https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,645 Comments
Tomi Engdahl says:
Microsoft Warns of Boa Web Server Risks After Hackers Target It in Power Grid Attacks
https://www.securityweek.com/microsoft-warns-boa-web-server-risks-after-hackers-target-it-power-grid-attacks
Microsoft is warning organizations about the risks associated with the discontinued Boa web server after vulnerabilities affecting the software were apparently exploited by threat actors in an operation aimed at the energy sector.
In 2021, threat intelligence company Recorded Future reported seeing a Chinese threat group targeting operational assets within India’s power grid. In April 2022, the cybersecurity firm published a new report describing attacks launched by a different Chinese state-sponsored threat actor against organizations in India’s power sector.
Targets included several State Load Despatch Centres (SLDCs) responsible for carrying out grid control and electricity dispatch operations. These SLDCs maintain grid frequency and stability through access to supervisory control and data acquisition (SCADA) systems.
Tomi Engdahl says:
Nicholas Sutrich / Android Central:
A security researcher says Anker’s Eufy security cameras sent images to the cloud without user consent and could be accessed without authentication — Allegedly, Eufy cameras aren’t as secure as they claim. — What you need to know — Security researcher Paul Moore has discovered several security flaws in Eufy’s cameras.
Security researcher says Eufy has a big security problem
By Nicholas Sutrich
published about 13 hours ago
Allegedly, Eufy cameras aren’t as secure as they claim.
https://www.androidcentral.com/accessories/smart-home/security-researcher-says-eufy-has-a-big-security-problem
What you need to know
Security researcher Paul Moore has discovered several security flaws in Eufy’s cameras.
User images and facial recognition data are being sent to the cloud without user consent, and live camera feeds can purportedly be accessed without any authentication.
Moore says some of the issues have since been patched but cannot verify that cloud data is being properly deleted. Moore, a U.K. resident, has taken legal action against Eufy because of a possible breach of GDPR.
Eufy support has confirmed some of the issues and issued an official statement on the matter saying an app update will offer clarified language.
Tomi Engdahl says:
Researchers find bugs allowing access, remote control of cars https://therecord.media/researchers-find-bugs-allowing-access-remote-control-of-cars/
Several major car brands have addressed vulnerabilities that would have allowed hackers to remotely control the locks, engine, horn, headlights, and trunk of certain cars made after 2012, according to a security researcher. Yuga Labs staff security engineer Sam Curry published two threads on Twitter detailing his research into the mobile apps for several car brands that give customers the ability to remotely start, stop, lock and unlock their vehicles. Curry and several other researchers started with Hyundai and Genesis, finding that much of the verification process for getting access to a vehicle relied on registered email addresses. They found a way to bypass the email verification feature and gain full control.
Tomi Engdahl says:
Several Car Brands Exposed to Hacking by Flaw in Sirius XM Connected Vehicle Service
https://www.securityweek.com/several-car-brands-exposed-hacking-flaw-sirius-xm-connected-vehicle-service
Cybersecurity researchers discovered that several car brands were exposed to remote hacker attacks due to a vulnerability in a connected vehicle service provided by Sirius XM.
Sirius XM claims on its website that its connected services are used by more than 12 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota cars.
Researcher Sam Curry on Wednesday described a recent car hacking project targeting Sirius XM, which he and his team learned about when looking for a telematic solution shared by multiple car brands.
An analysis led to the discovery of a domain used when enrolling vehicles in the Sirius XM remote management functionality, Curry said in a Twitter thread.
Tomi Engdahl says:
Eufy’s camera footage is stored locally, but with the right URL, you can also watch it from anywhere, unencrypted. It’s complicated.
Eufy’s “local storage” cameras can be streamed from anywhere, unencrypted
https://arstechnica.com/gadgets/2022/12/more-eufy-camera-flaws-found-including-remote-unencrypted-feed-viewing/?utm_medium=social&utm_social-type=owned&utm_source=facebook&utm_brand=ars
The URLs for accessing your camera streams are also way too easy to brute-force.
Tomi Engdahl says:
Muistutus, että ei kannata ostaa halpoja valvontakamerasysteemejä vaan kunnollinen, joka tallentaa tallenteet paikallisesti ja toimii pilvettä.
Suomessakin myytävissä kodin valvontakameroissa hävyttömän huono tietoturva: salatuksi väitetty video on verkossa katseltavissa tutulla sovelluksella
https://www.tivi.fi/uutiset/suomessakin-myytavissa-kodin-valvontakameroissa-havyttoman-huono-tietoturva-salatuksi-vaitetty-video-on-verkossa-katseltavissa-tutulla-sovelluksella/9bf33ce7-2354-48a3-89e9-7ca3f21d7444
Anker markkinoi älykameroitaan turvallisina, mutta totuus näyttää olevan toinen.
Laadukkaaksi laitevalmistajaksi mielletyn Ankerin Eufy-sarjan valvontakameroissa on ilmennyt todella hälyttävä tietoturva- ja tietosuojaongelma. Eufy-kameroita myydään myös Suomessa.
Anker mainostaa, että kameroiden kuvaama materiaali pysyy paikallisesti käyttäjällä, ja että käyttäjän puhelimeen lähetettävä suora videolähetys on päästä päähän salattu, eikä sivullisilla ole siihen pääsyä. Totuus on kuitenkin toinen, uutisoi The Verge.
Anker’s Eufy lied to us about the security of its security cameras / Despite claims of only using local storage with its security cameras, Eufy has been caught uploading identifiable footage to the cloud. And it’s even possible to view the camera streams using VLC.
https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage
Tomi Engdahl says:
Televisiosi voi tarkkailla sinua: Tämä asetus kannattaa kytkeä heti pois https://www.is.fi/digitoday/art-2000009242759.html
Tomi Engdahl says:
Industry 4.0: CNC Machine Security Risks Part 2 https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-part-2.html
In part one, we discussed what numerical control machines do and their basic concepts. These concepts are important to understand the machines better, offering a wider view of their operations. We also laid out how we evaluated the chosen vendors for our research. For this blog, we will continue discussing our evaluated vendors and highlighting findings that we discovered during our research.
Tomi Engdahl says:
Did Brazil DSL Modem Attacks Change Device Security?
https://securityintelligence.com/articles/brazil-dsl-modem-attacks-changed-security/
- From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By configuring the modems remotely, attackers could redirect users to malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims computers. According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazils Computer Emergency Response Team, the attack ultimately infected more than 4.5 million DSL modems.
Tomi Engdahl says:
SiriusXM Vulnerability Lets Hackers Remotely Unlock and Start Connected Cars https://thehackernews.com/2022/12/siriusxm-vulnerability-lets-hackers.html
Cybersecurity researchers have discovered a security vulnerability that exposes cars from Honda, Nissan, Infiniti, and Acura to remote attacks through a connected vehicle service provided by SiriusXM. The issue could be exploited to unlock, start, locate, and honk any car in an unauthorized manner just by knowing the vehicle’s vehicle identification number (VIN), researcher Sam Curry said in a Twitter thread last week. SiriusXM’s Connected Vehicles (CV) Services are said to be used by more than 10 million vehicles in North America, including Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota.
