Alex Useche, senior appsec consultant at nVisium, said he’s seen many instances where IoT devices communicate with unauthenticated API services, opening critical vulnerabilities that are easy to exploit.

“Even when authentication takes place, the process often relies on easily discovered tokens stored in the device,” Useche said. “In those cases, it’s merely a matter of discovering the URLs for the API endpoints by capturing network traffic or extracting software directly from the device. This type of problem highlights the need to include security in the initial design of IoT products, which often consist of multiple components and, as a result, numerous teams.”
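The second path Useche describes, pulling the software off the device and reading the API endpoints and tokens out of it, is the one that is easiest to reproduce on a bench. The script below is an added example written for this page, not code from the article or from nVisium: it runs a `strings`-style sweep over a firmware image, pulls out absolute URLs and credential-shaped literals, uses Shannon entropy to separate real secrets from template placeholders, and then checks whether the same credential appears in more than one device image, which is the difference between compromising one unit and the whole fleet. The firmware blobs are constructed inline; the hostname `api.example-iot.test`, the token values and the `build_firmware` layout are assumptions for illustration only.

```python
"""Offline triage of extracted firmware images for hard-coded API endpoints
and credentials. Added example for this page, not the article's or
nVisium's code. All blobs, hostnames and token values are constructed."""
import math
import re
from collections import Counter

# Absolute http(s) URLs: the quickest way to locate API endpoints in a blob.
_URL = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./?=&%-]*)?")
# Common shapes of embedded credentials: header literals and key=value pairs.
_CRED = re.compile(
    r"(?:Authorization:\s*Bearer\s+|(?:api[_-]?key|token|secret)\s*[=:]\s*)"
    r"([A-Za-z0-9._~+/=-]{16,})",
    re.IGNORECASE,
)


def extract_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Printable ASCII runs of at least min_len bytes (the `strings` heuristic)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, placeholders score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_endpoints(strings: list[str]) -> list[str]:
    """Unique absolute URLs found in the extracted strings."""
    found = [u for s in strings for u in _URL.findall(s)]
    return sorted(set(found))


def find_credential_candidates(strings: list[str], min_entropy: float = 3.5) -> list[str]:
    """Credential-shaped literals whose value is random enough to be a live
    secret; an all-X template value has entropy 0 and is dropped."""
    out = set()
    for s in strings:
        for m in _CRED.finditer(s):
            value = m.group(1)
            if shannon_entropy(value) >= min_entropy:
                out.add(value)
    return sorted(out)


def triage(blob: bytes) -> dict[str, list[str]]:
    """Endpoints and credential candidates for one image."""
    strings = extract_strings(blob)
    return {
        "endpoints": find_endpoints(strings),
        "credentials": find_credential_candidates(strings),
    }


def shared_credentials(images: list[bytes]) -> list[str]:
    """Credentials present in every image. A value shared across the fleet
    means one extraction authenticates as any device; per-device values
    limit the damage to the unit that was opened."""
    sets = [set(triage(b)["credentials"]) for b in images]
    return sorted(set.intersection(*sets)) if sets else []


def build_firmware(token: str, serial: str) -> bytes:
    """Constructed stand-in for a firmware image (assumption, not a real
    format): binary padding, a config fragment with a leftover template
    placeholder, and the endpoint plus bearer header baked into the code."""
    padding = b"\x7fELF" + bytes(range(32)) * 4 + b"\xff" * 64
    return (
        padding
        + b"serial=" + serial.encode() + b"\x00"
        + b"token=XXXXXXXXXXXXXXXX\x00"                 # template, entropy 0
        + b"https://api.example-iot.test/v1/telemetry\x00"
        + b"Authorization: Bearer " + token.encode() + b"\r\n\x00"
        + padding
    )


if __name__ == "__main__":
    FLEET_TOKEN = "q7Rk2mXv9Lp4Tn8Wz1Hs6Jd3Bf5Gc0Ya"   # constructed value
    unit_a = build_firmware(FLEET_TOKEN, "SN-0001")
    unit_b = build_firmware(FLEET_TOKEN, "SN-0002")
    unit_c = build_firmware("Aa1Bb2Cc3Dd4Ee5Ff6Gg7Hh8Ii9Jj0Kk", "SN-0003")
    print("unit A:", triage(unit_a))
    print("shared by A and B (fleet-wide token):", shared_credentials([unit_a, unit_b]))
    print("shared by A and C (per-device token):", shared_credentials([unit_a, unit_c]))
```

The entropy cut-off is a heuristic, not proof: a short or low-alphabet real secret can fall under 3.5 bits per character, so anything the regex matches is still worth a manual look. The fleet-wide check is the one that matters for design review: if `shared_credentials` returns a value for two units pulled from different batches, the API is effectively protected by a single password that ships in every box.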
