The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.

1,724 Comments

  1. Tomi Engdahl says:

    Insteon’s Smart Home Cloud Closes Down, But the Open Source Home Assistant Leaps to the Rescue
    A bankruptcy means Insteon devices are no longer smart, but Home Assistant stands ready to take over — and run entirely locally, too.
    https://www.hackster.io/news/insteon-s-smart-home-cloud-closes-down-but-the-open-source-home-assistant-leaps-to-the-rescue-e4dbd26c78ce

    Reply
  2. Tomi Engdahl says:

    Unfixed vulnerability in popular library puts IoT products at risk | Malwarebytes Labs
    https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/unfixed-vulnerability-in-popular-library-puts-iot-products-at-risk/
    Researchers have found a vulnerability in a popular C standard library in IoT products that could allow attackers to perform DNS poisoning attacks against a target device.
    The library is known to be used by major vendors such as Linksys, Netgear, and Axis, but also by Linux distributions such as Embedded Gentoo. Because the library maintainer was unable to develop a fix, this vulnerability remains unpatched. For this reason, the affected devices were not mentioned in detail.
    In this case, the library at hand is uClibc, one of the possible C standard libraries available, which focuses specifically on embedded systems because of its size. Because uClibc is a relatively small C standard library intended for Linux kernel-based operating systems for embedded systems and mobile devices. Features can be enabled or disabled to match space requirements.
    One of the main ingredients to protect us against DNS poisoning is the transaction ID. This is a unique number per request that is generated by the client, added in each request sent, and that must be included in a DNS response to be accepted by the client as the valid one for that particular request. So while this transaction ID should be as random as possible, the researchers found that there is a pattern. At first the transaction ID is incremental, then it resets to the value 0×2, then it is incremental again.
    While figuring out where this pattern comes from, the researchers eventually found out that the code responsible for performing the DNS requests is not part of the instructions of the executable itself, but is part of the C standard library in use, namely uClibc 0.9.33.2.
    Given that the transaction ID is now predictable, to exploit the vulnerability an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response incoming from the DNS server. As the function does not apply any explicit source port randomization, it is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port.
    Mitigation
    Since the library maintainer has indicated he is unable to develop a fix, this vulnerability remains unpatched. The researchers are working with the maintainer of the library and the broader community in order to find a solution. The maintainer explicitly asked to publicly disclose the vulnerability, hoping for help from the community.
    Because of the absence of a fix, the researchers did not disclose the specific devices that they found to be vulnerable. They did however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure.
    The vulnerability was disclosed to 200+ vendors invited to the VINCE case by CERT/CC since January 2022, and a 30-day notice was given to them before the public release.
    If you suspect that your router has been affected by DNS cache poisoning, have a look at our article DNS Hijacks: Routers where you will find some information on how to resolve such matters. When it is purely a case of router DNS caching, I have yet to find a router where resetting the router and leaving it off for at least 30 seconds did not clear the cache. But note that this does not resolve an ongoing attack or remove the vulnerability. It’s just a matter of symptom management.

    Reply
  3. Tomi Engdahl says:

    Pre-Boot Security Gets More Secure
    March 12, 2021
    Lattice Semiconductor takes its Sentry security solution to the next level, with boot times improving by up to 400%.
    https://www.electronicdesign.com/industrial-automation/article/21156604/electronic-design-preboot-security-gets-more-secure

    Lattice Semiconductor has been shipping the initial version of its Sentry pre-boot security solution for a while now, but heightened security requires even more robust hardware support. Its Mach-NX secure FPGA platform implements Sentry version 1. The new Sentry 2.0 (Fig. 1) provide enhancements to all aspects of the system. This includes support for 384-bit elliptical curve cryptography (ECC) while significantly increasing Elliptic Curve Digital Signature Algorithm (ECDSA) speed. SHA hashing speed has more than quadrupled.

    Reply
  4. Tomi Engdahl says:

    Businesses are adding more cloud connection requirements to IoT/OT environments that were designed to be closed loops. In a truly air-gapped environment, most if not all communications between devices are considered trustworthy without extensive validation. With increased internet connectivity and the risks that come with it trust needs to be earned.

    Reply
  5. Tomi Engdahl says:

    https://hackaday.com/2022/05/13/this-week-in-security-f5-twitter-poc-certifried-and-cloudflare-pages-pwned/
    TLStorm 2

    Are you running Aruba or Avaya hardware? Time to check for firmware updates, as Armis just released the TLStorm 2 disclosure. It’s similar to the earlier problems found in APC battery backups. Once again, the nanoSSL library is embedded in device firmware, and there are flaws both in the library and the integration. In both brands, the flaws allow for pre-auth RCE, but thankfully these interfaces aren’t normally exposed to the open internet.

    TLStorm 2 – NanoSSL TLS library misuse leads to vulnerabilities in common switches
    https://www.armis.com/blog/tlstorm-2-nanossl-tls-library-misuse-leads-to-vulnerabilities-in-common-switches

    Armis has discovered five vulnerabilities in the implementation of TLS communications in multiple models of Aruba and Avaya switches. The vulnerabilities stem from a similar design flaw identified in the TLStorm vulnerabilities (discovered earlier this year by Armis) and expand the reach of TLStorm to potentially millions of additional enterprise-grade network infrastructure devices.

    In March 2022, Armis disclosed TLStorm – a set of critical vulnerabilities in APC Smart-UPS devices. The vulnerabilities allow an attacker to take control over Smart-UPS devices from the internet with no user interaction and make the UPS literally go up in smoke. The root cause for these vulnerabilities was a misuse of NanoSSL, a popular TLS library by Mocana.

