API Security Weekly: Issue #26
Another GPS watch got breached, Shodan added an IoT monitoring service, and we take a look at API security best practices, webinars, and recommendations.
This week, Verizon has been patching their home routers, another GPS watch got breached, Shodan added an IoT monitoring service, and we take a look at API security best practices, webinars, and recommendations.
Verizon is urgently updating its Verizon Fios Quantum Gateway home routers. Researchers from Tenable found multiple security issues in the device’s API. For example, HTTPS was not enforced, and some API call parameters were not sanitized. These flaws allowed an attacker to sniff logins, recover the password from its hash, perform a command injection attack, and take control of the device.
More bad news on smartwatches: Vidimensio smartwatches are vulnerable to Insecure Direct Object Reference (IDOR) attacks. Attackers can enumerate device IDs and make API calls for any of them. The vendor has been ignoring the reports, so the researcher used the vulnerability itself to warn some of the device users: he spoofed GPS coordinates so that the mobile app spelled out the word “pwned” on the location map.
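The IDOR above is a missing object-level authorization check: the API trusts the device ID in the request instead of verifying that the caller owns that device. The following added example (not code from the newsletter or from any watch vendor; the user names, device IDs and in-memory store are constructed) shows the vulnerable lookup beside a hardened one that checks ownership on every request and writes an audit log entry for both outcomes.

```python
"""Object-level authorization against IDOR on a device-position endpoint.

Added illustration; the device store, users and coordinates below are
constructed sample data, not anything from the reported smartwatch API.
"""
import logging
from dataclasses import dataclass

log = logging.getLogger("api.audit")


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    last_position: tuple  # (latitude, longitude), constructed values


# Constructed sample store; a real service would query a database here.
DEVICES = {
    "1001": Device("1001", "alice", (51.50, -0.12)),
    "1002": Device("1002", "bob", (48.85, 2.35)),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_position_insecure(device_id: str) -> tuple:
    """IDOR pattern: whoever can guess or enumerate an id reads any device.

    Authentication alone does not help; the missing piece is checking that
    the authenticated caller is allowed to see this particular object.
    """
    return DEVICES[device_id].last_position


def get_position(caller: str, device_id: str) -> tuple:
    """Hardened lookup: authorize the (caller, object) pair on every request."""
    device = DEVICES.get(device_id)
    # Treat "unknown id" and "not your id" identically so the response does not
    # become an oracle for enumerating which ids exist.
    if device is None or device.owner != caller:
        log.warning("denied position read user=%s device=%s", caller, device_id)
        raise Forbidden("device not found or not owned by caller")
    log.info("position read user=%s device=%s", caller, device_id)
    return device.last_position


def can_read_device(caller: str, device_id: str) -> bool:
    """Boolean wrapper around get_position, convenient for tests and policies."""
    try:
        get_position(caller, device_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(get_position("alice", "1001"))      # alice owns 1001
    print(can_read_device("bob", "1001"))     # False: bob does not own 1001
    print(can_read_device("alice", "9999"))   # False: no such device
```

Using non-sequential, unguessable device identifiers makes enumeration harder, but it is not a substitute for the ownership check: the check is what turns a guessed ID into a denied request and a log line a defender can alert on.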
It’s starting to look like inexpensive smartwatches and GPS-enabled watches quite often lack API security. For more examples, see our earlier reports on discovered vulnerabilities in issues 7, 18, and 19.
Shodan is a popular internet vulnerability scanner. Attackers and researchers have used it to discover unprotected Elasticsearch instances, Chromecast devices, printers, and more. To monetize the IoT scenario, Shodan has now launched a new Shodan Monitor service. The service alerts organizations on any of their device APIs that have been left exposed on the public Internet.
Five Best Practices for API Security by Twistlock’s John Odey:
- Use authentication and authorization.
- Encrypt API data.
- Implement security on the application layer.
- Whitelist allowed accesses.
- Log APIs.
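Two of these practices, whitelisting what an API accepts and logging every call, are also what would have blocked the unsanitized-parameter command injection reported in the Verizon gateway above. The following added example (not code from the newsletter, from Tenable's advisory or from the gateway firmware) assumes a diagnostic endpoint that takes a host parameter and passes it to a system ping; that endpoint shape is an assumption used to illustrate the bug class. It validates the parameter against an allowlist of what a host may look like, builds the command as an argument list so no shell ever parses the value, and logs accepted and rejected requests.

```python
"""Allowlist validation of an API parameter before it reaches a system command.

Added illustration. The 'ping a host' endpoint is an assumed example of a
diagnostic API; the hostname and IP inputs in __main__ are constructed.
"""
import ipaddress
import logging
import re
import subprocess

log = logging.getLogger("api.audit")

# One DNS label per RFC 1123: letters, digits and hyphens, no leading or
# trailing hyphen, 1-63 characters. Anything else (spaces, quotes, shell
# metacharacters, option-like values starting with '-') fails to match.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class InvalidParameter(ValueError):
    """Raised when a request parameter is outside the allowlist."""


def validate_host(host: str) -> str:
    """Return host if it is an IP address or a well-formed hostname, else raise."""
    if len(host) > 253:
        log.warning("rejected host parameter: too long")
        raise InvalidParameter("host too long")
    try:
        # Literal IPv4/IPv6 addresses are accepted as parsed by the stdlib.
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        log.warning("rejected host parameter: not a hostname or IP")
        raise InvalidParameter("host is not a valid hostname or IP address")
    return host


def is_valid_host(host: str) -> bool:
    """Boolean form of validate_host, handy for tests and request filters."""
    try:
        validate_host(host)
        return True
    except InvalidParameter:
        return False


def build_ping_insecure(host: str) -> str:
    """Vulnerable pattern: the raw parameter is spliced into a shell string.

    Handing this string to a shell lets metacharacters in 'host' change the
    command. Kept only as the 'before' picture; never execute it.
    """
    return f"ping -c 1 {host}"


def build_ping_argv(host: str) -> list:
    """Hardened pattern: validated value, passed as one argv element, no shell."""
    safe_host = validate_host(host)
    log.info("accepted ping request host=%s", safe_host)
    return ["ping", "-c", "1", safe_host]


def run_ping(host: str) -> int:
    """Execute the diagnostic with shell=False and a timeout; return exit code."""
    result = subprocess.run(build_ping_argv(host), capture_output=True, timeout=10)
    return result.returncode


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(build_ping_argv("example.com"))
    print(build_ping_argv("2001:db8::1"))
    for bad in ("exa mple", "-flag", "a..b", "10.0.0.1 extra"):
        print(repr(bad), "accepted" if is_valid_host(bad) else "rejected")
```

The allowlist is deliberately narrow: it describes what a legitimate value looks like rather than trying to enumerate dangerous characters, which is the part that tends to be incomplete. Passing the value as a list element to subprocess means that even a validation gap cannot reach a shell parser.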
KuppingerCole has published the recording of their webinar on API security. The webinar “API Security: Separating Truth from Fiction” was led by Alexei Balaganski and Isabelle Mauny. The webinar covers, for example:
- API standards
- The scope of API security
- API strategy
- Practical steps.
You need to register (free) with KuppingerCole to watch the recording.
You can subscribe to this weekly API Security newsletter at https://apisecurity.io.
Published at DZone with permission of Dmitry Sotnikov, DZone MVB. See the original article here.