Thin Client Security: Wise up!
Thin clients offer fewer features and expose less attack surface. But cleartext and proprietary protocols combined with weak security controls undermine their overall security.

Thin clients are an obvious choice for connecting users to the Cloud. In theory, they present a minimal attack surface. Among other things, diskless clients nicely sidestep the “data at rest” protection issues.
So why do some thin client vendors just not “get” these 3 things:
- Security people expect you to provide a secure, vendor-independent method for thin client OS updates. FTP for software updates took its place in the infosec “wall of shame” a while back. Ditto DHCP.
- Bragging that your unpublished API makes your thin client OS secure loses you so much credibility. A hint: you will want to engage a qualified 3rd party to “flex” your API in the same way an adversary would.
“...with an unpublished API, Wyse Thin OS is one of the most secure operating systems on the market.”
With 128MB of Flash, insecure update methods, and an “unpublished API,” I’d say that makes you a target...
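The update expectation in the first bullet, sketched as an added example (not vendor code, and not from the original post): if the image is checked against a published vendor key with standard tooling, tampering on a cleartext transport such as FTP is caught before install. The key pair, file names and the `verify_update`/`install_update` helpers are hypothetical and constructed for the demo; it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: fail-closed signature check on a thin client update image.
# Key pair, file names and image contents are constructed for this demo.

# verify_update IMAGE SIGNATURE PUBKEY
# Succeeds only if SIGNATURE is a valid SHA-256 signature of IMAGE under PUBKEY.
verify_update() {
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# install_update IMAGE SIGNATURE PUBKEY
# Fail closed: anything that does not verify is refused, whatever the transport.
install_update() {
    if verify_update "$1" "$2" "$3"; then
        echo "accept: $1"
        return 0
    fi
    echo "reject: $1 (signature check failed)" >&2
    return 1
}

# demo: returns 0 if the genuine image is accepted and the tampered one refused.
demo() {
    d=$(mktemp -d) || return 2
    # Vendor side: sign the image with a private key that never ships.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/vendor.key" 2>/dev/null
    openssl pkey -in "$d/vendor.key" -pubout -out "$d/vendor.pub"
    printf 'constructed firmware image v1\n' > "$d/image.bin"
    openssl dgst -sha256 -sign "$d/vendor.key" -out "$d/image.sig" "$d/image.bin"
    # Network side: the same image, modified in transit.
    cp "$d/image.bin" "$d/tampered.bin"
    printf 'bytes added in transit\n' >> "$d/tampered.bin"
    rc=0
    install_update "$d/image.bin" "$d/image.sig" "$d/vendor.pub" || rc=1
    if install_update "$d/tampered.bin" "$d/image.sig" "$d/vendor.pub"; then
        rc=1
    fi
    rm -rf "$d"
    return $rc
}

demo && echo "demo: genuine image accepted, tampered image rejected"
```

The public key has to reach the client out of band (for example, provisioned at imaging time), not over the same DHCP or FTP path that delivers the update.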