    Reply
  6. Tomi Engdahl says:

    Researchers Find Way to Run Malware on iPhone Even When It’s OFF https://thehackernews.com/2022/05/researchers-find-way-to-run-malware-on.html
    A first-of-its-kind security analysis of iOS Find My function has demonstrated a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that’s executed while an iPhone is “off.”. The mechanism takes advantage of the fact that wireless chips related to Bluetooth, Near-field communication (NFC), and ultra-wideband (UWB) continue to operate while iOS is shut down when entering a “power reserve” Low Power Mode (LPM).

    Reply
  7. Tomi Engdahl says:

    Defending the Healthcare Security Landscape in the Age of Connected Devices
    https://www.securityweek.com/defending-healthcare-security-landscape-age-connected-devices

    Reply
  8. Tomi Engdahl says:

    STMicro Teams with AWS, Microsoft on IoT Development
    May 12, 2022
    STMicroelectronics joins forces with AWS for secure IoT links to its cloud and with Microsoft on quicker development of highly secure IoT devices.
    https://www.electronicdesign.com/technologies/embedded-revolution/article/21241681/microwaves-rf-stmicro-teams-with-aws-microsoft-on-iot-development?utm_source=EG+ED+Connected+Solutions&utm_medium=email&utm_campaign=CPS220510036&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R

    In separate collaborative efforts with Amazon Web Services (AWS) and Microsoft, STMicroelectronics is extending its reach into the IoT realm. On the AWS front, STMicro now offers a reference implementation that makes for easier and secure connection of IoT devices to the AWS cloud. Meanwhile, in a joint effort with Microsoft, STMicro has endeavored to strengthen the security of emerging IoT applications.

    Reply
  9. Tomi Engdahl says:

    New Bluetooth Hack Could Let Attackers Remotely Unlock Smart Locks and Cars https://thehackernews.com/2022/05/new-bluetooth-hack-could-let-attackers.html
    A novel Bluetooth relay attack can let cybercriminals more easily than ever remotely unlock and operate cars, break open residential smart locks, and breach secure areas. The vulnerability has to do with weaknesses in the current implementation of Bluetooth Low Energy (BLE), a wireless technology used for authenticating Bluetooth devices that are physically located within a close range.

    Reply
  10. Tomi Engdahl says:

    DOJ Announces It Won’t Prosecute White Hat Security Researchers https://www.vice.com/en/article/v7d9nb/department-of-justice-security-researchers-new-cfaa-policy
    On Thursday the Department of Justice announced a policy shift in that it will no longer prosecute good-faith security research that would have violated the country’s federal hacking law the Computer Fraud and Abuse Act (CFAA).

    Reply
  11. Tomi Engdahl says:

    IoT Security: Backdooring a smart camera by creating a malicious firmware upgrade
    https://www.youtube.com/watch?v=hV8W4o-Mu2o

    In this video we look at reverse engineering a basic firmware format of a commonly found IoT camera – and then creating a backdoored firmware that calls back to our command & control server and allows us to remotely control it!

    Camera in the video: Wyze Cam v2

    https://github.com/ghidraninja/wyze_scripts/tree/master

    Reply
  12. Tomi Engdahl says:

    FreeRTOS boost with secure microcontroller deals
    Business news | May 16, 2022
    https://www.eenewseurope.com/en/freertos-boost-with-secure-microcontroller-deals/

    Following a deal with STMicroelectronics, Amazon has also developed cloud integrations for its FreeRTOS real time operating system with secure microcontrollers from NXP using ARM and Espressif using RISC-V. The FreeRTOS IoT integrations with the Amazon Web Services (AWS) cloud are designed for improved security using a combination of FreeRTOS…

    Reply
  13. Tomi Engdahl says:

    Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1
    2022
    https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/
    Popular for compromising internet-connected devices and conducting distributed denial of service (DDoS) attacks, Mirai malware variants have been known to compromise devices that run on Linux builds ranging from mobile and Internet of Things (IoT) devices to cloud infrastructures. According to internal and open-source data analyzed by the CrowdStrike malware research team, while the ARM CPU architecture (used in most mobile and IoT devices) remains the most prevalent among Mirai variants, the number of 32-bit x86 Mirai variants (used on Linux servers and networking equipment) increased by 120% in Q1 2022 compared to Q1 2021.

    Reply
  14. Tomi Engdahl says:

    Critical Flaws in Popular ICS Platform Can Trigger RCE | Threatpost
    https://threatpost.com/critical-flaws-in-popular-ics-platform-can-trigger-rce/179750/
    Cisco Talos discovered eight vulnerabilities in the Open Automation Software, two of them critical, that pose risk for critical infrastructure networks.
    Critical flaws in a popular platform used by industrial control systems (ICS) that allow for unauthorized device access, remote code execution (RCE) or denial of service (DoS) could threaten the security of critical infrastructure.
    Researchers Jared Rittle of Cisco Talos discovered a total of eight vulnerabilities—two of them critical–in the Open Automation Software (OAS) Platform, the most serious of which allows an attacker to execute arbitrary code on a targeted machine, according to a blog post published this week. The flaws affect Open Automation Software OAS Platform, version 16.00.0112.
    Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
    https://blog.talosintelligence.com/2022/05/vuln-spotlight-open-automation-platform.html
    Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service.
    The OAS Platform facilitates the simplified data transfer between various proprietary devices and applications, including software and hardware.
    The most serious of these issues is TALOS-2022-1493 (CVE-2022-26082), which an attacker could exploit to gain the ability to execute arbitrary code on the targeted machine. This issue has a severity score of 9.1 out of a possible 10. Another vulnerability, TALOS-2022-1513 (CVE-2022-26833) has a 9.4 severity score and could lead to the unauthenticated use of the REST API.

