First Wink bricked their smart home hubs while rolling out an updated cerficates list (in the name of good security, at least). Then Chrysler decided it wasn't a big deal that their cars could be remotely hijacked -- granted they later decided it might be a teensy problem. We knew the trifecta was in play. But who would be the third big IoT company to announce a massive security problem?

Today we find out. It's Honeywell.

honeywell security

As ThreatPost reports:

There are two separate vulnerabilities in the Tuxedo Touch: an authentication bypass bug and a cross-site request forgery flaw. The first vulnerability lets an attacker get around the authentication mechanism in the system.

"The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page. By intercepting and dropping requests containing the stringUSERACCT=USERNAME:_,PASSWORD:_, an unauthenticated user may bypass authentication and access restricted pages," an advisory from CERT says.


Using client-side JavaScript to handle *any* stage of the authentication process is not a great idea, as it gives users (and would-be attackers) an easy place to start looking for vulnerabilities and making edits. Cross-site request forgeries are also old hat in the web world, but apparently the best practices that web admins put into place to protect their cat video websites safe haven't trickled down to the industrial Internet yet.

Hopefully that will change soon.



Add comment


Subscribe to the M2M Insider RSS feed


Looking for more articles and research? Our newest articles can always be found at M2M Insider, but there are many additional research articles in our historical articles archive.


You may also be interested in Digital Signage Insider: our blog about all things digital signage.


Questions?  Get pricing  •  Call us at (800) 989-9269 or +1 (954) 548-3300  •  Chat with us online
Copyright © 2016 WireSpring Technologies, Inc. All rights reserved. View our site map, privacy and legal info, and syndication policy.