God, I hope the wrench has access to less of the network than the employee.
It’s an IoT device.
You never trust IoT.
It should be on an isolated vlan dedicated to the wrenches that allows it to connect to its storage server only.
Putting the wrenches on a pvlan would further limit the scope of any breaches to a single wrench.
Any access to the wrench vlan/pvlan should be from a trusted management vlan. Any traversal of the firewall for this access should be logged.
Ultimately, this is a device being used by a company that requires per-bolt certification of torque. You can bet that every part of their process has an equivalent level of scrutiny, including certification of network security/auditing.
In fact, following sensible IoT network security mitigates all of the CVEs listed - because they need the attacker to have network access.
Sure, most of the CVEs are the stupidest “my-first-web-app” level of mistakes (csrf, xss, directory traversal) and shouldn’t exist. But it’s still an IoT device, and should always be treated as a black box of leaky security regardless of the manufacturer.
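The segmentation described in this comment (wrench VLAN reaches only its storage server, PVLAN isolation between wrenches, ingress only from a trusted management VLAN with every traversal logged) can be expressed as a small policy model and run over firewall log lines to spot violations. The following is an added example written for this page, not code from the thread or from any wrench vendor; the VLAN ranges, the storage server address and port, and the log line format are all assumptions constructed for the example.

```python
"""Policy model of the wrench-VLAN segmentation described above, checked
against constructed firewall log lines. Everything here is an assumption
made for the example:
  wrench VLAN   10.10.20.0/24  (each wrench on an isolated PVLAN port)
  storage       10.10.30.10:443 (the only destination a wrench may reach)
  management    10.10.10.0/24  (the only source allowed into the wrench VLAN)
"""
import ipaddress
import re
from dataclasses import dataclass

WRENCH_VLAN = ipaddress.ip_network("10.10.20.0/24")
MGMT_VLAN = ipaddress.ip_network("10.10.10.0/24")
STORAGE_SERVER = ipaddress.ip_address("10.10.30.10")
STORAGE_PORT = 443  # assumed: wrenches upload torque records over HTTPS


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "deny"
    reason: str   # which rule matched
    audit: bool   # True when the flow must be written to the audit log


def evaluate_flow(src: str, dst: str, dport: int) -> Verdict:
    """Apply the comment's rules to one flow; first matching rule wins."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    src_wrench = s in WRENCH_VLAN
    dst_wrench = d in WRENCH_VLAN

    # PVLAN isolation: wrenches never talk to each other.
    if src_wrench and dst_wrench:
        return Verdict("deny", "pvlan-isolation", audit=True)
    # A wrench may reach its storage server, and nothing else.
    if src_wrench:
        if d == STORAGE_SERVER and dport == STORAGE_PORT:
            return Verdict("allow", "wrench-to-storage", audit=False)
        return Verdict("deny", "wrench-egress-not-storage", audit=True)
    # Only the management VLAN may reach into the wrench VLAN, always logged.
    if dst_wrench:
        if s in MGMT_VLAN:
            return Verdict("allow", "mgmt-to-wrench", audit=True)
        return Verdict("deny", "untrusted-ingress-to-wrench", audit=True)
    # Flows touching neither segment are outside this policy's scope.
    return Verdict("allow", "not-wrench-related", audit=False)


# Constructed log lines in a syslog-like "SRC= DST= DPT=" shape; the exact
# format a real firewall emits will differ, this one is an assumption.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dport>\d+)")

SAMPLE_LOG = """\
2024-01-01T08:00:01 fw IN=vlan20 SRC=10.10.20.15 DST=10.10.30.10 DPT=443
2024-01-01T08:00:02 fw IN=vlan20 SRC=10.10.20.15 DST=10.10.20.16 DPT=80
2024-01-01T08:00:03 fw IN=vlan20 SRC=10.10.20.15 DST=10.10.1.5 DPT=445
2024-01-01T08:00:04 fw IN=vlan10 SRC=10.10.10.7 DST=10.10.20.15 DPT=80
2024-01-01T08:00:05 fw IN=vlan40 SRC=10.10.40.9 DST=10.10.20.15 DPT=80
"""


def audit_log(text: str) -> list[tuple[str, str]]:
    """Return (timestamp, "action:reason") for every flow that must be audited.

    Denied flows and management-to-wrench traversals are both audit events;
    routine wrench-to-storage uploads are not reported.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        v = evaluate_flow(m["src"], m["dst"], int(m["dport"]))
        if v.audit:
            findings.append((line.split()[0], f"{v.action}:{v.reason}"))
    return findings


if __name__ == "__main__":
    for ts, what in audit_log(SAMPLE_LOG):
        print(ts, what)
```

Of the five constructed lines, only the first (a wrench uploading to storage) is silent; the wrench-to-wrench attempt, the wrench reaching for an unrelated host, the unknown VLAN reaching a wrench, and the permitted but logged management access are all reported, which is the audit trail the comment asks for.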
Best practice ≠ real world application. Based on my 10+ years in IT I’d be very unsurprised to find that the networked wrench has greater access than the person.
Hahahahahaha!!! Does solarwinds123 sound familiar?