Issue 120: Video doorbells security flaws, intro to JWT attacks, security zines

Research teams from Florida Tech and NCC Group have, independently of each other, looked into the security of inexpensive video doorbells and security cameras. These devices are sold at Walmart, Amazon, Home Depot, Best Buy, to mention but a few.

The researchers concluded that most of the cheap devices on the market come from a handful of Chinese manufacturers (ODMs), using standard generic design and components. This also means that issues found in one model are replicated in others.

The devices they looked at had multiple serious security issues, including built-in backdoors. Some of the found issues were API-related, too:

• Communications are not encrypted.
• Backend APIs are not protected with authentication.
• There are REST APIs on cameras with hard-coded credentials.

You can find a quick summary of both research efforts in the GadgetGuy. For more details, see the full reports (links above).

In the world of microservice-based applications, every component is an API. As such, API security in the Kubernetes world is a lot more relevant than in the world of traditional applications.

Next Thursday, February 18th at 8 AM PST / 11 AM EST, Isabelle Mauny (42Crunch) gives a webinar on this exact topic.

For more details and to register, click here.

If you find the world of JSON Web Token (JWT) security hard, check out this quick introductory video by Farah Hawaa:

Security zines by Rohit Sehgal are fun, easy-to-grasp, comics-style explanations of web and API security.

The first one he has published explains some common authentication and authorization concepts:

• Basic
• Session-based
• Token-based
• JWT
• OAuth

For example, here he is covering the OAuth Authorization Code grant:

DZone has nominated this newsletter (which they also republished) for their 2020 Contributor Awards.

If you have a minute and want to support us, please cast your vote here. This will help us further spread the word of API security.