    Reply
  15. Tomi Engdahl says:

    Researchers Devise Attack Using IoT and IT to Deliver Ransomware Against OT
    https://www.securityweek.com/researchers-devise-attack-using-iot-and-it-deliver-ransomware-against-ot

    Critical industries must prepare themselves for a new wave of ransomware attacks specifically targeting OT

    Ransomware is a category of extortion. Its sole purpose is to extract money from the victim. As industry got better at avoiding ransom demands, the attackers added another level of extortion – data blackmail to create ‘double extortion’.

    As defenders get better at fending off double extortion, the attackers will evolve again. The most obvious path will be to attack operational technology (OT) rather than just IT. Attacks against OT are more difficult to achieve, but the effect is equally more difficult to mitigate. The evolution of cyber extortion makes this more than just a possible development.

    Forescout’s Vedere Labs has published a proof of concept (PoC) for a ‘ransomware’ attack that uses IoT for access, IT for traversal, and OT (especially PLCs) for detonation. It is called R4IoT and is described as the next generation of ransomware.

    The worrying aspect of this PoC is that it requires nothing new. IoT access was chosen because of the growth in IoT devices that generally receive less defensive attention than other parts of the network. Such access is likely to increase.

    The IT side of the operation is not discussed in detail within the report because the issues are well known if not yet well solved. Instead, the report focuses on IoT and OT embedded devices. “One thing that ties together both the initial access and impact possibilities brought by embedded IoT and OT devices is the increasing number of supply chain vulnerabilities affecting millions of these devices at the same time,” says the report. The researchers call out Project Memoria affecting TCP/IP stacks, BadAlloc affecting RTOSes, Access:7 affecting a popular IoT management platform and vulnerabilities in the BusyBox application used by many Linux devices.

    Nevertheless, the progress of R4IoT ransomware is briefly described. It maps the different machines on the network, and uses the NTLM hash of the administrator’s account and the WMI functionality within impacket to connect to each. There it disables Windows firewall and Windows Defender, and drops other R4IoT executables (a crypto miner and a Memoria executable that will launch DoS attacks against critical IoT/OT assets). A modified version of the Racketeer toolkit provides C&C Server/Agent functionalities. On demand from the C&C Server, the C&C Agent can encrypt or decrypt files on the infected machine, can exfiltrate files and launch arbitrary executables with admin privileges.

    The drama of the report focuses on the damage that can be done if an attacker succeeds in gaining access to IT via an IoT device, and then gains access to the OT via IT/OT convergence. Some harm could be done at Purdue Level 2 and above because those are regular Windows/Linux machines. But Forescout focuses on attacking the PLCs, since the effect is more dramatic, immediate and difficult to mitigate. It looks at internally delivered DoS attacks since PLCs are rarely exposed to the outside world.

    There are more than half a million devices running TCP/IP stacks vulnerable to Project Memoria in organizations in almost every industry vertical. Exploiting these devices with similar and simple denial of service attacks gives the attackers the ability to disrupt many types of organizations.

    Once the PLCs are effectively taken down by the DoS, the damage is done. Critical parts of the companies’ functioning can be halted, whether that’s a conveyor belt or an infusion pump.

    “The protection window has passed,” Daniel dos Santos, head of security research at Forescout Vedere Labs told SecurityWeek. “To give an extreme example, if it is connected to a poor gas pipeline and measuring pressure conditions, things could explode. That’s the main issue with OT – if the attacker reaches that point and can cause the device to go offline or to change some settings in the device, the physical danger becomes much more present; and probably much more critical than any danger to the data.”

    “R4IoT,” continues dos Santos, “is the first work to analyze how ransomware can impact IoT, and delivers a full proof-of-concept from initial access via IoT to lateral movement in the IT network, and subsequent impact on the OT network. Threat actors are exploiting a broader threat surface than before, and we see hacking groups discuss IoT access on forums today. It has become imperative to arm organizations with knowledge to extend their proactive defenses and ensure IoT devices have adequate segmentation from their critical IT and OT infrastructure.”

    R4IoT: When Ransomware Meets IoT and OT
    https://www.forescout.com/research-labs/r4iot/

    Forescout’s Vedere Labs has released a demonstration, report and detailed playbook describing how organizations can protect themselves against R4IoT: a novel, proof-of-concept ransomware that exploits an IoT device to gain access and move laterally in an IT network and impact the OT network. This demonstration is backed by rigorous research into IT, OT and IoT asset vulnerabilities as well as current ransomware trends. Specifically, it shows how ransomware could evolve based on:

    The proliferation of IoT devices in organizations
    The convergence of IT and OT networks

    R4IoT exploits the first trend by using exposed vulnerable devices such as an IP camera or a NAS as the initial access point. It exploits the second trend to hold OT devices hostage, thus adding another layer of extortion to an attack campaign.

    Reply
  16. Tomi Engdahl says:

    Vendor Refuses to Remove Backdoor Account That Can Facilitate Attacks on Industrial Firms
    https://www.securityweek.com/vendor-refuses-remove-backdoor-account-can-facilitate-attacks-industrial-firms

    Korenix JetPort industrial serial device servers have a backdoor account that could be abused by malicious hackers in attacks aimed at industrial organizations, but the vendor says the account is needed for customer support.

    The existence of the backdoor account, tracked as CVE-2020-12501, was discovered by Austria-based cybersecurity consultancy SEC Consult in 2020, but it was only made public now, after a lengthy disclosure process that ended with the vendor saying that the account will not be removed.

