Research
Misconfiguration in telecom router leaks 30,000 patient data
Misconfiguration in telecom router leaks 30,000 patient data
Lorem Ipsum
Lorem ipsum
TablE of contents

READY TO UPGRADE YOUR RISK MANAGEMENT?

Make cybersecurity and compliance efficient and effective with ONEKEY.

Book a Demo
Comment by Rainer Richter, Director Channels, SEC Technologies "The Internet of Things is a curse and a blessing at the same time: while networked devices are streamlining our lives and opening up new lucrative business opportunities for businesses, the impact of increased connectivity on our physical and digital security is far worse. The number of IoT devices is constantly increasing, and so are the risks of misuse, data theft, or dangerous manipulation. One does not even need a lot of hacking skills. If you want to cause a serious data protection incident, just take a conventional telecom router with a simple misconfiguration. While this might sound like a fake news, this happened in a Lower Saxon doctor's office, quite recently. Their 30,000 sensitive patient and employee data were freely accessible to anyone on the Internet via a Windows server. A true disaster, not only in the eyes of the GDPR. Who was to blame for this mishap? A simple inadequate configuration of the ports. As investigations revealed, the business router didn't just open standard port 433 when releasing the service "HTTPS", but some ten access ports from the Internet. A small mistake that could and did result in serious consequences for the end-user. The incident is a perfect example of the state of our current IoT security. More than 90% of IoT firmware files show critical vulnerabilities, as demonstrated by a review of the IoT Inspector firmware analysis platform. In addition to misconfigurations, the main issues range from hard-coded passwords in the firmware file system, hidden standard user credentials or SSH host keys... be it on network cameras or state-of-the-art children's toys. Manufacturers of IoT devices need a quick development cycle and a fast time-to-market. This leaves almost no room for adequately checking any product for potential security breaches even if such security issues are taken seriously. This is risky because dealing with the aftermath and its consequences - for example, in tens of thousands of IoT components used worldwide - is likely to cost you more than an early analysis and possible resolution before rollout. Keep in mind: Prevention is always better than looking for a cure. Companies and service providers are strongly advised to take the lead and to look for vulnerabilities in devices used. To avoid any further nasty surprises, the firmware on new IoT device needs to be checked for vulnerabilities even before it is in use. There is no other preventive measure to take as doing so will ensure the necessary measures in terms of protection are taken, at the right time."
Share

About Onekey

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann

Marketing Manager
sara.fortmann@onekey.com

euromarcom public relations GmbH
+49 611 973 150
team@euromarcom.de

RELATED RESEARCH ARTICLES

The X in XFTP Stands For eXecute
Security Advisory: Arbitrary Command Execution on TP-Link Archer C5400X
Security Advisory: Remote Code Execution in Ligowave Devices

Ready to automate your Product Cybersecurity & Compliance?

Make cybersecurity and compliance efficient and effective with ONEKEY.