, Rios explains. Companies need to understand what devices they’re buying, what they’re used for and how they can be accessed.

Rios says the Federal Information Security Management Act (FISMA) regulations don’t provide adequate coverage for the emerging threat of back-door cyberattacks on federal facilities.

“No document covers the root stuff. We need to understand the devices and what’s being bought,” he told FCW.


For more information and more specific examples of vulnerable devices, see the FCW article here: http://fcw.com/Articles/2014/08/15/IoT-security-concerns.aspx?Page=2
Here’s another article from IBM’s Security Intelligence you may find interesting: http://securityintelligence.com/black-hat-2014-where-the-internet-of-things-meets-reality/#.U_NHwfldWn8