    The account in question can be exploited by an attacker on the network to access the device’s operating system and gain full control. The attacker could reconfigure the device and possibly gain access to other systems attached to the server.

    The issue was identified in the Korenix JetPort 5601V3 product, which is designed for connectivity in industrial environments. SEC Consult believes other products — including Westermo and Comtrol branded industrial devices — may also be impacted.

    SEC Consult told SecurityWeek that the backdoor account has the same password on all devices as it’s stored in the firmware. Once an attacker has cracked the password — the password is not stored in clear text and needs to be cracked — it can be used to attack all affected devices. Moreover, the password cannot be changed by the user.

    The vendor told SEC Consult the backdoor account is needed for customer support and argued that the password “can’t be cracked in a reasonable amount of time.”

    SEC Consult admitted that it could not immediately crack the password, but it has not put too much effort into the task. The password hash has not been made public, but it can easily be extracted from the firmware.

    Backdoor account in Korenix Technology JetPort Series
    https://sec-consult.com/vulnerability-lab/advisory/backdoor-account-in-korenix-technology-jetport-series/

    The device series JetPort from Korenix Technology has a built-in backdoor account. If the corresponding credentials are known to an attacker, he/she can directly access the operating system of the device via the local network (or via NAT). Therefore, an attacker can gain full access.

    Reply
  17. Tomi Engdahl says:

    Europol Announces Takedown of FluBot Mobile Spyware
    https://www.securityweek.com/europol-announces-takedown-flubot-mobile-spyware

    Europol today announced the takedown of FluBot, a piece of mobile malware targeting both Android and iOS devices that has been fast-spreading via SMS messages.

    Also referred to as Fedex Banker and Cabassous, the spyware has been around since late 2020, mainly focused on users in Europe, but with attacks also registered in the United States, Australia, Japan, New Zealand, and elsewhere.

    The threat spreads using a technique known as smishing, which involves SMS phishing messages that attempt to lure victims into clicking a link to download the malicious payload.

    Initially, the spyware only targeted Android devices, but recent campaigns were seen targeting iOS devices as well. Security researchers have reported seeing tens of thousands of SMS messages being sent hourly as part of these widespread attacks.

    Reply
  18. Tomi Engdahl says:

    Paperiliitin näppäimistössä pysäytti junat Liikenne seisoi tunnin lauantaina viikko sitten Etelä-Suomessa
    TILAAJILLE
    Rimmi Riitta
    20.4.1997 3:00
    RIITTA RIMMI Junaliikenne Etelä-Suomen pääradoilla tyssäsi launtaiyönä viikko sitten noin tunniksi tyystin, kun Pasilan liikenteenohjauksessa tietokoneen näppäimistö oli jumiutunut. VR-Rata Oy:n projektipäällikön Kimmo Ståhlbergin mukaan näppäimistön lukkiutuminen johtui nähtävästi siitä, että sen sisään oli luikahtanut paperiliitin.
    https://www.hs.fi/kotimaa/art-2000003617345.html

    Reply
  19. Tomi Engdahl says:

    Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks https://thehackernews.com/2022/06/researchers-demonstrate-ransomware-for.html
    As ransomware infections have evolved from purely encrypting data to schemes such as double and triple extortion, a new attack vector is likely to set the stage for future campaigns. Called Ransomware for IoT or R4IoT by Forescout, it’s a “novel, proof-of-concept ransomware that exploits an IoT device to gain access and move laterally in an IT network and impact the OT network.”. This potential pivot is based on the rapid growth in the number of IoT devices as well as the convergence of IT and OT networks in organizations.

    Reply
  20. Tomi Engdahl says:

    CISA Warns of Critical Vulnerabilities in Illumina Genetic Analysis Deviceshttps://www.securityweek.com/cisa-warns-critical-vulnerabilities-illumina-genetic-analysis-devices

    The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued an advisory to warn of critical vulnerabilities in Illumina genetic analysis devices that could allow a remote, unauthenticated attacker to take over an impacted product.

    The flaws affect Illumina Local Run Manager (LRM), which is used by sequencing instruments designed for clinical diagnostic use in the sequencing of a person’s DNA, testing for various genetic conditions, as well as research.

    The vulnerabilities CISA is warning about – four “critical severity” and one “high severity” – can be exploited to execute arbitrary code, to achieve directory traversal, upload arbitrary files, connect without authentication, and perform man-in-the-middle attacks.

    Tracked as CVE-2022-1517, CVE-2022-1518, and CVE-2022-1519, the most severe of these vulnerabilities feature a CVSS score of 10. They allow for remote code execution at operating system level (LRM runs with elevated privileges), the upload of data outside the intended directory structure, and the upload of arbitrary files, respectively.

    The fourth critical issue – CVE-2022-1521, CVSS score of 9.1 – exists because, by default, LRM does not feature authentication or authorization, which may allow an attacker to inject, intercept, or tamper with sensitive data.

    Tracked as CVE-2022-1524 (CVSS score of 7.4), the fifth vulnerability exists because TLS encryption is missing in LRM version 2.4 and lower, thus allowing a malicious actor to perform a man-in-the-middle attack and access in-transit sensitive data.

    “Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level. An attacker could impact settings, configurations, software, or data on the affected product and interact through the affected product with the connected network,” CISA notes.

    Reply
  21. Tomi Engdahl says:

    Industry’s First Microcontroller Integrated with a Robust Secure Subsystem and Arm® TrustZone® Technology
    Microchip releases Arm Cortex®-M23 based microcontroller supported with secure key provisioning solutions
    https://www.microchip.com/en-us/about/news-releases/products/industry-s-first-microcontroller-integrated-with-a-robust-secure

    Reply
  22. Tomi Engdahl says:

    Critical U-Boot Vulnerability Allows Rooting of Embedded Systems
    https://www.securityweek.com/critical-u-boot-vulnerability-allows-rooting-embedded-systems

    A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group.

