Pwning All the IoT (M11c)
Mobile app security is often the weak spot in the Internet of Things. One issue we find time and again is Insecure Direct Object References (IDORs) in the APIs used to control IoT devices. An IDOR is an access control flaw in which the application takes an identifier supplied by the client (a device serial number, an account ID, a record number) and uses it directly to look up the object, without checking that the authenticated user is actually allowed to access that object. The requester is authenticated but never authorized for the object, so an attacker who can guess or enumerate another user's identifier can read or control that user's device. We explore why IDORs are becoming a major issue and share recent research into IDORs before suggesting some best practice advice.
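As an added illustration of the pattern described above (not code from the talk or from any vendor it covers), here is a minimal IoT device-control API in Python; the users, device IDs, commands and handler names are all constructed for the example. The vulnerable handlers use the request's device_id straight as the lookup key; the fixed ones go through one ownership check. The probe function is the test a pentester would run: enumerate a range of sequential IDs as a single user and see which other users' devices come back.

```python
# Added illustration of an IDOR in an IoT device-control API (not the talk's
# or any vendor's code). Users, device IDs and commands are constructed.

DEVICES = {  # constructed sample data: device_id -> record
    1001: {"owner": "alice", "type": "tracker",   "locked": False, "location": "51.50,-0.12"},
    1002: {"owner": "bob",   "type": "car_alarm", "locked": True,  "location": "48.85,2.35"},
    1003: {"owner": "carol", "type": "clamp",     "locked": True,  "location": "52.48,-1.90"},
}


class Forbidden(Exception):
    """Raised when the authenticated user may not touch the requested object."""


# --- Vulnerable: authenticated, but never authorized for the object ---------

def get_device_vulnerable(session_user, device_id):
    # session_user came from a valid login token, but device_id came straight
    # from the request and is used as the lookup key with no ownership check.
    return DEVICES[device_id]


def send_command_vulnerable(session_user, device_id, command):
    # Same flaw on the control path: anyone who is logged in can unlock any device.
    device = DEVICES[device_id]
    device["locked"] = (command == "lock")
    return device["locked"]


# --- Fixed: one authorization helper used by every handler ------------------

def authorize_device(session_user, device_id):
    # Resolve the object, then check that the requester owns it. "Not found" and
    # "not yours" produce the same error so the API does not leak which IDs exist.
    device = DEVICES.get(device_id)
    if device is None or device["owner"] != session_user:
        raise Forbidden(f"{session_user} may not access device {device_id}")
    return device


def get_device_fixed(session_user, device_id):
    return authorize_device(session_user, device_id)


def send_command_fixed(session_user, device_id, command):
    device = authorize_device(session_user, device_id)
    device["locked"] = (command == "lock")
    return device["locked"]


# --- Tester's check: enumerate sequential IDs as one user -------------------

def probe_id_range(get_handler, session_user, id_range):
    """Return the IDs in id_range for which get_handler, called as
    session_user, returned a device belonging to someone else."""
    leaked = []
    for device_id in id_range:
        try:
            device = get_handler(session_user, device_id)
        except (Forbidden, KeyError):
            continue
        if device["owner"] != session_user:
            leaked.append(device_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", probe_id_range(get_device_vulnerable, "alice", range(1000, 1010)))
    print("fixed leaks:     ", probe_id_range(get_device_fixed, "alice", range(1000, 1010)))
```

The property that matters in the fixed version is that every lookup is scoped to the authenticated principal before anything is returned or changed. In a real backend that scoping belongs in the query itself (a WHERE owner = ? clause, or a data-access layer that only ever sees the caller's own objects), not in a check bolted onto each handler. Random, non-sequential identifiers make enumeration slower but are not a substitute for the authorization check.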
We’ll reveal how we found IDORs on:
45 million smart watches and trackers
Two million firewalls
Five million car alarms
A cloud management platform affecting 10,000 users
A few hundred thousand wireless access points
And a parking clamp.