A software product’s code-base grows over time with added functionality resulting in the use of potentially numerous new 3rd party libraries. Some of these libraries are well-maintained by commercial organizations and some are maintained by communities of open source developers. Over time, it is easy for a development team to lose track of these software components, resulting in gaps in visibility into component vulnerabilities. This can have an impact on the security of the product and introduce un-needed risk into end-user customer organizations.
On May 16, 2018 The U.S. Consumer Product Safety Commission conducted a public hearing to receive information from all interested parties about potential safety issues and hazards associated with internet-connected consumer products. VDOO’s written response is below.
The major botnet variants seen over the last few years have been enabled primarily by a lack of basic security engineering practices applied to consumer IoT devices. BASHLITE, Mirai, Remaiten and Linux.Darlloz all relied at least partially on dictionary attacks that took advantage of well-known default username/password combinations to compromise devices.