    An open-source boot loader, U-Boot is used in various types of embedded systems, including ChromeOS and Android. It supports multiple architectures, including 68k, ARM, x86, MIPS, Nios, PPC, and more.

    NCC Group explains that the IP defragmentation algorithm implemented in U-Boot is plagued by two vulnerabilities that can be exploited from the local network by crafting malformed packets.

    Tracked as CVE-2022-30790 (CVSS score of 9.6), the first of the vulnerabilities exposes the defragmentation algorithm to a hole descriptor overwrite attack, NCC’s researchers say.

    Because of this security bug, the metadata and fragment can be forged to point to the same location, which leads to the metadata being overwritten with fragmented data.

    An attacker can trigger an arbitrary write by sending a second fragment, “whose offset and length only need to fit within the hole pointed to by the previously controlled metadata.”

    Reply
  23. Tomi Engdahl says:

    #RSAC: How to Fix IoT Security with Digital Twins https://www.infosecurity-magazine.com/news/rsac-how-to-fix-iot-security/
    The need to protect internet of things (IoT) devices is an ongoing concern as the volume of connected devices continues to proliferate.

    Reply
  24. Tomi Engdahl says:

    8 zero-day vulnerabilities discovered in popular industrial control system from Carrier https://therecord.media/8-zero-day-vulnerabilities-discovered-in-popular-industrial-control-system-from-carrier/
    Eight zero-day vulnerabilities affecting a popular industrial control provided by Carrier have been identified and patched, according to security researchers from Trellix who discovered the issues.

    Reply
  25. Tomi Engdahl says:

    New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing https://thehackernews.com/2022/06/new-privacy-framework-for-iot-devices.html
    A newly designed privacy-sensitive architecture aims to enable developers to create smart home apps in a manner that addresses data sharing concerns and puts users in control over their personal information.

    Reply
  26. Tomi Engdahl says:

    Bluetoothista paljastui uusi tietoturvariski vain laitteen sammuttaminen kokonaan estää säteilyn
    https://www.tivi.fi/uutiset/tv/7078eab9-3b9c-44da-8ae5-4c0b64853118
    Pienet erot laitteiden valmistusprosesseissa muodostavat jokaiselle laitteelle yksilöllisen “sormenjäljen”.

    Reply
  27. Tomi Engdahl says:

    Industroyer: A cyberweapon that brought down a power grid https://www.welivesecurity.com/2022/06/13/industroyer-cyber-weapon-brought-down-power-grid/
    Five years ago, ESET researchers released their analysis of the first ever malware that was designed specifically to attack power grids

    Reply
  28. Tomi Engdahl says:

    Verkon äly ja reunalaskenta tuovat uusia uhkia
    https://www.uusiteknologia.fi/2022/06/14/verkon-aly-ja-reunalaskenta-tuovat-uusia-uhkia/

    Uudet älykkäät toiminnat ja reunalaskentaratkaisut tuovat tietoverkkojen toimintaan omat haasteensa, arvioidaan alan yleiseurooppalaisessa tutkimushankkeessa, joka jatkuu vuoteen 2024. Hankkeessa kehitetään tietoturvaongelmiin uusia tekoäly- ja automaattiratkaisuja.

    Tietoverkkojen rooli yhteiskunnan kriittisten toimintojen turvaamisessa kasvaa. Samalla tietoverkkoihin ja myös viranomaisverkkoihin kohdistuu uusia uhkia. Niitä selvittää uusi eurooppalainen AI-NET-ANTILLAS-hanke.

    Esimerkiksi uudet 5G-ja 6G-teknologiat laajentavat verkkojen toiminnallisuutta. Automaatio lisääntyy, ja palvelut siirtyvät pilveen ja verkon reunoille.

    Reply
  29. Tomi Engdahl says:

    New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing
    https://thehackernews.com/2022/06/new-privacy-framework-for-iot-devices.html

    A newly designed privacy-sensitive architecture aims to enable developers to create smart home apps in a manner that addresses data sharing concerns and puts users in control over their personal information.

    Dubbed Peekaboo by researchers from Carnegie Mellon University, the system “leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before sending it to external cloud servers.”

    Peekaboo operates on the principle of data minimization, which refers to the practice of limiting data collection to only what is required to fulfill a specific purpose.

    To achieve this, the system requires developers to explicitly declare the relevant data collection behaviors in the form of a manifest file that’s then fed into an in-home trusted hub to transmit sensitive data from smart home apps such as smart doorbells on a need-to-know basis.

    The hub not only functions as a mediator between raw data from IoT devices and the respective cloud services, it also enables third-party auditors to vet an app developer’s data collection claims.

    The manifest file, for its part, is analogous to Android’s “AndroidManifest.xml” file that details the permissions an app needs in order to access protected parts of the system or other apps.

    But while it is more of a binary approach in Android where apps are either unilaterally allowed or denied access to a specific feature (e.g., camera), Peekaboo makes it possible to define the data collection practices in a more adjustable manner — the kind of data to be gathered, when it should be carried out, and how frequently.

    “With Peekaboo, a user can install a new smart home app by simply downloading a manifest to the hub rather than a binary,” the researchers explained.

    “This approach offers more flexibility than permissions, as well as a mechanism for enforcement. It also offers users (and auditors) more transparency about a device’s behavior, in terms of what data will flow out, at what granularity, where it will go, and under what conditions.”