Tomi Engdahl says:
Tractors vs. threat actors: How to hack a farm https://www.welivesecurity.com/2022/12/05/tractors-threat-actors-how-hack-farm/
While I was in the UK police force and part of the National Cyber Crime Unit in 2018, I was asked to give a talk on cybersecurity at a National Farmers Union (NFU) meeting in southern England. Right after I started my talk, one farmer immediately raised his hand and told me that his cows had recently been hacked. Baffled and amused, I was instantly hooked and wanted to know more about his story.
Tomi Engdahl says:
Mirai Botnet and Gafgyt DDoS Team Up Against SOHO Routers
https://isc.sans.edu/diary/Mirai+Botnet+and+Gafgyt+DDoS+Team+Up+Against+SOHO+Routers/29304
Since 2014, self-replicating variants of DDoS attacks against routers and Linux-based IoT devices have been rampant. Gafgyt botnets target vulnerable IoT devices and use them to launch large-scale distributed denial-of-service attacks. SOHO and IoT devices are ubiquitous, less likely to have secure configurations or routine patches, and more likely to be at the internet edge. Attacks against these devices are less likely to be identified by enterprise monitoring techniques, and compromise may go unnoticed. Unwitting users then become part of attack propagation.
Tomi Engdahl says:
Zerobot New Go-Based Botnet Campaign Targets Multiple Vulnerabilities https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
In November, FortiGuard Labs observed a unique botnet written in the Go language being distributed through IoT vulnerabilities. This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol. Based on some IPS signatures trigger count (shown in Figure 1), this campaign started its distribution of the current version sometime after mid-November.
Tomi Engdahl says:
Industry 4.0: CNC Machine Security Risks Part 3 https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-part-3.html
In this final installation of our three-part blog series, we lay out countermeasures that enterprises can do to protect their machines.
Well also discuss our responsible disclosure as well as the feedback we got from the vendors we evaluated. We found that only two of the four vendors analyzed support authentication. Neither of them has authentication enabled by default, which leaves the machines vulnerable to attacks by malicious users. Enabling authentication is essential for protecting Industry 4.0 features from abuse.
Tomi Engdahl says:
Self-Propagating ‘Zerobot’ Botnet Targeting Spring4Shell, IoT Vulnerabilities
https://www.securityweek.com/google-documents-ie-browser-zero-day-exploited-north-korean-hackers
A newly observed botnet capable of self-replicating and self-propagation is targeting multiple Internet of Things (IoT) vulnerabilities for initial access, cybersecurity solutions provider Fortinet warns.
Dubbed Zerobot, the malware is written in the Golang (Go) programming language and has several modules for self-replication, self-propagation, and for conducting attacks on different protocols.
The malware has been observed communicating with its command-and-control (C&C) server via the WebSocket protocol and targeting twelve architectures, including i386, amd64, arm64, arm, mips, mipsle, mips64, mips64le, ppc64, ppc64le, riscv64, and s390x.
To date, Fortinet has identified two variants of the botnet, one containing basic functions and used before November 24, and another that can replicate itself and target more endpoints, which has been distributed since mid-November.
The malware includes 21 exploits, including code targeting recent Spring4Shell and F5 Big-IP flaws, other known vulnerabilities, and various security defects in IoT devices such as routers, surveillance cameras, and firewalls.
https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
Tomi Engdahl says:
Eufy “no cloud” security cameras streaming data to the cloud https://www.malwarebytes.com/blog/news/2022/12/is-your-home-security-system-storing-data-100-locally
Eufy home security cameras are currently in a spot of trouble as a result of door camera footage. This is because it turns out that data which should not have been going to the cloud was doing so anyway in certain conditions.
Tomi Engdahl says:
Video: Deep Dive on PIPEDREAM/Incontroller ICS Attack Framework
https://www.securityweek.com/video-deep-dive-pipedreamincontroller-ics-attack-framework
In this session from SecurityWeek’s 2022 ICS Cybersecurity Conference, Mark Plemmons, Sr. Director for Threat Intelligence at Dragos, dives deep into the technical details and real-world impact on the modular ICS attack framework known as PIPEDREAM/Incontroller that can be used to disrupt and/or destruct devices in industrial environments. In April 2022, a joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created this suite of specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation.
Tomi Engdahl says:
Getting Root On A Chinese IP Camera
https://hackaday.com/2022/12/12/getting-root-on-a-chinese-ip-camera/
With so many cheap network-connected devices out there being Linux-powered, it’s very tempting to try and hack into them, usually via a serial interface. This was the goal of [Andrzej Szombierski] when he purchased a cheap Chinese IP camera using an XM530 ARM-based SoC to explore and ultimately get root access on. This camera’s firmware provides the usual web interface on its network side, but it also has a UART on its PCB, courtesy of the unpopulated four-pin header.
Tomi Engdahl says:
https://hackaday.com/2022/12/12/battery-engineering-hack-chat/
Tomi Engdahl says:
Students Rebel Against Heat-Sensing Crotch Monitor Surveillance Devices
https://hackaday.com/2022/12/12/students-rebel-against-heat-sensing-crotch-monitor-surveillance-devices/
Surveillance has become a ubiquitous part of modern life. Public spaces are dotted with CCTV cameras inside and out. Recent years have seen the technology spread to the suburbs with porch cameras spreading the eye of big tech and law enforcement ever further.
Outside of mere cameras, companies are rushing to develop all manner of new devices to surveil individuals, too. One such device intended to track students quickly drew the ire of scholars at Northeastern University, and the cohort fought back.
Tomi Engdahl says:
Video: Deep Dive on PIPEDREAM/Incontroller ICS Attack Framework
https://www.securityweek.com/video-deep-dive-pipedreamincontroller-ics-attack-framework
In this session from SecurityWeek’s 2022 ICS Cybersecurity Conference, Mark Plemmons, Sr. Director for Threat Intelligence at Dragos, dives deep into the technical details and real-world impact on the modular ICS attack framework known as PIPEDREAM/Incontroller that can be used to disrupt and/or destruct devices in industrial environments. In April 2022, a joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created this suite of specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation.
Tomi Engdahl says:
How to achieve security in connected devices – visualizing the path
https://www.etteplan.com/stories/how-achieve-security-connected-devices-visualizing-path?utm_campaign=newsletter-12-2022&utm_content=newsletter&utm_medium=email&utm_source=apsis-anp-3&pe_data=D43445A477046455B45724541514B71%7C31952675
The security of your connected devices has never been more important. With the advancement of technology there is an increase in benefits and added value, and overall positive impacts. Because your device is connected it becomes more easily accessible to yourself, it also becomes more easily accessible to others. This means that hackers (malicious third parties, criminals) and other government agencies (military, critical infrastructure attacks) can also access your data more easily. That is why EU and USA are regulating the cyber security of devices, software and digital services.
