Wednesday, May 31, 2023

Cracking the Connected Floor

Analytics and Cybersecurity

By Dominic Alvieri
May 23rd, 2023

This KPI Isn't Pointing in the Right Direction

Fortune 500 companies are expanding their attack surfaces in a new data analytics push.

Cybersecurity takes a back seat to data analytics in a manufacturing executive's dream that is turning out to be a security nightmare. It's called the connected shop floor, and in its current version it isn't going to end well. Corporate executives are unintentionally exposing themselves to unnecessary risks.

"This is largely driven by connecting machines using IoT and enabling AI to digitize the results."

Apple iPads and Microsoft BI, along with several outsourced apps and technologies, are involved.

Hundreds of new endpoints and unrestricted devices


All employees with access to these new IoT devices, which run the backbone of this technological shop floor, had open browser access and email capabilities: personal email as well as corporate, plus a host of new apps and software.

Oops, an employee just clicked on one of their personal emails and got phished.

Before drilling deeper into the technologies and the possible exploits available, for starters there are hundreds of new IoT devices with an unrestricted browser able to view porn, YouTube or TikTok videos. A small-time phisherman with a low-grade infostealer may gain access to a Fortune 500 company employee's device and not even know it.

The good news

Executives are starting to learn about cybersecurity. The bad news? They are slow and stubborn.

Here is a no-brainer: restrict employee browser access.

App Avalanche


Once again, executives are slow in embracing cybersecurity. They need numbers to crunch to squeeze out every last ounce of shareholder value. Security often takes a back seat.

"Cybersecurity does not add revenue," one executive told me on the condition of anonymity.

Exploitable

Querying one of the apps used in one version of the connected floor returned an interesting response: an error in my SQL syntax. Input sanitization issues are red flags for injection flaws.
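As an added illustration (not code from the post, nor from the app in question), the pattern behind that symptom and its fix, run against a constructed SQLite table: input spliced into the query text turns a stray quote into a database error that reaches the client, while a parameterised query treats the same input as data and a generic message keeps the database's own error text out of the response. A small response check for leaked database error text is included as the defender-side triage step.

```python
import logging
import sqlite3

# Constructed in-memory stand-in for a shop-floor app's database (not the real app's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machines (id INTEGER PRIMARY KEY, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO machines (name, status) VALUES (?, ?)",
                     [("press-01", "running"), ("lathe-02", "idle")])
    return conn

def lookup_unsafe(conn, name):
    """Input spliced into the SQL text: a quote in `name` breaks the statement and the
    raw database error is handed straight back to the caller, the symptom the post describes."""
    sql = "SELECT status FROM machines WHERE name = '" + name + "'"
    try:
        return {"ok": True, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}

def lookup_safe(conn, name):
    """Parameterised query: the driver binds `name` as data, so a quote is just a character.
    Any database error is logged server-side and replaced by a generic client message."""
    try:
        rows = conn.execute("SELECT status FROM machines WHERE name = ?", (name,)).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error as exc:
        logging.warning("db error (server log only): %s", exc)
        return {"ok": False, "error": "lookup failed"}

# Fragments of common database error text; extend for the engines actually in use.
DB_ERROR_MARKERS = ("syntax error", "sql syntax", "unrecognized token", "unterminated",
                    "sqlite3", "odbc")

def leaks_db_error(response):
    """Defender-side check: does an error response expose the database's own message?
    A hit is the red flag worth triaging before anyone else finds it."""
    if response["ok"]:
        return False
    text = response.get("error", "").lower()
    return any(marker in text for marker in DB_ERROR_MARKERS)

if __name__ == "__main__":
    db = make_db()
    probe = "press-01'"  # the kind of input a typo or a quote-aware scanner sends
    print("unsafe:", lookup_unsafe(db, probe), "leaks:", leaks_db_error(lookup_unsafe(db, probe)))
    print("safe:  ", lookup_safe(db, probe), "leaks:", leaks_db_error(lookup_safe(db, probe)))
```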

Obviously I am unable to mention the firm or app until the issue is resolved. 

There are other exploitable alleys in this project.

The Deeper I Drill...

I have not received any responses to my questions regarding the above-mentioned security issues, along with an uncovered topic.

I am offensive in nature even in a defensive posture.
...

There are more holes in the floor.