    “Peekaboo offers a hybrid architecture, where a local user-controlled hub pre-processes smart home data in a structured manner before relaying it to external cloud servers,” the researchers said.

    Reply
  30. Tomi Engdahl says:

    Siemens, Motorola, Honeywell and more affected by 56 ICEFALL’
    vulnerabilities
    https://therecord.media/siemens-motorola-honeywell-and-more-affected-by-56-icefall-vulnerabilities/
    Security researchers have discovered 56 new vulnerabilities collectively known as “ICEFALL” that affect several of the largest operational technology (OT) equipment manufacturers supplying critical infrastructure organizations. The vulnerabilities affect Siemens, Motorola, Honeywell, Yokogawa, ProConOS, Emerson, Phoenix Contract, Bentley Nevada, Omron and JTEKT. Discovered by researchers with Forescout, the 56 vulnerabilities were disclosed in coordination with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies around the world.

    Reply
  31. Tomi Engdahl says:

    OT:Icefall: 56 vulnerabilities plague OT devices from 10 different major industrial manufacturers
    https://www.securityweek.com/basecamp-icefall-secure-design-ot-makes-little-headway

    Ten years ago, Project Basecamp introduced SCADA exploits into Metasploit. The hope was that it would encourage a ‘Firesheep Moment’ (that is, the rapid solution to a long-known security issue following publication of an exploit); and more specifically, persuade manufacturers to introduce ‘security by design’. Ten years on, researchers have examined whether it worked – and it hasn’t.

    In 2013, Dale Peterson, founder and CEO at Digital Bond and contributor to Project Basecamp wrote, “We coined the term of Insecure By Design as part of Project Basecamp… Most ICS vulnerabilities matter little because most ICS protocols and controllers are Insecure By Design.”

    Ten years after Basecamp, Vedere researchers at Forescout have conducted their own project, dubbed OT:Icefall, so named because Icefall is the second stop on the Everest route after Basecamp, to see if anything has changed. The conclusions are not reassuring.

    “Typically, we focus our research on program error vulnerabilities,” Daniel dos Santos, head of security research at Forescout, told SecurityWeek. But most OT malware – Industroyer, Triton, Incontroller – doesn’t use programming error vulnerabilities. Instead, they use flaws in the protocols, the authorization, certifications: in fact, they use the weaknesses that shouldn’t be there if the products were not insecure by design.

    Forescout found 56 insecure by design problems in ten manufacturers, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.
    “We wanted to see how much has changed over the last decade since Project Basecamp – and unfortunately it’s not much.” It’s as if there is a conspiracy of silence over insecure OT design. These flaws are rarely assigned CVEs and are often effectively ignored by both the vendors and the users.

    The issues are not new. Many of the products were designed long ago and are still operational and still being manufactured. Vendors are trying to improve them; but a wholesale switch to new products is not a viable solution for users. Even patching products where continuity of operation is essential is a heavy lift for OT operators.

    Discovered flaws are often not given CVEs, are often not patched by vendors, and can be ignored by users. After all, some of them are deep in products that are supposedly isolated from the internet in products not accessible by attackers.

    But security by obscurity does not work. The motivation for attacks against OT is growing – both for geopolitical nation state reasons and for criminal extortion attacks. Criminals can use the same vulnerability research methods used by researchers such as Forescout’s Vedere.

    “Criminals can buy these products secondhand on Ebay and can then go through the same process of reverse engineering that we use. It’s not as difficult as people tend to think,” he added. “For the simplest types of protocols, it took us from one day to two weeks to understand the protocol and be able to interact and exploit things. For more complicated systems, with multiple devices and multiple types of protocols, it takes more like six man-months to understand the product family – so a group could do it in just a couple of months.”

    The result is that attacks against critical industries and infrastructure are less difficult than we might assume – from disruption to ransomware and even wipers.

    Dos Santos raised an additional problem with SecurityWeek; poor product certifications. “There has been a push for security certification of products – but the effect could lead to a false sense of security. Around 70% of the devices that we analyzed had some sort of security label on them, but still they had basic issues. Part of the cause has been the unwillingness to assign CVEs in the past, but other causes are limited evaluations and imprecise security definitions.”

    He also noted a supply chain issue. “We didn’t focus on the supply chain, we focused on specific devices. But we found some vulnerabilities that were assigned previously to a PLC runtime – assigned by the original vendor of the software – that didn’t make it downstream to all the other vendors that were using that software. That speaks to the problem of not having software bills of materials (SBOM), not understanding precisely what components are in each device, and having vulnerable things that are not always identified. They are known to be vulnerable at the source but never make it down to other vendors.”

    The overriding message from this research is that easy-to-find vulnerabilities are rife in OT devices. The problems are partly historical, but not easy to solve.

    Reply
  32. Tomi Engdahl says:

    Industry Reactions to ‘OT:Icefall’ Vulnerabilities Found in ICS Products
    https://www.securityweek.com/industry-reactions-oticefall-vulnerabilities-found-ics-products

    Cybersecurity firm Forescout has disclosed OT:Icefall, a collection of 56 vulnerabilities discovered across the products of ten companies that make operational technology (OT) systems.

    Forescout researchers discovered issues related to insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse.

    The security holes impact various types of industrial control systems (ICS), including engineering workstations, PLCs, distributed control systems, building controllers, safety instrumented systems, remote terminal units, and SCADA systems. Exploitation of the flaws can lead to remote code execution, DoS attacks, firmware manipulation, compromised credentials, and authentication bypass.

    Affected vendors include Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. These companies have started sharing mitigations for the vulnerabilities.

    From Basecamp to Icefall: Secure by Design OT Makes Little Headway
    https://www.securityweek.com/basecamp-icefall-secure-design-ot-makes-little-headway

    Reply
  33. Tomi Engdahl says:

    https://www.securityweek.com/industry-reactions-oticefall-vulnerabilities-found-ics-products

    Ron Fabela, Co-founder and CTO, SynSaber:

    “While the breadth and depth of the vulnerabilities identified in OT:ICEFALL seem like a doomsday scenario, Forescout has just outlined what many of us in the industry already know: Protocols are not secure, unauthenticated, and other ‘insecure by design’ engineering choices that were never really meant to be CVEs. Again, these are not vulnerabilities as information security would identify them, but truly ‘that’s not a bug, it’s a feature’ for industrial.

    Protocols were designed to not use authentication, and although there are secure options for industrial protocols, there has been slow adoption. ‘Protocol does not use authentication’ could generate thousands of CVEs across multiple vendors and business lines, because there was never meant to be authentication. But does generating thousands of CVEs, tying up vendor product security teams and asset owners, really cause a positive impact on the security of our critical infrastructure? The OT:ICEFALL report is well constructed, highly detailed, and great insight from a security perspective on legacy ICS ‘vulnerabilities,’ however, because CVE numbers are being generated, this will trigger a swell of unnecessary tracking and management of vulnerabilities with no patch and few mitigations.”

    Chris Olson, CEO, The Media Trust:

    “The ongoing convergence of information technology (IT) and operational technology (OT) has paved the way to an ever-expanding host of OT vulnerabilities that will continue to threaten public safety and national security for years to come. Even when OT systems are designed with cybersecurity in mind, an unsafe IT perimeter creates channels which global cyber actors can use to compromise critical infrastructure, especially when remote industrial control systems (ICS) come into play.”

    Deral Heiland, Principal Security Researcher, Rapid7:

    “A number of these discovered vulnerabilities are related to hard coded or default credentials. While not new issues, hard coded and default credential vulnerabilities have been haunting the industry for quite some time and are often the most typical issues found within embedded technology solutions, including Medical, Industrial (OT) and Consumer grade devices. I highly recommend all vendors of embedded technology devices (OT, IoT) start out by applying NIST Document NISTR 8259 ‘IoT Device Cybersecurity Capability Core Baseline’ guidelines to their products. This will at least solve some of the core issues that we continue to encounter.”

    Chris Clements, VP of Solutions Architecture, Cerberus Sentinel:

    “One may incorrectly assume that the industrial control and operational technology devices that perform some of the most vital and sensitive tasks in critical infrastructure environments would be among the most heavily secured systems in the world, yet the reality is often the exact opposite. Far too many devices in these roles have security controls that are frighteningly easy for attackers to defeat or bypass to take complete control of the devices.

    I believe this is an industry that is experiencing a long overdue cybersecurity reckoning. Manufacturers of sensitive operational technology devices must adopt a culture of cybersecurity that starts at the very beginning of the design process but continues through to validating the resulting implementation in the final product. It’s also critical that organizations are honest about their ability to perform such validations themselves. Schneier’s law famously posited this limitation almost two and a half decades ago: ‘Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break. It’s not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis.’

    Manufacturers should heed this advice and recruit personnel or contract with outside organizations with experience in breaking the systems they make to validate that the final product is as secure as possible against exploitation by threat actors who have advanced sophistication and powerful motivation to compromise the critical infrastructure customers who use their devices.”

    Ryan Cribelar, Vulnerability Research Engineer, Nucleus Security:

    “Insecure-by-design is coming back to haunt us with the release of these Icefall vulnerabilities. The introduction of more complex IT systems on top of the dusty OT/ICS systems has allowed attackers to find some of the most basic flaws in our most vital technology. From a security methodology perspective, a long time ago folks decided that with the CIA model in mind, availability and integrity were more important than confidentiality as it relates to OT systems and ICS environments. If something running is keeping someone alive, it needs to be available, and we need to ensure it is functioning properly and as expected. This logic was innocent in its intent because cyberattacks were of, basically, no concern! There are OT networks out there that were built without any thought to a cyberattack, because they simply didn’t exist yet.

    The layering of additional IoT and IT devices has given attackers a pickaxe to start digging at what is behind them, OT and ICS. There are hosts of malware being made to specifically target critical infrastructure which is something that is fairly new in the space. This needs to be met with a daring, aggressive response that looks to learn from our mistakes with insecure-by-design OT and ICS systems. A lack of response to engage in mitigation of a vulnerability found in OT or ICS environments can be caused by something as simple as a missing CVE! Some vulnerabilities discovered in OT go under the radar simply because everyone knows OT is insecure. One could argue the recent events surrounding the war in Ukraine are catalysts for attackers to understand, learn from and discover new attack vectors for OT and ICS environments.”

    Rajiv Pimplaskar, CEO, Dispersive Holdings:

    “As the report illustrates, critical infrastructure industries that utilize ICS SCADA systems and IoT devices pose appealing soft targets for threat actors as a significant percentage of the estate has vulnerabilities. Also, they tend to fall out of the purview of the IT organization’s responsibility and its cyber security program.

    Oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation and other operations technology (OT) intensive businesses should be especially vigilant and actively secure their OT estate using zero trust strategies and leveraging next gen VPN technologies that are capable of protecting both IT and OT assets. A key strategy is cloud obfuscation where source and destination relationships and sensitive data flows are anonymized and privatized using a smart secure communications overlay that makes it virtually impossible for a bad actor to even detect and target such vulnerable devices in the first place.”

    Terry Olaes, Director of Sales Engineering, Skybox:

    “This is yet another reminder that critical infrastructure remains a top target for cybercriminals. Skybox Research Lab found that new vulnerabilities in operational technology (OT) products have risen 88% year over year. Too often, our researchers see organizations that only rely on conventional approaches to vulnerability management move to patch the highest severity vulnerabilities first based on the Common Vulnerability Scoring System (CVSS). Cybercriminals know this is how many companies handle their cybersecurity, so they’ve learned to take advantage of vulnerabilities seen as less critical to carry out their attacks. Additionally, in the case for OT, the mechanisms used to exploit these devices are less-sophisticated due to the design of these technologies to minimize friction and focus on HSE impact, above all. This enables bad actors to identify and weaponize new exploits more quickly, resulting in the drastic vulnerability count increase.

    [...]

    To stay ahead of cybercriminals, companies must address vulnerability exposure risks before hackers attack them. That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape. Organizations should ensure they have solutions capable of quantifying the business impact of cyber risks into economic impact. This will help them identify and prioritize the most critical threats based on the size of the financial impact, among other risk analyses such as exposure-based risk scores. They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them and how urgent it is to remediate.”

    James McQuiggan, Security Awareness Advocate, KnowBe4:

    “Regarding OT (operational technology) systems used in manufacturing, power generation, or industrial control systems (ICS), those systems must be protected behind firewalls, with strong access controls and, if possible, additional segmentation to reduce the risk of compromise and exploitation.

    With the recent vulnerabilities released and the high impact of remote code execution, compromised credentials, and authentication bypass, a cybercriminal can quickly gain access into an ICS environment to do nefarious and dangerous actions. Conducting a Shodan search (the Google of internet-connected devices), it’s been discovered that almost 6000 vulnerable devices related to the Icefall report are exposed to the internet with little to no protection.

    Organizations want to isolate devices they cannot patch or update and consider moving them behind additional firewalls. Consider using jump systems for remote access or having any machine data sent to somewhere else internally in their organization for data collection.”

    Reply
  34. Tomi Engdahl says:

    Cybersecurity Suite Protects Edge AI Models
    June 1, 2022
    With the expansion of AI into the cloud, there’s an increasing need for robust security features and functions to protect AI models at the edge.
    https://www.mwrf.com/technologies/systems/video/21243089/electronic-design-cybersecurity-suite-protects-edge-ai-models?utm_source=RF+MWRF+Today&utm_medium=email&utm_campaign=CPS220617081&o_eid=7211D2691390C9R&rdx.ident%5Bpull%5D=omeda%7C7211D2691390C9R&oly_enc_id=7211D2691390C9R

    Reply
  35. Tomi Engdahl says:

    CISA warns over software flaws in industrial control systems https://www.zdnet.com/article/cisa-warns-over-software-flaws-in-industrial-control-systems/
    The US Cybersecurity and Infrastructure Agency (CISA) has warned organizations to check recently disclosed vulnerabilities affecting operational technology (OT) devices that should but aren’t always isolated from the internet.

    Reply
  36. Tomi Engdahl says:

    Codesys Patches 11 Flaws Likely Affecting Controllers From Several ICS Vendors
    https://www.securityweek.com/codesys-patches-11-flaws-likely-affecting-controllers-several-ics-vendors

    Codesys this week announced patches for nearly a dozen vulnerabilities discovered in the company’s products by researchers at Chinese cybersecurity firm NSFocus.

    The industrial automation software solutions provided by the German company are used by some of the world’s largest industrial control system (ICS) manufacturers, and vulnerabilities affecting Codesys products can impact a large number of devices.

    The NSFocus researchers have identified many vulnerabilities in Codesys V2 products in the past year, but some of them were combined into a single CVE identifier, resulting in a total of 13 flaws being assigned CVEs.

    Gao Jian, one of the NSFocus researchers involved in this project, told SecurityWeek that two of the CVEs were resolved by Codesys in October 2021 and 11 were patched with updates announced on June 23, 2022.

    A post describing some of these vulnerabilities, as well as the research process, was published on Thursday on GitHub.

    https://github.com/ic3sw0rd/Codesys_V2_Vulnerability

    Reply
  37. Tomi Engdahl says:

    Commonly existing PLC Supply Chain Threats: Multiple critical vulnerabilities in Codesys Runtime
    https://github.com/ic3sw0rd/Codesys_V2_Vulnerability

    Reply
  38. Tomi Engdahl says:

    Microsoft Exchange bug abused to hack building automation systems https://www.bleepingcomputer.com/news/security/microsoft-exchange-bug-abused-to-hack-building-automation-systems/
    A Chinese-speaking threat actor has hacked into the building automation systems (used to control HVAC, fire, and security
    functions) of several Asian organizations to backdoor their networks and gain access to more secured areas in their networks. Lisäksi:
    https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/

    Reply
  39. Tomi Engdahl says:

    Critical Security Flaws Identified in CODESYS ICS Automation Software https://thehackernews.com/2022/06/critical-security-flaws-identified-in.html
    CODESYS has released patches to address as many as 11 security flaws that, if successfully exploited, could result in information disclosure and a denial-of-service (DoS) condition, among others.

    Reply
  40. Tomi Engdahl says:

    Advisory: FESTO: CECC-X-M1 Command Injection Vulnerabilities https://onekey.com/blog/advisory-festo-cecc-x-m1-command-injection-vulnerabilities/
    To evaluate and strengthen the automated vulnerability detection capabilities of ONEKEY, we frequently download and analyze firmware images from a variety of vendors. This is how we stumbled upon the
    CECC-X-M1 product line, an industrial controller manufactured by FESTO. We identified multiple issues affecting these devices leading to unauthenticated remote command execution. These issues are detailed below.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*