Several security functionalities, such as authentication, access control, cryptography, secure updates and hardening are becoming mandatory functionalities for IoT devices sold in Europe. In order for these to be implemented, you need to select the right hardware and software components without exploitable vulnerabilities, and have a design team with the required expertise. The required security posture, and skills that are needed are all dependent on the intended use of the device and component selection.
Tomi Engdahl says:
Cybersecurity of products and entities becomes mandatory in EU soon
https://www.etteplan.com/stories/cybersecurity-products-entities-mandatory-eu?utm_campaign=newsletter-12-2022&utm_content=newsletter&utm_medium=email&utm_source=apsis-anp-3&pe_data=D43445A477046455B45724541514B71%7C31952675
Companies remain worryingly oblivious on the eve of tightening EU cybersecurity legislation. Especially for industrial equipment and consumer devices, redesign is becoming urgent. A dozen of cybersecurity directives or regulations are starting to apply over the next few years. Non-compliance with these will turn sales of existing products and digital services illegal. That’s why decision makers and product developers in both device and software sectors will now need to understand the new legislations and start preparing.
The first significant tightening of regulations concerning devices will be enforced via Radio Equipment Directive starting 1st of August 2024. It applies on devices with wireless radio communications, even wireless headsets. At that day, most of today’s wireless IoT devices become illegal to sell in EU, as they are no longer in conformance with the Directive. If a company wants to continue selling the today’s wireless IoT devices in the EU, it will have to renew the CE marking to comply with the new requirements.
The NIS2 Directive will enter into force at the end of 2024. It expands the list of entities that are essential and important for the society, to include sectors such as electrical equipment manufacturing, chemicals industry and ICT services. In principle, NIS2 will only apply to medium and large sized companies, which will be obliged to implement information security management systems. In practice, many small companies are also subject to the requirements, as the bigger companies must also require their subcontractors to have appropriate cyber security -related processes in place.
Even more far-reaching is the Cyber Resiliency Act, which will enter into force during 2025-26. It will apply to all products with a digital dimension, i.e. all devices, software and many electronic and software components. These will have to meet the new CE marking requirements for cybersecurity.
Tomi Engdahl says:
3.5m IP cameras exposed, with US in the lead https://cybernews.com/security/millions-ip-cameras-exposed/
New research by Cybernews shows an exponential rise in the uptake of internet-facing cameras. After looking at 28 of the most popular manufacturers, our research team found 3.5 million IP cameras exposed to the internet, signifying an eightfold increase since April 2021.
Tomi Engdahl says:
MTTR not a viable metric for complex software system reliability and security https://www.csoonline.com/article/3683508/mttr-not-a-viable-metric-for-complex-software-system-reliability-and-security.html
Mean time to resolve (MTTR) isnt a viable metric for measuring the reliability or security of complex software systems and should be replaced by other, more trustworthy options. Thats according to a new report from Verica which argued that the use of MTTR to gauge software network failures and outages is not appropriate, partly due to the distribution of duration data and because failures in such systems dont arrive uniformly over time. Site reliability engineering (SRE) teams and others in similar roles should therefore retire MTTR as a key metric, instead looking to other strategies including service level objectives (SLOs) and post-incident data review, the report stated.
Tomi Engdahl says:
Sean Hollister / The Verge:
Anker’s security cameras brand Eufy quietly removed 10 commitments from its privacy page, including encryption, after questions about keeping those promises
Anker’s Eufy deleted these 10 privacy promises instead of answering our questions
https://www.theverge.com/2022/12/16/23512952/anker-eufy-delete-promises-camera-privacy-encryption-authentication
/ Two weeks after getting caught lying to The Verge, Anker still hasn’t sent us any answers about its security cameras. Instead, it’s nerfed the Eufy “privacy commitment.”
Tomi Engdahl says:
A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?
Robot vacuum companies say your images are safe, but a sprawling global supply chain for data from our devices creates risk.
The data collected by robot vacuums can be particularly invasive. They have “powerful hardware, powerful sensors,” says Dennis Giese, a PhD candidate at Northeastern University who studies the security vulnerabilities of Internet of Things devices, including robot vacuums. “And they can drive around in your home—and you have no way to control that.” This is especially true, he adds, of devices with advanced cameras and artificial intelligence—like iRobot’s Roomba J7 series.
A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?
https://www.technologyreview.com/2022/12/19/1065306/roomba-irobot-robot-vacuums-artificial-intelligence-training-data-privacy/
Robot vacuum companies say your images are safe, but a sprawling global supply chain for data from our devices creates risk.
Tomi Engdahl says:
A Defense Playbook for Diffusing CCTV Cybersecurity Threats
As long as IoT and CCTV devices can be hacked, the danger is present. Here’s how to tackle threats.
https://www.spiceworks.com/it-security/cyber-risk-management/guest-article/playbook-for-diffusing-cctv-cybersecurity-threats/
In the eternal battle against cyber criminals, every technological advance comes with fresh new avenues for cybercriminals to ply their trade. Camellia Chan, CEO and founder of X-PHY, looks closely at CCTV cybersecurity threats and how vulnerabilities can be better protected.
It can be especially vexing when criminals turn our own security technologies against us, as they are doing in closed circuit television (CCTV), IoT, and other video security devices. In 2021, a hacker collective gained access to 149,000 security camera footage in their invasion of cloud video security startup Verkada’s systems. In June and September of this year, groups of Iranian dissidents hacked thousands
Opens a new window of Iranian surveillance cameras in two separate attacks, both motivated by political dissent. Hackers do not stop at making political statements. They also target smaller stakes CCTV sources to steal identities or stalk victims, targeting ATMs, residential doorbell cameras, or traffic cameras. Let’s look at the vulnerabilities of CCTV threats and how we can counter them to keep our finances, identities, and ourselves safe.
CCTVs are Everywhere, and So Are Vulnerabilities
As far as IoT and CCTV devices can be hacked, accessed, watched and acted upon, the danger is present. Hackers have easy access to home security and can monitor the coming and going causing invasion of privacy which can result to burglaries, robberies, stalking etc. Retail stores, banks, and other CCTV business breaches can lead to stolen identities, bank accounts, or credit card numbers. Cybercriminals are matching security experts in the sophisticated ‘arms race.’ Similar to how law enforcement uses CCTV footage to identify criminals, cybercriminals can do the same with stolen footage.
Today, many cameras are equipped with facial recognition technology. If cybercriminals hack into the server that stores and analyses video footage using such tech, they can gain unfettered access to your identity and any other stored data. The Verdaka hack exposed video footage of scores of businesses, including Equinox gyms, Tesla, various banks, schools, and jails. On an even larger scale, CCTVs offer another channel into which hacktivists, rival governments, and terrorists can foist potentially catastrophic threats to corporate or national security in accessing video within military bases or other institutions.
Hackers Find CCTV Security Exposures through Hardware and Software
Physical Security and Cybersecurity Teams Combine Forces to Battle CCTV Hackers
Like most cybersecurity threats, most CCTV intrusions are preventable. The rapid growth of connected devices means that it takes the whole village to secure our data. Everybody from the manufacturer to the end user and cybersecurity teams to vendors must do their part to maintain the devices’ integrity. Organizations’ physical security teams should collaborate closely with CISOs and internal cybersecurity teams to create a united and holistic front to stave off such attacks. Many criminal incursions result from preventable errors in fundamental best practices, such as not changing the factory set password upon setup, using the same password for all devices, connecting to a poorly protected network, or a lack of dynamic authentication or unencrypted video protocols to access the live stream of stored footage.
Cyber Hygiene At Home to Protect Doorbells and Security Cameras
Cameras are everywhere to protect us against crime, yet cybercriminals are using our own security programs to their advantage. At home, people with security camera systems such as Ring or SimpliSafe should practice simple cyber hygiene techniques that prevent most breaches, starting with ensuring the device they buy is from a reputable source and manufacturer. In 2021, Consumer Reports
Opens a new window found that four of the 13 video doorbells/home security cameras had vulnerabilities, exposing their owners to hacking and leaks of personal data, including email addresses and Wi-Fi passwords. Upon setting up the device, you should always change the default password, use complex passwords that are harder to crack and change the passwords regularly.
Don’t Underestimate Cybersecurity Education
The National CyberSecurity Alliance
Opens a new window (NCA) reported that in 2022, only thirty-six percent of people reported that they changed their passwords every few months, with 29% saying they do not change them unless they are forced to do so. For organizations, minimizing human interaction is key to reducing the possibility of human error in allowing hackers into the system through phishing attacks or social engineering attacks. But companies should not underestimate the necessity for cybersecurity awareness and education.
The NCA revealed that more than half (58%) of the participants who had received training said they were better at recognizing phishing messages, while 45% had started using strong and separate passwords. On the technology side, cybersecurity teams should take proactive measures to fortify hardware-based cybersecurity measures, adopting zero-trust frameworks. Additionally, they should implement regular patching, compromise assessments, red teaming, and penetration testing, in which a security expert like the one who exposed the SpaceX issue — aka an ethical hacker — is enlisted to execute a simulated attack on the CCTV system.
CISOs, Device Manufacturers, and the US Combine Efforts to Secure IoT and CCTV Cameras
CISO and individual vigilance via procedures and education can offer stout protection against threats, but the securing of IoT and CCTV devices is undoubtedly a challenging undertaking, with numerous internet-facing touchpoints of potential exposure across hardware, software, and humans.
Manufacturers also need to step up their hardware and firmware security game. The White House is working with private sector businesses, associations and government partners on a plan for a labeling system to rate the cyber resilience of Internet of Things (IoT) devices
Opens a new window which will be similar to the appliance Energy Star rating system. While it’s impossible to thwart all cyber threats, we would be foolish not to take every precaution available to make life harder for the bad actors seeking to invade our privacy.
FACT SHEET: Biden-Harris Administration Delivers on Strengthening America’s Cybersecurity
https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/11/fact-sheet-biden-harris-administration-delivers-on-strengthening-americas-cybersecurity/
Tomi Engdahl says:
The metaverse ushers in a new era of cyber threats
https://www.securitymagazine.com/articles/98571-the-metaverse-ushers-in-a-new-era-of-cyber-threats
The reality of the metaverse, where builders aim to create a shared, immersive and interactive digital world that combines virtual reality (VR) and augmented reality (AR) with avatars, digital twins and Internet of Things (IoT) devices, is only a few years away. With all the chatter about the metaverse, many are beginning to get an idea of what it might look like, but few understand the infrastructure behind its technology.
It would be unwise to assume that the cybersecurity threat landscape of Web3 will be simply a continuation of today’s common Web2 threats. The next-level complexity of hardware and software technologies that will make up the metaverse introduces countless attack surfaces and cybersecurity challenges. Here are few unique security concerns that the metaverse presents and how security leaders will need to reorient their approach to stay ahead of the next generation cyberattacker.
he metaverse’s near-infinite attack surface
The metaverse ecosystem has a wide attack surface made up of software, hardware and communication channels. Web3 will be all about greater user interaction, and that will mean more user data will be collected. Data can be acquired through AR/VR devices, sensors, cameras and other devices that are connected to the internet. Data can be stored in the metaverse in many ways, such as on servers, in databases on edge, fog or cloud-computing platforms. This is an enormous amount of potentially vulnerable user data, and cybercriminals will follow the money.
Compromised devices pose new threats
While the metaverse is still vulnerable to the same threats of today’s Web2, the nature of its immersive and interactive technology adds identity and privacy threats. Rogue or compromised end-user devices present a significant risk of data breaches and malware invasions targeting the user’s monetary assets. In the Web3 world, the user’s identity goes well beyond a character’s avatar, including their private keys for cryptocurrencies, bank details, social relationships, and even images of their digital life history. Since NFTs could soon be used for various forms of identification, from insurance policy documentation and drivers’ licenses to event tickets, the loss or modification of any of these items can could constitute identity theft.
Identity theft on a whole new level
Interacting with an avatar in Web3 requires pervasive user profiling activities using multiple dimensions and high granularity for facial expressions, eye/hand movements, speech, biometric features and even brain wave patterns. Attackers can impersonate victims in the metaverse by exploiting the behavioral and biological data gathered by AR/VR devices to create a fake avatar for criminal use. Cybercriminals can inject erroneous data into the acquisition stream generated by wearable devices and use it to launch social engineering or other malicious applications.
Getting physical with cybersecurity strategies to secure the metaverse
There are practical measures that the security industry and individuals can and should take sooner than later to get ahead of securing the metaverse. Organizations should not only have software protection in place to secure their data, but also add robust defenses on hardware devices and communication channels to protect against identity theft and physical harm. Business and tech leaders entering the Web3 space in any manner should be relentless about education and awareness, since preventing human error can help reduce cybersecurity incidents.
Tomi Engdahl says:
Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers
https://www.securityweek.com/several-dos-code-execution-vulnerabilities-found-rockwell-automation-controllers
Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.
The US Cybersecurity and Infrastructure Security Agency (CISA) last week published three advisories to describe a total of four high-severity vulnerabilities. Rockwell Automation has published individual advisories for each security hole.
One flaw is CVE-2022-3156, which impacts the Studio 5000 Logix Emulate controller emulation software. The vulnerability is caused by a misconfiguration that results in users being granted elevated permissions on certain product services. An attacker could exploit the weakness for remote code execution.
