First Wink bricked their smart home hubs while rolling out an updated certificates list (in the name of good security, at least). Then Chrysler decided it wasn't a big deal that their cars could be remotely hijacked -- granted they later decided it might be a teensy problem. We knew the trifecta was in play. But who would be the third big IoT company to announce a massive security problem?
Today we find out. It's Honeywell.
As ThreatPost reports:
There are two separate vulnerabilities in the Tuxedo Touch: an authentication bypass bug and a cross-site request forgery flaw. The first vulnerability lets an attacker get around the authentication mechanism in the system.
"The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page. By intercepting and dropping requests containing the string USERACCT=USERNAME:_,PASSWORD:_, an unauthenticated user may bypass authentication and access restricted pages," an advisory from CERT says.
Using client-side JavaScript to handle *any* stage of the authentication process is not a great idea: the browser runs that code only if it chooses to, so a check or redirect it performs can be intercepted or edited, and it hands users (and would-be attackers) an obvious place to start looking for vulnerabilities. The server has to decide for itself, before it sends anything restricted, whether the request is authenticated. Cross-site request forgery is also old hat in the web world, but apparently the best practices that web admins put in place to keep their cat video websites safe haven't trickled down to the industrial Internet yet.
Hopefully that will change soon.
I was answering a question on Quora about startups and the Internet of Things when I felt a strong jolt of deja vu. The Quora user in question had asked (aloud) whether it was worth signing on with an IoT startup and hoping it would get bought out, or whether the golden age of the quick sale had already passed for the industry. I immediately thought back to an article I wrote way back in January 2011 on the Tipping Point and Hype Cycle for Digital Signage, which studied basically the same question but with a focus on digital signage. At the time I was using this image from Gartner Group (an expert on industry hype cycles, especially when it comes to creating them):
Today the digital signage industry is mature. There's still plenty of hype, but many fewer people who buy into it. The same cannot be said for the Internet of Things, though. As I noted in Quora,
Any time we see a new industry emerge there's a huge surge of startup activity. As the industry matures and expectations collide with reality, that initial surge slows down and a more moderate rate of startup creation takes over.
Helping me illustrate the point this time around is Y-Combinator's Paul Graham, who came up with a new riff on Gartner's hype cycle diagram:
We're probably somewhere in the early stages of the "wearing off of novelty" stage with regard to the IoT industry right now, though there are many people adamant that we've not yet reached the peak of the TechCrunch of Initiation. Unless you're looking to sell your company right now, though, it hardly seems to matter, as two things are clear: first, there's a lot of growth left in the IoT industry, even if its effects aren't as revolutionary as heralded; second, whether we're still in the heady early days or the novelty is starting to wear off, we may still have to look forward to the Trough of Sorrow.
The industry's busy, and so am I. Here are some good reads I didn't have time to write about, but certainly merit some attention: