Jeremy Brown, independent security researcher and speaker at 2015 ITWeb Security Summit, talks about the main cyber security concerns related to cloud devices.
When it comes to cloud devices, Brown explains, there is usually no built-in security by default, which poses a problem in most cases for consumers, who are typically non-technical, and who buy these devices and just plug them in to their networks.
"And some of the security options they do provide are at best elementary and insufficient to protect all the device's resources. There is a failure at the design level with these devices: security is just a shiny word to sell them and it's not actually being included."
But consumers are not the only ones vulnerable to cloud-related security risks, says Brown, adding companies are also not doing enough to overcome cloud device insecurity.
"Personal cloud vendors value usability and simplicity over security, which takes all the progress we've made in software security in the past 10 to 15 years back to the beginning. They, overall, do not understand the impacts of vulnerabilities in these devices and look for ways to call the bugs 'low-impact' or 'by design', when in reality these allow attackers to compromise the entire device.
"There have been various cases in which researchers resorted to full disclosure, because the vendor would either ignore reports or not take the bugs seriously enough to issue a fix for customers," Brown notes.
In terms of the type of threats associated with a lack of cloud device security, Brown says: "Well, you have to understand that 'cloud' is just a medium for backup, file-syncing and centralised storage. With personal cloud devices, you're pushing important data, such as documents, photos, videos to basically a little computer in your home or office, with a lot of valuable data.
"But due to all the design-level and implementation bugs in these devices, you must assume that at least anyone who connects to your WiFi network has access to every bit of that data as well. Even if you go through the trouble of turning on all the security options and password-protecting the device," he points out.
In his presentation at ITWeb Security Summit 2015, Brown will focus on cloud device insecurity.
Share