The second vulnerability is CVE-2022-3157, which affects CompactLogix, GuardLogix (including Compact), and ControlLogix controllers. An attacker can exploit the flaw to launch a denial-of-service (DoS) attack against a device by sending specially crafted CIP requests that cause a “major non-recoverable fault”.
The remaining vulnerabilities impact MicroLogix 1100 and 1400 programmable logic controllers (PLCs). One of the security holes, CVE-2022-46670, is a stored cross-site scripting (XSS) issue in the embedded webserver that can be exploited for remote code execution without authentication.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed-hackers-to-snoop-on-conversations/
Tomi Engdahl says:
https://duunitori.fi/tyoelama/tyonantajan-huono-maine/?utm_source=facebook&utm_medium=falcon&utm_campaign=Duunitori&fbclid=IwAR2pDv1seiQ8GpkVoMdFbbWdq1QK_WteFO7Au2IqhTSoGu2YsZLxh9OXTa0
Tomi Engdahl says:
Researcher Uncovers Potential Wiretapping Bugs in Google Home Smart Speakers https://thehackernews.com/2022/12/researcher-uncovers-potential.html
A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices. The flaws “allowed an attacker within wireless proximity to install a ‘backdoor’ account on the device, enabling them to send commands to it remotely over the internet, access its microphone feed, and make arbitrary HTTP requests within the victim’s LAN,” the researcher, who goes by the name Matt, disclosed in a technical write-up published this week.
Tomi Engdahl says:
Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers
https://www.securityweek.com/several-dos-code-execution-vulnerabilities-found-rockwell-automation-controllers
The US Cybersecurity and Infrastructure Security Agency (CISA) last week published three advisories to describe a total of four high-severity vulnerabilities. Rockwell Automation has published individual advisories for each security hole.
One flaw is CVE-2022-3156, which impacts the Studio 5000 Logix Emulate controller emulation software. The vulnerability is caused by a misconfiguration that results in users being granted elevated permissions on certain product services. An attacker could exploit the weakness for remote code execution.
The second vulnerability is CVE-2022-3157, which affects CompactLogix, GuardLogix (including Compact), and ControlLogix controllers. An attacker can exploit the flaw to launch a denial-of-service (DoS) attack against a device by sending specially crafted CIP requests that cause a “major non-recoverable fault”.
The remaining vulnerabilities impact MicroLogix 1100 and 1400 programmable logic controllers (PLCs). One of the security holes, CVE-2022-46670, is a stored cross-site scripting (XSS) issue in the embedded webserver that can be exploited for remote code execution without authentication.
Tomi Engdahl says:
16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure
https://www.securityweek.com/16-car-makers-and-their-vehicles-hacked-telematics-apis-infrastructure
A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car functions and start or stop the engine.
Multiple other security defects, the researchers say, allowed them to access a car maker’s internal applications and systems, leading to the exposure of personally identifiable information (PII) belonging to customers and employees, and account takeover, among others. The hacks targeted telematic systems, automotive APIs, and infrastructure.
Impacted car models include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. The vulnerabilities were identified over the course of 2022. Car manufacturers were informed about the security holes and they released patches.
Vehicle impact
According to the researchers, they were able to send commands to Acura, Genesis, Honda, Hyundai, Kia, Infiniti, Nissan, and Porsche vehicles.
Using only the VIN (vehicle identification number), which is typically visible on the windshield, the researchers were able to start/stop the engine, remotely lock/unlock the vehicle, flash headlights, honk vehicles, and retrieve the precise location of Acura, Honda, Kia, Infiniti, and Nissan cars.
They could also lock users out of remote vehicle management and could change car ownership.
Tomi Engdahl says:
Hack the Pentagon 3.0 Bug Bounty Program to Focus on Facility Control Systems
https://www.securityweek.com/hack-pentagon-30-bug-bounty-program-focus-facility-control-systems
The US Department of Defense (DoD) is getting ready to launch the third installment of its ‘Hack the Pentagon’ bug bounty program, which will focus on the Facility Related Controls System (FRCS) network.
According to a draft solicitation released on Friday, as part of Hack the Pentagon 3.0, DoD will rely on ethical hackers to identify vulnerabilities in FRCS.
The DoD’s FRCS includes control systems that are used to monitor and control equipment and systems related to real property facilities, such as HVAC, utilities, physical security systems, and fire and safety systems.
“The overall objective is to obtain support from a pool of innovative information security researchers via crowdsourcing for vulnerability discovery, coordination and disclosure activities and to assess the current cybersecurity posture of the FRCS network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture,” the draft reads.
Per the document, the DoD is looking to engage with a private organization that has expertise in commercial crowdsourcing, to select “a private community of skilled and trusted researchers, which may be limited to US persons only” to participate in the program.
Hack the Pentagon 3.0 CVDD
https://sam.gov/opp/be855762a82543bcba2a4eac18b7202f/view
Tomi Engdahl says:
Hacker group discloses ability to encrypt an RTU device using ransomware, industry reacts – Industrial Cyber
https://industrialcyber.co/industrial-cyber-attacks/hacker-group-discloses-ability-to-encrypt-an-rtu-device-using-ransomware-industry-reacts/
A hacker group has claimed that it has conducted a ‘first-ever’ ransomware attack against an RTU (remote terminal unit), a small device typically deployed across industrial control system (ICS) environments. The Anonymous group affiliate said that it executed GhostSec ransomware during its favorite operation ‘#OpRussia,’ and explained it ‘as only they can in support of #Ukraine.’
In its Twitter message, Anonymous Operations wrote that “Everybody knows that GhostSec has been ‘raising the bar’ since we started attacking ICS, now its time to push the hacking history even further beyond! It’s time to write our name in a new hacking game, it’s to start a new race. Everyone has obviously heard about a ransomware that attacked a Windows desktop, some server, some IoT, but we would like to announce the first RTU attacked!”
The group added that “YES! We just encrypted the first RTU in history! A small device designed only for an ICS environment! We knew, you knew, that the time sooner or later would come. Well, it has come!”
Anonymous further added that “the age of ransomware coded to attack ICS devices just became a thing, and we were the first like previously hacking the Russian trains directly! This ransomware was not intended to be very complex (it doesn’t mean that we cant code complex malware) since we just wanna encrypt and show it to the world.”
Analyzing the hacker group’s claim, researchers from industrial cybersecurity company Claroty’s research arm Team82 wrote in a Thursday blog post that GhostSec has claimed on a public Telegram group that it has been able to encrypt an industrial RTU router that features SCADA (supervisory control and data acquisition) capabilities including support for industrial serial interfaces RS-232 and RS-485 and MODBUS protocol variations.
The TELEOFIS RTU968 V2 is a new 3G router that supports wired and wireless connections of commercial and industrial facilities to the Internet.
