IoT Cloud Vulnerability

Because remote access and management of a home’s IoT devices and controls rely on cloud, Symantec argues that there is a risk of a man-in-the-middle attack against an IoT firmware update.
 
“Unfortunately, some of the tested devices do not verify if the certificate is trusted and belongs to the vendor at all−they approve of the connection as long as it’s done over HTTPS. To make matters worse, none of the tested devices perform a mutual SSL authentication, where both sides authenticate with one another instead of just the server authenticating with the client. Most devices completely ignore certificate revocation lists, allowing an attacker to use keys that were obtained through a data breach without any problem,” Symantec reported.