Issue 75: 98% of IoT traffic unencrypted, API DevSecOps in Azure Pipelines


This week, the state of security in Zyxel’s management console as well as in the field of IoT leaves room for improvement.

Meanwhile, on the presentation front, we have an upcoming webinar on API DevSecOps in Azure Pipelines, and recordings from BSides SF 2020 are out.

Vulnerability: Zyxel Cloud CNM SecuManager

Pierre Kim and Alexandre Torres have reported 16 critical, unpatched security vulnerabilities in Zyxel Cloud CNM SecuManager network management software. This product provides an integrated console for monitoring and managing Zyxel security gateways, so you would assume it to be secure as well.

Several of the vulnerabilities Kim and Torres found are API vulnerabilities, such as hardcoded API secrets and keys (OWASP API2:2019 — Broken User Authentication) and backdoor administrative APIs (OWASP API5:2019 — Broken Function Level Authorization).

According to Kim and Torres:

“The attack surface is very large and many different stacks are being used making it very interesting. Furthermore, some daemons are running as root and are reachable from the WAN. Also, there is no firewall by default.”

There is no patch or vendor reaction, so the recommendation is to stop using the product.

Research: The poor state of IoT security

IoT continues to heavily rely on devices being in a “safe” network. For example, among other issues, the 2020 Unit 42 IoT Threat Report by Palo Alto Networks found that 98% of all IoT device traffic is not even encrypted.

For their report, Unit 42 analyzed 1.2 million IoT devices across enterprise IT and healthcare organizations in the United States to identify the top IoT threats and provide recommendations on how to mitigate them. The sample size means that the report gives a very good impression of the lay of the land in IoT.

Since APIs are an integral part of the IoT world, the report is very valuable from the API security perspective.

Webinar: API DevSecOps with Azure DevOps

Are you doing DevSecOps on Azure Pipelines and developing REST APIs? Next Wednesday, March 25, Steven Murawski (Microsoft Azure) and Isabelle Mauny (42Crunch) are giving a webinar on that exact topic. Reserve your spot to find out how you can automate API security analysis right in your Azure CI/CD pipeline.

Videos: The GCP Metadata API

The recording of the session “The GCP Metadata API” by Dylan Ayrey and Allison Donovan from the BSides San Francisco 2020 conference is now available.

Ayrey and Donovan look into what cloud (AWS and GCP) metadata APIs are and why they are so powerful, walk through sample attacks, and explain how vendors and users can protect their systems.