Team82 revealed that the group claimed on Telegram that the compromised device is from Belarus, and also did not demand a ransom, instead leaving behind a lengthy message that includes the note: ‘There is no notification letter. There is no payment.’
“From public internet scans we discovered that there are 194 internet-exposed devices in Russia, Kazakhstan, Belarus, and 117 of them have the SSH service enabled,” according to the researchers. “We were curious to know what was the initial attack vector so we downloaded the firmware and conducted research on it (.tar → .UBI root filesystem, Linux kernel).”
Additionally, “we discovered that the device runs over a 32-bit ARM architecture with an ARM926EJ-S processor which is part of ARM9 family of general-purpose microprocessors. It runs the OpenWrt 21.02.2 operating system, which is a Linux distribution with BusyBox.”
Claroty researchers wrote that hacktivist groups, though largely politically motivated, have demonstrated the ability to be disruptive to businesses and operations in certain situations. “GhostSec’s latest alleged activity is another indication that these groups have an interest in seeking out ICS devices that—if attacked—can impact productivity and safety within industrial automation settings,” they added.
Ron Fabela, CTO at another industrial cybersecurity vendor SynSaber, wrote in a separate blog post that given that these devices are running generic Linux kernels that happen to be providing connectivity to serial devices (which, of course, could be industrial), “there’s nothing in the evidence supplied by GhostSec that industrial was specifically attacked or that this attack represents a new paradigm shift in industrial hacking.”
“Whether technically true or not, groups like GhostSec, the Cl0p gang, and others continue to research and discover OT attacks and ICS hacks,” Fabela wrote in his Wednesday post. “The paradigm shift isn’t that someone can attack a Linux/OpenWRT device. Rather, it’s the pivot by threat groups on how to take traditional enterprise attacks and apply them to industrial environments. It was also trivial to find these exact devices online via tools like shodan[dot]io,” he added.
This example by GhostSec shows new threat groups’ lack of understanding about ICS, Fabela said. “It also gives the community a glimpse at the group’s intent, something exceedingly difficult to measure otherwise. After looking at the evidence presented, it may be easy to dismiss the bold claims by GhostSec.”
He further highlighted that the fact remains that ICS will be targeted, and threat actors see the value in attacking (or claiming to attack) ICS.
“Scenarios outlined by GhostSec and Red Balloon will likely remain an area for proof of concepts and flashy presentations at hacker cons,” according to Slowik. “Yet should such embedded device ransomware emerge in industrial environments (especially critical infrastructure networks), we should immediately question the nature and origin of such activity, as the economics and optics of such an event will favor a state-directed entity being responsible as opposed to more traditional criminal monetization,” he added.
In October, another industrial cybersecurity company OTORIO disclosed that the GhostSec hacktivist group has continued to demonstrate its ICS hacking skills and has now turned its support to the recent waves of Hijab protests in Iran.
“The group has published several images as evidence of successfully ‘hacked’ systems. These show the use of SCADA modules of the Metasploit framework and a MOXA E2214 controller admin web portal following a successful login,” David Krivobokov, OTORIO’s Research Team leader, revealed at the time. “While it is not clear how critical the ‘breached’ systems are, this demonstrates again the ease and potential impact of attacks on ICS systems that have insufficient security controls in place.”
Earlier this week, Red Balloon researchers detected the presence of multiple architectural vulnerabilities prevalent in the Siemens SIMATIC and SIPLUS S7-1500 series PLC (Programmable Logic Controller) that could allow attackers to bypass all protected boot features, resulting in persistent arbitrary modification of operating code and data. Affecting around 120 Siemens products and solutions, the S7-1500 is a high-performance controller that is considered to possess comprehensive security protections amongst Siemens PLC products.
Cybersecurity Experts Cast Doubt on Hackers’ ICS Ransomware Claims
https://www.securityweek.com/cybersecurity-experts-cast-doubt-hackers-ics-ransomware-claims
A hacktivist group has made bold claims regarding an attack on an industrial control system (ICS) device, but industry professionals have questioned their claims.
The hacktivist group known as GhostSec, whose recent operations have focused on ‘punishing’ Russia for its invasion of Ukraine, claims to have conducted the first ever ransomware attack against a remote terminal unit (RTU), a type of ICS device used for communications between field devices and supervisory control and data acquisition (SCADA) systems.
“We just encrypted the first RTU in history! A small device designed only for an ICS environment,” the hackers said. “The age of ransomware coded to attack ICS devices just became a thing, and we were the first.”
The group said the hacked device is located in Belarus, one of Russia’s biggest allies. While the attack was described as ransomware because files on the device were encrypted, there wasn’t an actual ransom demand.
Several experts, including ones from ICS security companies, analyzed the hacktivists’ claims based on the screenshots they made available. The screenshots show that the attackers managed to encrypt some of the files hosted on the device, just like in a ransomware attack
The first aspect that most experts pointed out is that the targeted device is the Teleofis RTU968, a product described by the Russia-based vendor as a 3G router designed for connecting industrial and commercial facilities to the internet. While the device is labeled as an RTU and can technically be used as an RTU due to the fact that it supports industrial interfaces, it’s not specifically designed for this purpose.
In addition, unlike RTUs made by major vendors such as Siemens, which run operating systems that are custom-built for industrial applications, the Teleofis device runs OpenWrt, a widely used Linux operating system designed for embedded devices.
Ransomware that can encrypt files on a Linux device is not new and there is no indication that encrypting files on the Teleofis device is more difficult. In addition, hacking these types of communication gateways that provide remote connectivity to serial devices is also not new, pointed out industrial cybersecurity firm SynSaber.
“Given that these devices are running generic Linux kernels that happen to be providing connectivity to serial devices (which, of course, could be industrial), there’s nothing in the evidence supplied by GhostSec that industrial was specifically attacked or that this attack represents a new paradigm shift in industrial hacking,” explained Ron Fabela, the CTO of SynSaber.
https://twitter.com/AnonOpsSE/status/1613104709832671233
#Anonymous affiliate #GhostSec conducts the first ever #Ransomware attack against an RTU – remote terminal unit used in ICS environments during their favorite operation #OpRussia. They explain it as only they can in support of #Ukraine
#russiaisaterrorisstate #UkraineRussiaWar
GhostSec Makes Big Claims on “RTU” ICS Hack
https://synsaber.com/ghostsec-claim-rtu-ics-hack/
“Everyone has obviously heard about a ransomware that attacked a Windows desktop, some server, some IoT, but we would like to announce the first RTU attacked!”
“YES! We just encrypted the first RTU in history!”
(For more on GhostSec, check out https://en.wikipedia.org/wiki/Ghost_Security)
Let’s break down the evidence provided along with the claim, some basic OSINT (open source intelligence) gathering, and insights as to whether this claim is all it’s cracked up to be.
The Spectre of Big Claims Online
No doubt, industrial control systems are under attack. We hear it in the form of government advisories and see numerous presentations by experts on the subject. Nevertheless, we as a community cannot take every claim at face value.
Here we have an opportunity to dig into the evidence provided directly from the source: claims and screenshots directly from the attacker.
A series of screenshots and statements are still available on the GhostSec Telegram channel.
You can see them for yourself at https://t.me/GhostSecc/410
Claim 1: GhostSec “raises the bar” by being the first to encrypt data on an RTU
Claim 2: The age of ransomware coded to attack ICS devices “just became a thing”
Attached to the message were two screenshots of a command line interface. That’s where things get interesting.
Let’s delve into what victimology insights can be gained about the attack.
First, let’s start with what an RTU is in the industry, and the specifics around the RTU shown in the screenshots. For background details on what an RTU really is, please see this post from RealPars: https://realpars.com/rtu/
A few important data points:
Banner notes the vendor of the device as TELEOFIS
Build notes for RTU968V2 v.2.6.95
OpenWrt Chaos Calmer is interesting
Most industrial RTUs do not run Linux, but real-time operating systems custom-built for industrial control
So what is a TELEOFIS RTU986V2? I’m glad you asked.
Here is the specific product information for the target device:
https://teleofis.ru/production/3g-4g-routeri/3g-router-teleofis-rtu968-v2/
this is a 3G router that has the capability to connect to serial devices, and supports network functions such as firewall/OpenVPN, and other functions.
Phantom Menace
While the claim is technically correct in that TELEOFIS (the device vendor) labels this device as an RTU, digging deeper into the product lines, these are communications gateways and routers that can be applied to any environment, including industrial control.
Given that these devices are running generic Linux kernels that happen to be providing connectivity to serial devices (which, of course, could be industrial), there’s nothing in the evidence supplied by GhostSec that industrial was specifically attacked or that this attack represents a new paradigm shift in industrial hacking.
Skepticism and Research: Investigate Claims of an ICS Hack
Whether technically true or not, groups like GhostSec, the Cl0p gang, and others continue to research and discover OT attacks and ICS hacks (see my breakdown of the ICS hack claim regarding South Staffs Water at https://synsaber.com/south-staffs-water-hack-part-1/).
The paradigm shift isn’t that someone can attack a Linux/OpenWRT device. Rather, it’s the pivot by threat groups on how to take traditional enterprise attacks and apply them to industrial environments. It was also trivial to find these exact devices online via tools like shodan.io.
Tomi Engdahl says:
WAGO fixes config export flaw threatening data leak from industrial devices https://portswigger.net/daily-swig/wago-fixes-config-export-flaw-threatening-data-leak-from-industrial-devices
Security researchers have disclosed a vulnerability that potentially led to exposure of sensitive data and credential theft in WAGO products. also:
https://onekey.com/blog/security-advisory-wago-unauthenticated-config-export-vulnerability/
Tomi Engdahl says:
ioXt Alliance Works Toward Global Security Standardization
Jan. 13, 2023
The organization, made up of more than 600 OEMs, labs, and manufacturers, aims to bring IoT security upgradability and transparency into the hands of consumers.
https://www.electronicdesign.com/technologies/iot/video/21258039/microwaves-rf-ioxt-alliance-works-toward-global-iot-security-standardization?utm_source=EG+ED+Connected+Solutions&utm_medium=email&utm_campaign=CPS230109103&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R
At CES, Senior Editor David Maliniak caught up with Grace Burkard, Director of Operations at the ioXt Alliance. She discusses the fragmentation of standards between industries, countries, and types of products, which makes it difficult for manufacturers to achieve certification.
Burkard stresses the need for transparency between standards and explains that ioXt Alliance-certified products have a QR code a company can display on the product or website.
“A consumer can come up, scan it, and it will take them directly to their product page,” said Burkard. “And it shows what levels they need for their security.”
After Executive Order 140288 came out, the administrations tasked NIST to better the cybersecurity products in the U.S.
https://www.ioxtalliance.org/
Tomi Engdahl says:
IoT vendors faulted for slow progress in setting up vulnerability disclosure programs https://portswigger.net/daily-swig/iot-vendors-faulted-for-slow-progress-in-setting-up-vulnerability-disclosure-programs
IoT vendors are making slow progress in making it easy for security researchers to report security bugs, with only 27.1% of suppliers offering a vulnerability disclosure policy. The figure, based on the latest annual report from the IoT Security Foundation (IoTSF), compares to the 9.7% of IoT (Internet of Things) vendors that were reported to have a disclosure policy in the 2018 edition of the same study. The IoTSFs latest study was based on a review of practice of
332 companies who sell consumer-focused IoT products. The review, carried out by mobile and IoT security consultancy Copper Horse, covered security practices tied to a range of products ranging from tablets and routers to smart home lighting controls and smart speakers
Tomi Engdahl says:
https://pentestmag.com/industrial-control-system-cybersecurity-threat-hunting/
Tomi Engdahl says:
Hacking Paulig Muki
https://github.com/jku/mukinator
Tomi Engdahl says:
Malware exploited critical Realtek SDK bug in millions of attacks
https://www.bleepingcomputer.com/news/security/malware-exploited-critical-realtek-sdk-bug-in-millions-of-attacks/
Hackers have leveraged a critical remote code execution vulnerability in Realtek Jungle SDK 134 million attacks trying to infect smart devices in the second half of 2022.
Exploited by multiple threat actors, the vulnerability is tracked as CVE-2021-35394 and comes with a severity score of 9.8 out of 10.
High exploitation levels
Starting September 2022, a new sizable botnet malware named ‘RedGoBot’ appeared in the wild targeting IoT devices vulnerable to CVE-2021-35394.
Researchers at Unit 42, Palo Alto Network’s threat intelligence team, noticed that exploitation of the flaw continued throughout December.
Three different payloads were delivered as a result of these attacks:
a script that executes a shell command on the target server to download malware
an injected command that writes a binary payload to a file and executes it
an injected command that reboots the server
Most of these attacks originate from botnet malware families like Mirai, Gafgyt, Mozi, and derivatives of them. In April 2022, the Fodcha botnet was spotted exploiting CVE-2021-35394 for distributed denial-of-service (DDoS) operations.
Tomi Engdahl says:
Mies osti uunin ja hämmästyi – ottaa yhteyden Venäjälle ja Kiinaan 12 kertaa tunnissa https://www.is.fi/digitoday/tietoturva/art-2000009359273.html
AEG:n uunit tarkistavat nettiyhteyden toimivuuden ottamalla yhteyden jatkuvasti kolmeen hakukoneeseen. Tutkija on huolissaan.
KUN ostat kodinkoneen, et ehkä tule ajatelleeksi mitä kaikkea se tekee ilmeisen käyttötarkoituksensa lisäksi. Hyvän esimerkin antaa ohjelmistoasiantuntija Stephan van Rooij, joka huomasi kahden AEG-merkkisen uuninsa ottavan yhteyttä kolmeen hakukoneeseen 5 minuutin välein.
Hakukoneet ovat yhdysvaltalainen Google, kiinalainen Baidu ja venäläinen Yandex. Kyseiset uunit, AEG:n BSK798280B ja KMK768080B, käyvät näiden hakukoneiden pääsivuilla tarkistaakseen, että nettiyhteys on kunnossa.
– En todellakaan pidä siitä, että uunini ottaa yhteyttä Kiinaan ja Venäjälle vain tarkistaakseen, että sillä on internet-yhteys. Jos tämä on ainoa asia, jonka se tekee, van Rooij kirjoittaa.
I disconnected our smart oven, and maybe you should as well
https://svrooij.io/2023/01/25/disconnect-your-smart-appliance/
Arstechnica published an article yesterday, called “Appliance makers sad that 50% of customers won’t connect smart appliances”. Let me tell you, I’m glad people don’t connect their oven to the internet. We own two of these smart appliances from AEG and I disconnected them as soon as I discovered what they do.
When would I use the smart part of these appliances?
We did not explicitly bought “smart” appliances. We noticed they had wifi after we installed them. Here are some use cases of the “smart” functionality.
I’m was working late, on the way back in the grocery store, thinking I’ll just take some pizza and pre-heat my oven while still in the store.
While waking up deciding we want fresh baked buns in the morning, and we want to pre-heat the oven.
Maybe receiving notifications on the phone when the pre-set timer finishes
These three use cases are probably the only reason why people even consider buying a “smart” oven.
Devices check for internet access
Every smart devices (laptop/phone/appliance) wants to know if the wifi they are connected to is actually providing access to internet. Microsoft created a special endpoint that is used by your Windows device to check for internet connectivity. Apple and Google follow a similar strategy, I cannot find the exact documentation on it.
If a company doesn’t want to setup an external api for this, or you have an api that is not really stable, you can always use public websites to check if you have an internet connection. In my opinion your should always setup your own api to do the checking, because you don’t want to report to the user that the device does not have internet access because some external website is down.
And if you already have an api, just make sure your api is stable!
How AEG smart appliances check internet connectivity?
AEG choose the easy route, and checks three public websites every 5 minutes when connected to your wifi. The AEG smart appliances also have this hidden cloud api which is used for controlling the devices, so there should not be a reason to connect to these websites:
google.com no shock there, that is the number one website I personally use if I have to check internet connectivity.
baidu.cn yes, every 5 minutes your oven sends a message to the Chinese google alternative.
yandex.ru yes, not even just China, also the Russian google alternative.
I really don’t like the fact that my oven connects to China and Russia just to check if it has an internet connection. If that is the only thing it’s doing.
Tomi Engdahl says:
Realtek Vulnerability Under Attack: Over 134 Million Attempts to Hack IoT Devices https://thehackernews.com/2023/01/realtek-vulnerability-under-attack-134.html
Researchers are warning about a spike in exploitation attempts weaponizing a now-patched critical remote code execution flaw in Realtek Jungle SDK since the start of August 2022. According to Palo Alto Networks Unit 42, the ongoing campaign is said to have recorded
134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months
Tomi Engdahl says:
IoT Security
EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
https://www.securityweek.com/ev-charging-management-system-vulnerabilities-allow-disruption-energy-theft/
Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.
Researchers warn that many electric vehicle (EV) charging management systems are affected by vulnerabilities that could allow hackers to cause disruption, steal energy, or obtain driver information.
The vulnerabilities were discovered by researchers working for SaiFlow, an Israel-based company that specializes in protecting EV charging infrastructure and distributed energy resources.
The security holes are related to the communications between the charging system management service (CSMS) and the EV charge point (CP), specifically the use of the Open Charge Port Protocol (OCPP). The flaws have been confirmed to impact the CSMS offered by multiple vendors.
The problem is related to the use of WebSocket communications by the OCPP and how it mishandles multiple connections. The protocol does not know how to handle more than one CP connection at a time and attackers could abuse this by opening a new connection to the CSMS. Another issue is related to what SaiFlow describes as “weak OCPP authentication and chargers identities policy”.
By opening a new connection to the CSMS on behalf of a charge point, the attacker causes the original connection to be closed or to become nonfunctional.
According to SaiFlow, an attacker can exploit the weaknesses to launch a distributed denial-of-service (DDoS) attack that disrupts the electric vehicle supply equipment (EVSE) network. In addition, if an attacker can connect to the CSMS, they may be able to obtain drivers’ personal information, including payment card data, as well as other sensitive data, such as server credentials.
Tomi Engdahl says:
Valmistaja myönsi viimein: Suomessakin myydyissä turvakameroissa ei ollutkaan väitettyä salausta https://www.tivi.fi/uutiset/tv/bed27d6c-ec72-4f52-ad67-472a07ce256e
Eufy-brändin alla myytäviä turvakameroita valmistava Anker on viimein myöntänyt ongelmat ja puutteet kameroidensa tietoturvassa. Samalla yhtiö myönsi sössineensä viestinnän perusteellisesti. Älykkäisiin valvontakameroihin ja niiden kanssa käytettäviin sovelluksiin ja palveluihin liittyi useita huolia. Yksi oli se, että kamerat saattoivat lähettää pilveen videoiden esikatselukuvakkeita, joista saattoi olla tunnistettavissa ihmisiä, eikä pilvitallennuksen vaatimustenmukaisuudesta juuri ollut selkoa. Mahdollisesti vielä huolestuttavampi oli tietoturvatutkijoiden esille nostama ja The Vergen vahvistama havainto, että kameroiden lähettämää suoraa videolähetystä saattoi katsella verkon yli aivan tavallisella mediasoitinsovelluksella, kunhan tiedossa oli verkko-osoite, josta lähetys löytyi. Näin siis oli siitä huolimatta, että valmistaja itse väitti kaiken videon liikkuvan verkossa täysin päästä päähän salattuna, jolloin kukaan sivullinen ei voisi siihen päästä käsiksi.
Tomi Engdahl says:
https://svrooij.io/2023/01/25/disconnect-your-smart-appliance/
Tomi Engdahl says:
Is Your EV Charging Station Safe? New Security Vulnerabilities Uncovered https://thehackernews.com/2023/02/is-your-ev-charging-station-safe-new.html
Two new security weaknesses discovered in several electric vehicle
(EV) charging systems could be exploited to remotely shut down charging stations and even expose them to data and energy theft. The findings, which come from Israel-based SaiFlow, once again demonstrate the potential risks facing the EV charging infrastructure.
Tomi Engdahl says:
https://hackaday.com/2023/02/03/smart-ovens-are-doing-dumb-checks-for-internet-connectivity/