https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.
Tomi Engdahl says:
IoT Security: Backdooring a smart camera by creating a malicious firmware upgrade
https://www.youtube.com/watch?v=hV8W4o-Mu2o
In this video we look at reverse engineering a basic firmware format of a commonly found IoT camera – and then creating a backdoored firmware that calls back to our command & control server and allows us to remotely control it!
Camera in the video: Wyze Cam v2
Scripts from the video:
https://github.com/ghidraninja/wyze_scripts/tree/master
A lot more information on the hardware and software, as well as an awesome custom firmware can be found here:
https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks
Tomi Engdahl says:
https://apple.news/A9K4BPNoGRQGRUlKI9frXZw
There will be 100+ million of these in use in America this year. Apple’s next step is going to be interesting
AirTags Can Be Used To Figure Out When a House Is Empty, Researcher Warns
https://www.vice.com/en/article/jg8mvy/airtags-can-be-used-to-figure-out-when-a-house-is-empty-researcher-warns
A security researcher warns that a feature that displays when an AirTag was last seen could give away some sensitive information about its surroundings.
A security researcher has found another creepy and potentially dangerous way to use AirTags, Apple’s new small tracking devices, to stalk people and figure out when a house, apartment, or office is empty.
Apple is marketing the AirTag, a 1.26-inch Bluetooth-enabled Apple-branded button, as the most secure and reliable way to track whatever object you don’t want to lose, such as a backpack, keys, a purse, a wallet, or even a pet.
Privacy activists have already sounded the alarm about the AirTag’s potential to be used as a stalking device. Lukasz Krol, a digital security specialist with Internews, has now found another way to misuse them.
Tomi Engdahl says:
Mercedes Benz MBUX security research report https://keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf
This report showed how we performed our security research on Mercedes-Benz's newest infotainment system, MBUX. [...] we demonstrated what the attacker could do [...] for two attack scenarios, the removed head units and the real-world vehicles [... to ...] send arbitrary CAN messages on T-Box and how to bypass the code signing mechanism to flash a custom SH2A MCU firmware
Tomi Engdahl says:
Eufycam Wi-Fi security cameras streamed video feeds from other people’s homes
Plus: Biden’s order on security, US govt acquiring data on citizens, and more
https://www.theregister.com/2021/05/17/in_brief_security/
Unlucky owners of Eufycam security cameras were horrified earlier today when they opened their app for the equipment and saw video streams from strangers’ homes instead of their own.
A software bug was blamed for the fault, which has been corrected, we’re told.
These 1080p Wi-Fi-connected devices are made by Anker, and are designed to be used indoors and outdoors. They can record to microSD cards and/or the cloud, and viewable via a mobile app. On Monday, some users found themselves staring at feeds from other people’s homes – even those in other countries – and feared they were being watched, too.
“I use Eufy to monitor my baby daughter’s room,” said one Redditor. “Tonight I logged into the app and instead have complete access to the security systems of someone in a different country. I can view streams from all of their cameras, turn lights on and off, and have access to the HomeBase settings. Their contact details including email addresses appear in my app.
“This is a terrible security and privacy breach. If I’m able to view other people’s cameras, anyone could be looking in on my daughter. I have unplugged the camera in her room for now, but I imagine this is seriously bad news for Eufy. I will certainly be contacting a lawyer in the morning.”
A spokesperson for Anker told us just a small number of customers were affected
Tomi Engdahl says:
Cryptocurrencies and NFTs may be catching everyone’s attention, but there are better uses for blockchain.
Forget Cryptocurrencies and NFTs—Securing Devices Is the Future of Blockchain Technology
https://spectrum.ieee.org/telecom/standards/forget-cryptocurrencies-and-nftssecuring-devices-is-the-future-of-blockchain-technology
Cryptocurrencies and nonfungible tokens (NFTs) may be all the rage right now, but they’re overshadowing better uses for blockchain and other distributed-ledger technologies. Rather than using them to disrupt financial systems or the art world, distributed ledgers can be used to create trust among Internet of Things devices, which is essential for any successful IoT network.
Trust among devices can enable scenarios like an autonomous security robot checking the security clearances of drones flying overhead, or a self-checkout register at a grocery store that flags recalled meat when someone tries to buy it. Unfortunately, these use cases exist in primarily theoretical or pilot stages, while flashy crypto applications garner the most attention. But finally, an upcoming smart-home standard is using blockchain to create trust among devices.
The new standard, put forth by the Project Connected Home over IP (CHIP) working group in the Zigbee Alliance, an organization developing the ZigBee wireless standard, focuses on improving IoT-device compatibility. That includes making sure devices from different manufacturers can securely interact with one another. Project CHIP’s ledger is one of the first scaled-out blockchain efforts outside of cryptocurrency launches.
CHIP’s standard describes a blockchain-based ledger that contains each CHIP-certified device, its manufacturer, and facts about that device, such as the current version of its software and whether or not it has received a particular update. The standard also includes other basic security features such as encryption among devices.
What’s great about this blockchain approach is that it eliminates the need for users to track and monitor the security of all their devices. Depending on how the ledger is set up, it could also alert people to device vulnerabilities. The ledger could even be used to automatically quarantine those vulnerable devices.
CHIP hasn’t shared a lot of details on the ledger yet
While CHIP’s ledger may not be as flashy as an NFT selling for over US $60 million, it’s an important step toward a more useful approach to distributed ledgers. A device’s ability to establish its bona fides and list its software patches over its lifetime is invaluable for device security.
Tomi Engdahl says:
Amazon’s Sidewalk Network Is Turned On by Default. Here’s How to Turn It Off https://www.inc.com/jason-aten/amazons-sidewalk-network-is-turned-on-by-default-heres-how-to-turn-it-off.html
First, let’s talk about Sidewalk. The idea behind it is actually really smart: make it possible for smart home devices to serve as a sort of bridge between your WiFi connection and one another. That way, if your Ring doorbell, for example, isn’t located close to your WiFi router, but it happens to be near an Echo Dot, it can use Sidewalk to stay connected.
Tomi Engdahl says:
TV remote turned into a listening device https://www.kaspersky.com/blog/rsa2021-tv-remote-listening-device/40022/
Having studied the remote’s firmware (with a copy conveniently stored on the set-top box’s hard drive), the researchers were able to determine the alterations that would enable the firmware to command the remote control to turn on the microphone and transmit sound over the radio channel.
Tomi Engdahl says:
https://spectrum.ieee.org/telecom/standards/forget-cryptocurrencies-and-nftssecuring-devices-is-the-future-of-blockchain-technology
Tomi Engdahl says:
Guidelines from NIST form a good template for improving #cybersecurity in any #IoT design
https://buff.ly/3oMVxS8
Tomi Engdahl says:
New regulations will soon set cybersecurity requirements to almost all electronics, regardless of industry. In particular, the product development process is under the magnifying glass. What does it take to ensure that end products will be compliant? Read our tips!
3 tips towards developing cybersecure products
https://www.etteplan.com/stories/3-tips-towards-developing-cybersecure-products?utm_source=facebook&utm_medium=paid&utm_campaign=SES_3_tips_towards_developing_cybersecure_products_continuous_en_21&utm_content=article&fbclid=IwAR26-I7g_kjfJs4KG-Pqm_JALhYoLx0JnP28SVl5nmYQBOwaINjzPFP8bZw
New regulations will soon set cybersecurity requirements for almost all electronic products. For manufacturers this will mean that security should be integrated into the product development process. What does it take to ensure that end products are going to fulfill the rules?
If a product such as embedded electronics seems more like hardware than software, cybersecurity can easily be missed or belittled. If that happens, and the product is launched in the market, it is prone to be easy prey for cyberattacks. In the worst case, the product can be dangerous to its users.
“A common misconception is to simply develop a product first, and to perform a quick vulnerability test as the very last thing in the development process. Another misconception is to believe that the developers are highly skilled and will take cybersecurity into account automatically without any need to specify or demand anything”, says Mikko Lindström, Etteplan’s Director of Software Testing and Cybersecurity.
Tomi Engdahl says:
Tietoturvamerkki webinar: the security of smart devices worries buyers and sellers
https://www.uusiteknologia.fi/2021/05/27/alylaitteiden-tietoturva-mietityttaa-ostajia-ja-myyjia/
Tomi Engdahl says:
How to stop your IoT devices from being hacked. http://on.forbes.com/6189yHzx3
FBI ‘Drive-By’ Hacking Warning Suddenly Gets Real—Change This Critical Setting Today
https://www.forbes.com/sites/zakdoffman/2021/05/29/serious-warning-issued-fbi-drive-by-hacking-gets-real-this-is-how-to-stop-it/
When the FBI warned that hackers can use the smart gadgets you have at home “to do a virtual drive-by of your digital life,” it was smart connected gadgets they had in mind. This week’s report into a vulnerability with cheap smart plugs available on Amazon can be added to recent warnings about kitchen gadgets and security cameras.
“I don’t think people even understand what a router does,” warns ESET cyber guru Jake Moore. “Most people don’t want to change the password, let alone go into the settings on the router. Many people don’t even realize there are two passwords.”
And so, the highlighting of this issue this week is critical. Treat your router like your internet “mothership,” Moore says. “Lots of people haven’t changed their ISP for years, and so they’ll have an old router, possible six, even ten years old.” And that means that the security on the device itself is likely lacking, and you probably haven’t been into the settings, updated the firmware or changed the password for years—if ever.
I have commented before on broader IoT security—give some thought to the number of devices you connect to your home internet, remember, each device is a bridge between your home and the outside world. Think that through.
For those you do connect—including computers, phones, tablets, smart toys, kitchen gadgets, appliances, TVs and the rest—change all default passwords, and make each one unique—use a password manager or write them down. Update the firmware and enable auto-updates if available. And, ideally, enable the guest network on your WiFi for all your IoT devices—everything except your phones and computers.
For your router, this is really important. Make sure you understand the different devices that connect your home network to the outside world. Do you run a single router/modem that connects to your ISP and also runs your WiFi? If so, ensure you have the admin credentials, make sure you’ve kept the firmware updated and that you are not using the default out-the-box password.
“People think ‘this is not going to happen to us’,” Moore says, “and that’s a really key point here. People still think ‘that’ll never happen to me’. Think of your router as the mothership of your home network. That’s the number one thing you need to protect. You need to have a big, big wall around it—and then another wall around it as well. Just think—if anyone gets into that, they’ve got into everything.”
Tomi Engdahl says:
https://www.uusiteknologia.fi/2021/05/27/alylaitteiden-tietoturva-mietityttaa-ostajia-ja-myyjia/
Finland introduced the Tietoturvamerkki (Cybersecurity Label), which indicates the information security of smart devices, at the end of 2019, but device security still worries not only consumers but also sellers and device manufacturers. Traficom held an online webinar on the information security of smart devices yesterday.
Tomi Engdahl says:
ETSI EN 303 645 highlights — European benchmark standard for consumer smart device cybersecurity
Tomi Engdahl says:
https://tietoturvamerkki.fi/
Tomi Engdahl says:
A New Bug in Siemens PLCs Could Let Hackers Run Malicious Code Remotely https://thehackernews.com/2021/05/a-new-bug-in-siemens-plcs-could-let.html
Siemens on Friday shipped firmware updates to address a severe vulnerability in SIMATIC S7-1200 and S7-1500 programmable logic controllers (PLCs) that could be exploited by a malicious actor to remotely gain access to protected areas of the memory and achieve unrestricted and undetected code execution, in what the researchers describe as an attacker’s “holy grail.”
Tomi Engdahl says:
PoC published for new Microsoft PatchGuard (KPP) bypass https://therecord.media/poc-published-for-new-microsoft-patchguard-kpp-bypass/
A security researcher has discovered a bug in PatchGuard, a crucial Windows security feature, that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel. This code can now be weaponized and added to active malware strains as a way for those malware families to gain even more dangerous features and the ability to plant rootkits to improve the efficacy of their attacks.
Tomi Engdahl says:
No Time to Waste: Three Ways to Quickly Reduce Risk in Critical Infrastructure Environments
https://www.securityweek.com/no-time-waste-three-ways-quickly-reduce-risk-critical-infrastructure-environments
Earlier this month, the U.S. experienced its first major shutdown of critical infrastructure due to a cyberattack in the nation’s history. When adversaries targeted Colonial Pipeline with a disruptive ransomware attack, critical infrastructure security immediately became a mainstream concern, because the attack is unprecedented in terms of its impact. Millions of people were affected as the East Coast’s largest gasoline, diesel, and natural gas distributor suspended oil and gas delivery. What’s more, the aftermath has lingered as rising gasoline and home heating oil prices put further stress on the sector and on individuals’ wallets and plans.
For years now, the government has been warning openly and clearly of targeted attacks against government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Last July, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert in response to a growing number of attacks targeting industrial networks. The alert included broad warnings of an imminent and serious threat across all 16 critical infrastructure sectors and lengthy, detailed sets of recommendations for how to protect operational technology (OT) environments.
More recently, at the end of April, the NSA issued a second cybersecurity advisory on the risks of connecting industrial networks to IT networks. And following the attack on Colonial Pipeline, CISA and the FBI issued an alert urging critical asset owners and operators to adopt a heightened state of awareness and implement various controls in the face of ransomware attacks, including robust network segmentation between IT and OT networks, regular testing of manual controls, and the implementation of backups that are regularly tested and isolated from network connections.
Clearly, the days of the standard “crawl, walk, run” approach to implementing cybersecurity improvements are gone. We need to go straight to run. We don’t have three to five years nor the resources to physically segment networks that are geographically dispersed across, say, 100 manufacturing sites around the world. And attempting to implement the same 15+ IT security tools within an OT environment is often prohibitively time consuming, not to mention ineffective, unnecessary, and even risky in itself.
NSA Issues Guidance on Securing IT-OT Connectivity
https://www.securityweek.com/nsa-issues-guidance-securing-it-ot-connectivity
The U.S. National Security Agency (NSA) last week released a cybersecurity advisory focusing on the security of operational technology (OT) systems, particularly in terms of connectivity to IT systems.
The NSA’s advisory, titled “Stop Malicious Cyber Activity Against Connected Operational Technology,” is specifically addressed to the Department of Defense, national security system (NSS) and defense industrial base organizations, but the recommendations can be useful to any industrial company.
The advisory shares recommendations for evaluating risks and improving the securing of connections between IT systems — these can often serve as an entry point into industrial networks — and OT systems.
“Each IT-OT connection increases the potential attack surface,” the NSA said. “To prevent dangerous results from OT exploitation, OT operators and IT system administrators should ensure only the most imperative IT-OT connections are allowed, and that these are hardened to the greatest extent possible.”
Stop Malicious Cyber Activity Against Connected Operational Technology
https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF
Tomi Engdahl says:
NIST IoT cybersecurity guidelines near completion
https://www.edn.com/nist-iot-cybersecurity-guidelines-near-completion/
In late December 2020, the US created a new law requiring the National Institute of Standards and Technology (NIST) to create guidelines for implementing cybersecurity in IoT devices sold to the US government. A battery of documents, many in draft form, is now available that describe the processes involved. Recent completion of the public comment phase for the draft documents means that the NIST guidelines will soon become requirements for IoT developers seeking to sell into the federal marketplace.
The overview document – Draft NIST Special Publication 800-213, IoT Device Cybersecurity Guidance for the Federal Government – provides background and recommendations to help federal agencies consider how an IoT device that they seek to utilize should integrate into their information systems. The document presents both the IoT devices and their support for security controls in the context of organizational and system risk management, offering guidance on considering system security from the device perspective. The goal is for agencies to identify the device cybersecurity requirements, the abilities and actions they should expect from the IoT device and its manufacturer or third parties, that their systems will require to ensure appropriate security capabilities.
The guidance that SP 800-213 provides begins with the framework defined in NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, which has been available since May 2020. NISTIR 8259 describes six recommended activities that manufacturers should consider performing to improve the foundational cybersecurity of their new IoT devices.
Tomi Engdahl says:
Obsolescence by design hampers computer systems
https://www.edn.com/obsolescence-by-design-hampers-computer-systems/
Tomi Engdahl says:
10 Critical Flaws Found in CODESYS Industrial Automation Software https://thehackernews.com/2021/06/10-critical-flaws-found-in-codesys.html
Cybersecurity researchers on Thursday disclosed as many as ten critical vulnerabilities impacting CODESYS automation software that could be exploited to achieve remote code execution on programmable logic controllers (PLCs).
Tomi Engdahl says:
Serious Vulnerabilities Found in CODESYS Software Used by Many ICS Products
https://www.securityweek.com/serious-vulnerabilities-found-codesys-software-used-many-ics-products
Researchers have discovered 10 vulnerabilities — a majority rated critical or high severity — in CODESYS industrial automation software that is used in many industrial control system (ICS) products.
Researchers at Russian cybersecurity company Positive Technologies identified the vulnerabilities in various products made by CODESYS. They initially found the flaws in a programmable logic controller (PLC) made by WAGO, but further analysis showed that the issues were actually introduced by CODESYS software that is used by more than a dozen manufacturers for their PLCs, including Beckhoff, Kontron, Moeller, Festo, Mitsubishi, HollySys and several Russian firms.
Tomi Engdahl says:
Key management for OT and IoT
https://docbox.etsi.org/Workshop/2018/201810_IoTWEEK/02_IoTWORKSHOP/S06_PART1_IoT_IN_ACTION/PKI_MNGT_OT_IoT_INFOCERT-RIZZO_ENEL-PUGNI.pdf
OT and IoT vs IT environment. The authentication issue, the very first problem: How can each device trust that each other party really is who it is declaring to be?
Is this guy/machine really entitled to perform this action?
The answer is identity/role management and related reliable techniques:
The Authentication process and Role Based Access Control
Two main scenarios are to be considered:
•Human to Machine: the classical User and Password auth method is widely used (e.g. MS AD)
•Machine to Machine (OT and IoT stuff): User and Password are not really suitable.
Some key issues remain:
•When the parties are not able to exchange public keys personally, who guarantees the authenticity of the keys themselves?
•How do we share and distribute public keys while private keys are protected?
•How can we handle expiration, revocation and renewal of key pairs?
Categorization: IEC 62351-8 profiles to transmit role information
Current IEC 62351-8:
•Profile A: X.509v3 public key certificate with included role information as certificate extension
•Profile B: X.509v3 Attribute certificate bound to a public key certificate, which uses the same certificate extension
•Profile C: Software token (HMAC-protected structure, Kerberos like), which encapsulates the same information contained in the certificate extension
Upcoming:
•JSON web token
•Radius
OT and IoT systems Key Management: PKI requirements
OT and IoT environments are not comfortable with traditional monolithic PKI systems based on centralized architectures.
OT and IoT require PKI systems:
•Able to run on public SaaS and IaaS cloud infrastructure (private and public) but also on segregated networks in on-premises environments. The concept is to have a «quickly inflatable meta-PKI»
•Flexible creation and management of Subordinate CAs in order to allow the support of multiple environments
•State of the art enrollment procedure using automated protocols and tools.
•Easy (and sustainable) scalability in terms of certificate numbers and service deployment
•e-API management interface (e.g. for easy integration with AWS platforms) for the certificate life cycle management
•Both ID and Attribute Certificate support to completely enable Role Based Access Control profiles
•Full state of the art PKI standard support compliant with IEC 62351-9 and IEC 62351-8
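As an added illustration of the "Profile C" idea above (an HMAC-protected software token carrying role information) and of the expiration/revocation questions the slides raise, here is a small Python token issuer and verifier. It is example code written for this page, not the IEC 62351-8 wire format and not the slide authors' code: the field names, the encoding and the revocation list are assumptions for the demonstration.

```python
"""Illustrative HMAC-protected role token (added example, assumed format)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key.  The slides' point is that such a key has to be
# provisioned per party through an automated enrollment procedure.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, subject, roles, lifetime_s, now=None, token_id=None):
    """Return 'payload.tag'; the HMAC tag covers the whole encoded payload."""
    now = time.time() if now is None else now
    claims = {
        "jti": token_id or secrets.token_hex(8),  # token id, used for revocation
        "sub": subject,                           # device or operator identity
        "roles": sorted(roles),                   # role information (RBAC)
        "nbf": int(now),                          # not valid before
        "exp": int(now + lifetime_s),             # expiry
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(tag)


def verify_token(key, token, now=None, revoked=frozenset()):
    """Return the claims of a trustworthy token, or None if it must be rejected."""
    now = time.time() if now is None else now
    try:
        payload, tag = token.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a plain '==' leaks how many tag bytes matched.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(payload))
        if claims["jti"] in revoked:                   # explicitly revoked
            return None
        if not claims["nbf"] <= now < claims["exp"]:   # outside validity window
            return None
        return claims
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return None  # malformed token: treated exactly like a forged one


def is_authorized(key, token, required_role, now=None, revoked=frozenset()):
    """RBAC decision: allowed only with a valid, unrevoked token holding the role."""
    claims = verify_token(key, token, now, revoked)
    return claims is not None and required_role in claims["roles"]


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token(DEMO_KEY, "rtu-17", ["operator"], 3600, now=t0, token_id="tok1")
    print(is_authorized(DEMO_KEY, tok, "operator", now=t0 + 60))    # True
    print(is_authorized(DEMO_KEY, tok, "engineer", now=t0 + 60))    # False: role missing
    print(is_authorized(DEMO_KEY, tok, "operator", now=t0 + 7200))  # False: expired
    print(is_authorized(DEMO_KEY, tok, "operator", now=t0 + 60, revoked={"tok1"}))  # False
```

Note that with a symmetric tag every verifier holds the issuing key, which is why the slides' Profiles A and B (X.509 certificates) remain the choice when verifiers must not be able to mint tokens.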
Tomi Engdahl says:
Butt Plug Hacking! Real Penetration Testing – DEF CON 27
YouTube
13 Aug 2019
https://www.google.com/url?sa=t&source=web&rct=j&url=https://m.youtube.com/watch%3Fv%3DCsQ2VWEfduM&ved=2ahUKEwjayaL9_ozxAhXK_CoKHf_PCowQxa8BegQICxAE&usg=AOvVaw1j8kdw2SCFbS4NsUVSY7eP
https://www.google.com/search?q=real+penetration+testing+sex+toy
Tomi Engdahl says:
https://www.etteplan.com/stories/towards-less-vulnerable-embedded-electronics-new-regulation-cybersecurity?utm_source=facebook&utm_medium=paid&utm_campaign=SES_towards_less_vulnerable_embedded_electronics_new_regulation_cybersecurity_continuous_en_21&utm_content=article&fbclid=IwAR2MX8uMIWL0_vH2KWRAJeKM3wmaiy_jaR6MXgCmE0KK3Z4-edxKISavG5A
Tomi Engdahl says:
https://www.edn.com/protecting-embedded-iot-devices-with-fuzz-testing/
Tomi Engdahl says:
New Top 20 Secure-Coding List Positions PLCs as Plant ‘Bodyguards’
https://www.darkreading.com/vulnerabilities—threats/new-top-20-secure-coding-list-positions-plcs-as-plant-bodyguards/d/d-id/1341289
Programmable logic controllers (PLCs) traditionally have been considered inherently insecure. But a new security initiative that outlines 20 best practices for coding the industrial computing device aims to reimagine the PLC as the last line of cyber defense in an industrial process. A group of cybersecurity experts and automation engineers has created an open source guide with 20 recommendations for configuring PLCs for resilience in case of a security incident or misconfiguration on the industrial network.
Tomi Engdahl says:
CISA Warns of Threat Posed by Ransomware to Industrial Systems
https://www.securityweek.com/cisa-warns-threat-posed-ransomware-industrial-systems
Following the devastating attack on Colonial Pipeline, the largest refined products pipeline in the United States, the Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet focusing on the threat posed by ransomware to operational technology (OT) assets and industrial control systems (ICS).
The Colonial Pipeline attack, which involved Russian cybercriminals and the Darkside ransomware, forced the company to shut down operations. The incident had significant implications, including states declaring a state of emergency, temporary gas shortages, and gas prices rising.
“OT components are often connected to information technology (IT) networks, providing a path for cyber actors to pivot from IT to OT networks,” CISA said. “Given the importance of critical infrastructure to national security and America’s way of life, accessible OT assets are an attractive target for malicious cyber actors seeking to disrupt critical infrastructure for profit or to further other objectives. As demonstrated by recent cyber incidents, intrusions affecting IT networks can also affect critical operational processes even if the intrusion does not directly impact an OT network.”
Tomi Engdahl says:
Implement secure update in IoT designs
https://www.edn.com/implement-secure-update-in-iot-designs/?utm_content=buffer14124&utm_medium=social&utm_source=edn_facebook&utm_campaign=buffer
As devices proliferate in the IoT, security concerns continue to rise. Not only do devices need to keep their data and functionality resistant to cyberattacks, they must also be able to continually improve their security to keep pace with threat evolution. Implementing a secure update process is essential in IoT development.
The ability to remotely update software is both a blessing and a curse for internet-connected devices. On the plus side, software updates provide an opportunity to enhance device functionality and to fix bugs that manifested following initial product release. On the other hand, malicious actors will also try to alter your device to meet their own needs. The Catch-22, because security threats are continually evolving, is that device security essentially requires an ability to remotely update software. Despite the additional threat exposure an update ability creates, remote updates are the only economically-viable way of maintaining a defense.
The answer to this dilemma is to design your IoT device with update capabilities that are themselves secure against cyberattack.
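The device-side checks that make an update path "itself secure" are, as an added example (not code from the EDN article), shown below in Python: the manifest must be authentically signed, the version must be newer than what is installed (anti-rollback), the image must match the signed digest, and nothing is committed until all three pass. The manifest format is an assumption for the demonstration, and because the standard library has no asymmetric primitive the signature check is a pluggable function backed by HMAC here; a real device would verify an asymmetric signature so that only the vendor's private key, never a key present on the device, can sign an image.

```python
"""Secure-update acceptance checks (added example; manifest format assumed)."""
import hashlib
import hmac
import json


def hmac_verifier(key: bytes):
    """Demo stand-in for signature verification.  With an asymmetric scheme
    the device would hold only the vendor's public key, not a signing secret."""
    def verify(message: bytes, signature_hex: str) -> bool:
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature_hex)
    return verify


def make_manifest(version: int, image: bytes, signing_key: bytes) -> dict:
    """Vendor side: describe the image and sign that description."""
    body = {"version": version, "size": len(image),
            "sha256": hashlib.sha256(image).hexdigest()}
    canonical = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(signing_key, canonical, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class Device:
    """Device side: the installed version is the anti-rollback floor."""

    def __init__(self, installed_version: int, verify_sig):
        self.installed_version = installed_version
        self.verify_sig = verify_sig
        self.image = None

    def apply_update(self, manifest: dict, image: bytes) -> str:
        """Return 'installed' or a 'rejected: ...' reason; nothing is written on rejection."""
        try:
            body = manifest["body"]
            canonical = json.dumps(body, sort_keys=True).encode()
            # 1. Authenticity: the manifest must carry a valid vendor signature.
            if not self.verify_sig(canonical, manifest["sig"]):
                return "rejected: bad signature"
            # 2. Anti-rollback: an older image may be validly signed yet vulnerable.
            if not isinstance(body["version"], int) or body["version"] <= self.installed_version:
                return "rejected: version not newer than installed"
            # 3. Integrity: the delivered image must match the digest that was signed.
            if len(image) != body["size"] or not hmac.compare_digest(
                    hashlib.sha256(image).hexdigest(), body["sha256"]):
                return "rejected: image does not match manifest"
        except (KeyError, TypeError):
            return "rejected: malformed manifest"
        # All checks passed: commit image and version together.
        self.image = image
        self.installed_version = body["version"]
        return "installed"


if __name__ == "__main__":
    VENDOR_KEY = b"constructed-vendor-key"          # constructed demo key
    dev = Device(installed_version=3, verify_sig=hmac_verifier(VENDOR_KEY))
    image_v4 = b"constructed firmware image v4"     # constructed demo image
    print(dev.apply_update(make_manifest(4, image_v4, VENDOR_KEY), image_v4))         # installed
    print(dev.apply_update(make_manifest(5, image_v4, VENDOR_KEY), image_v4 + b"!"))  # corrupted image
    print(dev.apply_update(make_manifest(2, image_v4, VENDOR_KEY), image_v4))         # downgrade
    print(dev.apply_update(make_manifest(6, image_v4, b"wrong-key"), image_v4))       # bad signature
```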
Tomi Engdahl says:
New IoT Security Risk: ThroughTek P2P Supply Chain Vulnerability https://www.nozominetworks.com/blog/new-iot-security-risk-throughtek-p2p-supply-chain-vulnerability/
Today we announced the discovery and responsible disclosure of a new security camera vulnerability, the latest in a series of Nozomi Networks research discoveries regarding IoT security. This particular vulnerability affects a software component from a company called ThroughTek. The component is part of the supply chain for many original equipment manufacturers (OEMs) of consumer-grade security cameras and IoT devices. ThroughTek states that its solution is used by several million connected devices.
Tomi Engdahl says:
Ransomware Poll: 80% of Victims Don’t Pay Up https://threatpost.com/ransomware-victims-dont-pay-up/166989/
Ransomware is on the rise, but what toll does it take on the real world? Threatpost set out to answer that question in an exclusive poll aimed at taking the pulse of organizations wrestling with attacks, including looking at mitigations and the defenses organizations have in place. When viewed against the backdrop of complementary reports from Cybereason and Group Salus, a nice picture emerges of how ransomware-related attitudes and security practices are evolving.
Tomi Engdahl says:
A New Program for Your Peloton Whether You Like It or Not https://www.mcafee.com/blogs/other-blogs/mcafee-labs/a-new-program-for-your-peloton-whether-you-like-it-or-not/
The McAfee Advanced Threat Research team (ATR) is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. As security researchers, something that we always try to establish before looking at a target is what our scope should be. More specifically, we often assume well-vetted technologies like network stacks or the OS layers are sound and instead focus our attention on the application layers or software that is specific to a target. Whether that approach is comprehensive sometimes doesn’t matter; and it’s what we decided to do for this project as well, bypassing the Android OS itself and with a focus on the Peloton code and implementations.
Tomi Engdahl says:
How the IEC 61850 standard structures the electrical industry
https://www.stormshield.com/news/how-the-iec-61850-standard-structures-the-electrical-industry/
The International Electrotechnical Commission writes the standards that govern how the electrical industry works. And among this proliferation of standards – which sometimes come with rather forbidding abbreviations – one has a very special role to play, as it specifies communications for electricity distribution infrastructure. We explain IEC 61850 and the cyber risks it faces.
Tomi Engdahl says:
Implement secure update in #IoT designs
#security #software
https://buff.ly/3vFbBHI
Tomi Engdahl says:
McAfee finds security vulnerability in Peloton products
Security vulnerabilities mean hackers could access popular exercise bikes and treadmills. Here’s how to secure your smart devices.
https://www.nbcnews.com/business/consumer/exclusive-mcafee-finds-security-vulnerability-peloton-products-n1270941
Tomi Engdahl says:
Matt Dougherty / KHOU-TV:
Some power companies in Texas are remotely adjusting the smart thermostats of users enrolled in their energy saving programs to reduce strain on power grids — Some said they didn’t know their thermostats were being accessed from afar until it was almost 80 degrees inside their homes.
https://www.khou.com/article/news/local/texas/remote-thermostat-adjustment-texas-energy-shortage/285-5acf2bc5-54b7-4160-bffe-1f9a5ef4362a
Tomi Engdahl says:
The internet of sh*t has struck again!
Someone’s gotta make 3rd party firmware.
Peloton Axes Free ‘Just Run’ Feature From Treadmill, Bricking It for Non-Subscribers
https://uk.pcmag.com/old-fitness/134077/peloton-axes-free-just-run-feature-from-treadmill-bricking-it-for-non-subscribers
To unlock the feature, Tread+ owners need to pay for a monthly company subscription. The move is related to the Peloton recall, and the company says it's working on a fix.
Peloton has removed a free feature from its treadmill products—the ability to just run. Instead, the company is requiring owners to pay for a monthly subscription to get the function, though it says it’s working to once again allow the Just Run option.
It sounds absurd, given that the Tread+ once sold for $4,295. But the treadmills from Peloton are no ordinary exercise machines. The company also sells video exercise programs for the treadmills through a subscription service, which can cost $39 a month.
The removal of Just Run is related to a voluntary recall it issued last month for the Tread+ and Tread product after the machines caused injuries to multiple children. In response, Peloton created a locking feature to prevent unauthorized access to the equipment. But the change came at the expense of Just Run.
“Unfortunately, Tread Lock is not yet available without a Peloton Membership, which means Tread+ owners without a subscription cannot access Just Run at this time.”
Still, Peloton says it’s “working on updates to Tread Lock that will allow us to make Tread Lock and Just Run available without a Peloton Membership,” without elaborating.
“How is this even possible that we cannot use the bike or tread anymore without a membership?! They’re basically just paperweights now!” she wrote.
“I want Peloton to do the right thing here,” she told PCMag. “Because their long-term success hinges on people feeling like they provide a good value. If people are scared their $3,000 investment is going to end up a paperweight, we don’t help Peloton by excusing that.”
Tomi Engdahl says:
Dan Goodin / Ars Technica:
After hackers wiped many of Western Digital’s My Book Live devices, a look at the code suggests the manufacturer had removed authentication code — Western Digital removed code that would have prevented the wiping of petabytes of data. — Update 6/29/2021, 9:00 PM: Western Digital …
Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices [Updated]
Western Digital removed code that would have prevented the wiping of petabytes of data.
https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/
Update 6/29/2021, 9:00 PM: Western Digital has published an update that says the company will provide data recovery services starting early next month. My Book Live customers will also be eligible for a trade-in program so they can upgrade to My Cloud devices. A spokeswoman said the data recovery service will be free of charge.
The company also provided new technical details about the zeroday, which is now being tracked as CVE-2021-35941.
Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability but also a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.
The vulnerability is remarkable because it made it trivial to wipe what is likely petabytes of user data. More notable still was that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.
Done and undone
The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the devices.
Normally, and for good reason, factory resets require the person making the request to provide a user password. This authentication ensures that devices exposed to the Internet can only be reset by the legitimate owner and not by a malicious hacker.
As the following script shows, however, a Western Digital developer created five lines of code to password-protect the reset command. For unknown reasons, the authentication check was cancelled, or in developer parlance, it was commented out, as indicated by the double / character at the beginning of each line.
function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
    // if(!authenticateAsOwner($queryParams))
    // {
    //     header("HTTP/1.0 401 Unauthorized");
    //     return;
    // }
“The vendor commenting out the authentication in the system restore endpoint really doesn’t make things look good for them,” HD Moore, a security expert and the CEO of network discovery platform Rumble, told Ars. “It’s like they intentionally enabled the bypass.”
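Added example (not code from Western Digital or from Ars Technica): a small Python audit that walks PHP handler functions and reports whether an owner-authentication guard is active, commented out as in the My Book Live post() function quoted above (and summarized again in the comment below), or absent altogether. The PHP samples are constructed from the quoted lines; factory_restore() and the list of recognised authentication calls are assumptions.

```python
import re

# Constructed from the lines quoted above: the handler with its owner check
# commented out (the vulnerable state). factory_restore() is a placeholder.
VULNERABLE_PHP = """<?php
function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
//    if(!authenticateAsOwner($queryParams))
//    {
//        header("HTTP/1.0 401 Unauthorized");
//        return;
//    }
    factory_restore();
}
"""

# The same handler with the guard active, as it should have shipped.
HARDENED_PHP = VULNERABLE_PHP.replace("//    ", "    ")

# Calls treated as authentication guards (assumed list; extend per code base).
AUTH_CALLS = ("authenticateAsOwner",)
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")


def audit_handlers(php_source: str) -> dict:
    """Map each PHP function name to 'ok', 'commented_out' or 'missing'.
    Function extent is found by brace counting; comments are // # and /* */.
    """
    status, current, depth, in_block = {}, None, 0, False
    for line in php_source.splitlines():
        stripped = line.strip()
        # Classify the line as comment or live code before inspecting it.
        if in_block or stripped.startswith("/*"):
            commented, in_block = True, "*/" not in stripped
        else:
            commented = stripped.startswith(("//", "#"))
        m = FUNC_RE.search(line)
        if current is None and m and not commented:
            current = m.group(1)
            status[current] = {"active": False, "commented": False}
        if current is not None:
            if any(name in line for name in AUTH_CALLS):
                status[current]["commented" if commented else "active"] = True
            depth += line.count("{") - line.count("}")
            if depth == 0 and "}" in line:
                current = None  # closing brace of the function reached
    return {fn: "ok" if s["active"] else "commented_out" if s["commented"] else "missing"
            for fn, s in status.items()}
```

Run in CI against endpoint handlers, a 'commented_out' or 'missing' result fails the build, which is the check that would have caught this change at review time.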
Tomi Engdahl says:
https://www.theverge.com/2021/6/29/22555959/wd-my-book-live-second-exploit-authentication-factory-reset-without-password-root-control
Tomi Engdahl says:
Black hat hackers have wiped many of Western Digital's My Book Live devices due to an older vulnerability and a 0-day bug. The zeroday is now being tracked as CVE-2021-35941. If you have one of these devices, you should unplug it from the internet before reading any further.
“The vendor commenting out the authentication in the system restore endpoint really doesn’t make things look good for them,”
The undocumented vulnerability resided in a file aptly named system_factory_restore that contains a PHP script. There were five lines of code to password-protect the reset command, but for unknown reasons, the authentication check was commented out.
Western Digital has published an update that says the company will provide data recovery services and a trade-in program.
Sources:
https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/
https://www.theverge.com/2021/6/29/22555959/wd-my-book-live-second-exploit-authentication-factory-reset-without-password-root-control
Tomi Engdahl says:
Ransomware Increasingly Detected on Industrial Systems: Report
https://www.securityweek.com/ransomware-increasingly-detected-industrial-systems-report
Trend Micro on Wednesday released a new report describing the threats affecting industrial control system (ICS) endpoints in 2020.
According to the report, ransomware infections saw a significant increase last year, mainly due to a rise in Sodinokibi (REvil), Ryuk, Nefilim and LockBit attacks launched between September and December.
The highest number of organizations that had their industrial systems hit by ransomware was seen by the cybersecurity firm in the United States, far more than in any other country. However, in terms of the percentage of organizations affected compared to the total number of organizations in the country, the U.S. was at an average level — the most impacted appear to be Vietnam, Spain and Mexico.
The report is based on data collected from ICS endpoints used to design, monitor and control industrial processes. These systems run industrial automation suites or serve as engineering workstations (EWS).
“Ransomware in ICSs can cause the loss of view or control of physical processes,” Trend Micro explained in its report. “Monitoring and control interfaces such as HMIs and EWS are reliant on image files (.jpg, .bmp, .png) and configuration files to render the interface; however, in ransomware attacks, data including configuration files and images end up encrypted, and therefore, unusable by the ICS software. Therefore, ransomware effectively cripples the HMI and EWS. This in turn leads to productivity and revenue losses for the facility.”
Tomi Engdahl says:
Thinking about selling your Echo Dot, or any IoT device? Read this first https://arstechnica.com/gadgets/2021/07/passwords-in-amazon-echo-dots-live-on-even-after-you-factory-reset-them/
Deleting data from Echo Dots, and other IoT devices from Amazon and elsewhere, is hard. Like most Internet-of-things (IoT) devices these days, Amazon’s Echo Dot gives users a way to perform a factory reset so, as the corporate behemoth says, users can “remove any… personal content from the applicable device(s)” before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices can be reassembled to retrieve a wealth of sensitive data, including passwords, locations, authentication tokens, and other sensitive data.
Tomi Engdahl says:
Embedded cyber security – regulatory news update
https://www.etteplan.com/about-us/events-webinars/embedded-cyber-security-regulatory-news-update?utm_campaign=newsletter-3-2021&utm_content=newsletter&utm_medium=email&utm_source=apsis-anp-3&pe_data=D43445A477046455B45724541514B71%7C28920388
Secure development of devices and software is becoming a regulatory requirement in EU and USA
EU and USA are via “Proposed directive on measures for a high common level of cybersecurity across the Union” (NIS2) and “Executive Order on Improving the Nation’s Cybersecurity” taking major leaps forward in turning secure development of devices and software into a regulatory requirement, starting with critical infrastructure.
While EU is via NIS2 widely expanding the scope of critical infrastructure to include all manufacturers of electronical components & products and electrical equipment as Important Entities, EU is also preparing how cyber security compliance assessments will become a part of CE-marking via new and updated regulations including Cyber Security Act, Artificial Intelligence Act, Machinery Products Regulation, Radio Equipment Directive and likely also General Product Safety Directive (proposal for new GPSD expected during Q2/2021). In USA, the recent Executive Order will within one year start to regulate critical software purchased by federal government and define the approach for consumer IoT security regulation.
Tomi Engdahl says:
10 Critical Flaws Found in CODESYS Industrial Automation Software
https://thehackernews.com/2021/06/10-critical-flaws-found-in-codesys.html
All six bugs have been rated 10 out of 10 on the CVSS scale:
CVE-2021-30189 – Stack-based Buffer Overflow
CVE-2021-30190 – Improper Access Control
CVE-2021-30191 – Buffer Copy without Checking Size of Input
CVE-2021-30192 – Improperly Implemented Security Check
CVE-2021-30193 – Out-of-bounds Write
CVE-2021-30194 – Out-of-bounds Read
Separately, three other weaknesses (CVSS scores: 8.8) disclosed in the Control V2 runtime system could be abused to craft malicious requests that may result in a denial-of-service condition or being utilized for remote code execution.
CVE-2021-30186 – Heap-based Buffer Overflow
CVE-2021-30188 – Stack-based Buffer Overflow
CVE-2021-30195 – Improper Input Validation
Tomi Engdahl says:
7-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access
https://thehackernews.com/2021/06/7-year-old-polkit-flaw-lets.html
GitHub Discloses Details of Easy-to-Exploit Linux Vulnerability
https://www.securityweek.com/github-discloses-details-easy-exploit-linux-vulnerability
Tomi Engdahl says:
https://www.edn.com/nist-iot-cybersecurity-guidelines-near-completion/
Tomi Engdahl says:
Key management for OT and IoT
https://docbox.etsi.org/Workshop/2018/201810_IoTWEEK/02_IoTWORKSHOP/S06_PART1_IoT_IN_ACTION/PKI_MNGT_OT_IoT_INFOCERT-RIZZO_ENEL-PUGNI.pdf
Tomi Engdahl says:
SECURITY ASPECTS OF SMART GRID COMMUNICATION (Spine title: Security Aspects of Smart Grid Communication) (Thesis format: Monograph)
https://core.ac.uk/download/pdf/61634042.pdf
Tomi Engdahl says:
Unified Field Area Network Architecture for Distribution Automation
https://www.cisco.com/c/dam/en_us/solutions/industries/docs/energy/ida_wp.pdf
Tomi Engdahl says:
file:///C:/Users/hengtom/AppData/Local/Temp/APN-051%20Setting%20up%20RBAC%20for%20Siemens%20Digital%20Grid%20Products.pdf