https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,735 Comments
Tomi Engdahl says:
Security has arrived at the core of Bluetooth
https://etn.fi/index.php/tekniset-artikkelit/14031-turvallisuus-tuli-bluetoothin-ytimeen
There is clear demand for wireless connectivity in industrial applications. The solution is densely integrated microcontrollers designed for wireless applications, combining an RF radio with software-based digital control. Although such microcontrollers are becoming common on the market, device manufacturers' requirements have grown at the same time. In addition to the connectivity that RF offers, they want better security features at every level.
The constant battle against new cyber threats means that, for every platform in use, thought must be given to how its security will be guaranteed in the future as well. This requires robust platforms that support secure firmware-over-the-air (FOTA) updates. Using a fully integrated RF radio makes security easier to maintain, but it also represents an obvious new attack surface or vector for hackers.
System-level security in microcontrollers
Because security is a fundamental need, it has been built in even at the hardware level. In other words, it is made part of the processor itself, and the device is equipped with additional security features that are out of attackers' reach. These include the use of cryptographic methods for identification and authorization, and the secure generation, distribution and storage of encryption keys.
Implemented this way, it is possible to extend the security features already offered by the Bluetooth LE protocol, for example by adding secure boot based on a Root of Trust. In the Arm ecosystem this can be done by selecting the Arm TrustZone and CryptoCell-312 security IP for the implementation. This adds security features to Arm Cortex implementations based on the Armv8-M instruction set. CryptoCell is designed to implement many important features such as true random number generation (TRNG), code encryption and data authentication. It also supports rollback protection and lifecycle management, which are a common weakness in other IoT devices. It provides a trusted execution environment and uses encryption as well as validation of software updates.
Arm TrustZone was designed to protect the hardware by supporting physically isolated regions in the design, so that software- and hardware-level execution take place separately. Together these technologies raise the security level of the entire solution.
Combined with Bluetooth LE, these features can be used to improve the security of a network service by exploiting the possibilities offered by Bluetooth LE positioning. Mapping and localization are increasingly being integrated into industrial IoT applications, enabling additional services such as asset tracking and indoor navigation. Secure authentication of local devices as they attempt to join a private network is one example of how these functions work together.
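The article above lists what a secure FOTA path has to do before an image is installed: authenticate the update, check its integrity, and refuse rollbacks to an older version. The block below is an added example of that validation order, not code from the article, from Arm or from any CryptoCell product. The manifest layout (`FOTA` magic, version, length, SHA-256, tag) is invented for the example, and the authenticity check uses an HMAC with a per-device key as a stand-in for the asymmetric signature a hardware root of trust would verify against a public key fixed at manufacturing. The installed-version counter is a plain integer here; on a real device it lives in monotonic or OTP storage so that the rollback check cannot be reset.

```python
"""Validate a firmware-update blob: authenticate the header first, then enforce
version monotonicity, then check the image digest. Added example; manifest
format and HMAC-based authenticity check are assumptions, not a vendor format."""
import hashlib
import hmac
import struct

MAGIC = b"FOTA"
# magic(4) | version uint32 BE | image_len uint32 BE | sha256(32) | hmac-sha256(32)
HEADER_FMT = ">4sII32s32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 76 bytes
SIGNED_LEN = HEADER_LEN - 32               # everything the tag covers


class UpdateRejected(Exception):
    """Raised for any reason the image must not be installed."""


def build_update(image: bytes, version: int, key: bytes) -> bytes:
    """Producer side: header over the image digest, then a tag over the header."""
    digest = hashlib.sha256(image).digest()
    signed = struct.pack(">4sII32s", MAGIC, version, len(image), digest)
    tag = hmac.new(key, signed, hashlib.sha256).digest()
    return signed + tag + image


def verify_update(blob: bytes, key: bytes, installed_version: int) -> bytes:
    """Device side: return the image only if every check passes.

    The tag is checked before any header field is trusted, so a forged
    version number or length cannot steer the later checks."""
    if len(blob) < HEADER_LEN:
        raise UpdateRejected("truncated header")
    magic, version, image_len, digest, tag = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != MAGIC:
        raise UpdateRejected("not an update manifest")
    expected_tag = hmac.new(key, blob[:SIGNED_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):   # constant-time compare
        raise UpdateRejected("header authentication failed")
    # Rollback protection: only strictly newer images may be installed.
    if version <= installed_version:
        raise UpdateRejected(f"rollback: version {version} <= installed {installed_version}")
    image = blob[HEADER_LEN:]
    if len(image) != image_len:
        raise UpdateRejected("image length does not match manifest")
    if not hmac.compare_digest(hashlib.sha256(image).digest(), digest):
        raise UpdateRejected("image digest mismatch")
    return image


if __name__ == "__main__":
    # Constructed key and image; a real key is provisioned per device.
    key = bytes(range(32))
    blob = build_update(b"firmware v2 " * 16, version=2, key=key)
    print("accepted:", len(verify_update(blob, key, installed_version=1)), "bytes")
    for label, candidate, installed in (
        ("downgrade", blob, 2),
        ("tampered image", blob[:-1] + bytes([blob[-1] ^ 0x01]), 1),
        ("forged version", blob[:4] + (99).to_bytes(4, "big") + blob[8:], 1),
    ):
        try:
            verify_update(candidate, key, installed)
        except UpdateRejected as exc:
            print(f"rejected ({label}):", exc)
```

The order matters: a length or version field read before the tag is verified is attacker-controlled input, which is exactly the class of parser bug the article's "secure update" requirement is meant to rule out.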
Tomi Engdahl says:
Control System Defense: Know the Opponent – Alert (AA22-265A) https://www.cisa.gov/uscert/ncas/alerts/aa22-265a
This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure, describes TTPs that malicious actors use to compromise OT/ICS assets.
It also recommends mitigations that owners and operators can use to defend their systems.
Malicious actors’ game plan for control system intrusions
Cyber actors typically follow these steps to plan and execute compromises against critical infrastructure control systems:
Establish intended effect and select a target.
Collect intelligence about the target system.
Develop techniques and tools to navigate and manipulate the system.
Gain initial access to the system.
Execute techniques and tools to create the intended effect.
Leveraging specific expertise and network knowledge, malicious actors such as nation-state actors can conduct these steps in a coordinated manner, sometimes concurrently and repeatedly, as illustrated by real world cyber activity. [5] [10]
Tomi Engdahl says:
Hacktivist Attacks Show Ease of Hacking Industrial Control Systems
https://www.securityweek.com/hacktivist-attacks-show-ease-hacking-industrial-control-systems
Hacktivists might not know a lot about industrial control systems (ICS), but they’re well aware of the potential implications of these devices getting compromised. That is why some groups have been targeting these systems — which are often unprotected and easy to hack — to draw attention to their cause.
Industrial cybersecurity firm Otorio reported in early September that a pro-Palestine hacktivist group named GhostSec had claimed that it ‘hacked’ 55 Berghof programmable logic controllers (PLCs) located in Israel. The hackers published a video showing that they had access to the PLC’s administration panel and an associated human-machine interface (HMI). They also posted a screenshot showing that a PLC had been stopped, which, for someone who doesn’t know much about how industrial processes work, might indicate that significant disruption may have been caused.
Roughly one week later, Otorio saw the same hacktivists taking credit for another attack on Israeli ICS, this time claiming to be able to control parameters related to water safety.
In the case of the incident involving Berghof PLCs, the security firm’s researchers showed that it’s easy to identify the internet-exposed PLCs using the Shodan search engine and found that many can likely be accessed using default or common credentials. The researchers determined that while the compromised PLC admin panel does provide full control over some functionality, it does not allow a user to directly control the industrial process.
“It is possible to affect the process to some extent, but the actual process configuration itself isn’t available solely from the admin panel,” Otorio explained.
The company has also analyzed GhostSec’s second round of claims and found that the water-related ICS was actually associated with a hotel’s pool.
Otorio researchers told SecurityWeek that the hacktivists apparently claimed to have breached a system that is more important than the HMI of a hotel pool — they likely thought the pH and chlorine parameters were associated with drinking water. The experts noted that without conducting their analysis, it would have been difficult to tell that the ICS is associated with a pool.
On the other hand, based on their observations, an attacker could not only monitor, but also modify those parameters, which could pose a health risk to individuals using the pool.
While believing that they had gained access to systems that could be used to control drinking water parameters, the hackers said they would not alter any settings to prevent causing harm to people in Israel as that would go against their mission and beliefs.
The U.S. government issued a warning to organizations about hacktivists being able to easily target industrial systems nearly a decade ago.
There have been several incidents apparently involving hacktivists and ICS over the past years. In 2020, an Iranian group accessed systems at a water facility in Israel.
Langer says hacktivists have moderate cyber sophistication, focusing on unprotected ICS or IoT devices that are exposed to the internet. They typically rely on open ports, publicly available tools, and they typically operate for short periods of time to achieve a specific goal.
“Sometimes they probably will choose their targets based on ease-to-compromise criteria and not necessarily by relevance to their goals. For example, searching on Shodan for some exposed devices from a specific vendor and trying hard-coded default credentials to establish presence on that device,” Langer explained.
“Most of the targets will probably be distributed networks or sites which heavily depend on remote access (for maintenance, vendor monitoring, etc), like water facilities, building management systems, industrial segments of municipal networks or SMB networks (like pools, traffic lights, restaurants),” he added.
What could hacktivists achieve when targeting ICS?
“Although hacktivist cyber activities may cause mainly localized disruption and other effects, as the current status of ICS cyber security stays relatively bad, exploiting frequent device misconfigurations, non-enforced 3rd party access and other basic security weaknesses by these hackers can also lead to major consequences jeopardizing public safety,” Langer said.
David Krivobokov, security researcher at Otorio, commented, “The fact that operational, ICS systems are connected directly to the internet without any proper security measures, really lowers the bar to these kinds of threats, which makes it more effective to exploit OT infrastructure in order to scare the public rather than defacing a website. Moreover, the potential damage for an attacker that is logged into one of these systems is no less than catastrophic in many cases. If their goal is to scare the public, they are doing exactly what I would do if I were them.”
One interesting aspect is pointed out by Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks.
“There may be cognitive dissonance and compartmentalization of activities that go on in organized hacktivist campaigns where individuals may think they are doing something small or negligible, but in reality, it turns out to have catastrophic impacts. This is heightened when it comes to altering physical processes and controls for the products, services, and resources we rely on to sustain day to day life,” Jablanski explained.
She noted that the hackers in the recent examples seen by Otorio are likely unfamiliar with OT.
“My concern is when individuals close that knowledge gap, how much more leverage will they have in these types of activities. As an industry we don’t know the exact threshold for the amount of available data and access that will lead to widespread exploitation of process control systems,” Jablanski said.
She added, “Despite the intent and consequences of targeting ICS, many processes have contingencies and have failover methods in place to prevent worst case scenarios from happening. I do think the capability to disrupt and degrade the process control system poses a significant societal risk. It really is a matter of when, not if, more ICS incidents occur.”
Thomas Winston, director of intelligence content at Dragos, said hacktivist attacks on ICS are often small in scope — they can cause temporary loss of view and potentially loss of control. However, even such a temporary or limited incident could present serious challenges to, for instance, water organizations, and impact public confidence on the safety of the water.
On the other hand, Winston noted, “There are always exceptions to everything but to achieve extensive long-term disruption to the steady state operations of the plant will often require ICS/OT knowledge and access to non-windows ICS/OT devices.”
Winston pointed out that disruptive attacks on ICS require significant resources, including in terms of money, research and personnel. However, he said it’s common to see adversaries targeting enterprise IT networks and accidentally discovering a connected or poorly segmented OT network.
Ron Fabela, CTO & co-founder at SynSaber, said there is an increasing trend of hacktivists, cybercriminals and vendor researchers targeting ICS. One recent example involves the Cl0p ransomware gang targeting the South Staffordshire water company in the UK, and claiming to gain access to SCADA systems.
“Interested parties will often use tools such as Shodan to ‘discover’ ICS screens on the internet. These screenshots are posted online in order to gain notoriety and perhaps shame the target organization, but rarely are any impacts executed or announced,” Fabela said. “Now even vendor research teams are making overblown claims about vulnerabilities found within ICS devices or software in order to increase traffic and attention, but stop short of proving the viability of such exploitation in the real world.”
Fabela added, “What these examples share is a lack of executing the final step in an ICS hack: acting on objectives to disrupt the process. Most cases of ‘ICS’ security events are not actually direct attacks on the control systems themselves. Whether it’s a group that ransoms the IT network of a control system organization, someone on social media posting HMI screens for fun, or security vendor marketing gone too far, universally, no one wants to be responsible for the impact of actual disruption of operations.
“Perhaps as a result of this ‘red line’ that few but nation-states are willing to cross, claims tend to be overblown with ridiculous ‘what if’ statements about impact that never happen. While it’s nearly impossible to determine an adversary’s exact intention, we in the community hope that an increased interest in industrial control system security continues to stop short of process disruption.”
What should organizations do?
“These attacks can be easily mitigated by securing internet access, hardening authentication mechanisms, performing basic ICS security monitoring by a chosen MSSP, enforcing basic cyber security hygiene, etc,” Langer said.
“Enterprises should prepare themselves for that and more substantial threats by performing regular cyber risk assessment not just in IT networks but also through OT segments with consideration to actual business and environmental importance,” he added.
Tomi Engdahl says:
Security in the billions: Toward a multinational strategy to better secure the IoT ecosystem https://www.atlanticcouncil.org/in-depth-research-reports/report/security-in-the-billions/
This report offers a multinational strategy to enhance the security of the IoT ecosystem. It provides a framework for a clearer understanding of the IoT security landscape and its needs, one that focuses on the entire IoT product lifecycle, looks to reduce fragmentation between policy approaches, and seeks to better situate technical and process guidance into cybersecurity policy.
Tomi Engdahl says:
GuidePoint Security Launches ICS/OT Security Services
https://www.securityweek.com/guidepoint-security-launches-icsot-security-services
Virginia-based cybersecurity consulting services company GuidePoint Security has announced the launch of new offerings focusing on industrial control systems (ICS) and other operational technology (OT).
The new ICS security services include Security Program Review (SPR), Security Architecture Review (SAR), and penetration testing services.
The SPR service is designed to help organizations assess the maturity of their security program and enhance it. The security program is evaluated based on a framework picked by the customer. This includes the NIST Cybersecurity Framework, NIST 800-82, CIS Controls, ISO/IEC 62443, ISO 27001, C2M2, FERC/NERC-CIP, CISA TSS and ITU CIIP.
The SAR service assesses the customer’s security capabilities to ensure compliance. It also helps them enhance their existing security solutions.
https://www.guidepointsecurity.com/resources/ics-security-services/
Tomi Engdahl says:
https://www.techat.fi/tietoturvallinen-elektroniikka-osa-2/
Tomi Engdahl says:
Critical Vulnerabilities Expose Parking Management System to Hacker Attacks
https://www.securityweek.com/critical-vulnerabilities-expose-parking-management-system-hacker-attacks
Nearly a dozen vulnerabilities have been found in a car parking management system made by Italian company Carlo Gavazzi, which makes electronic control components for building and industrial automation.
The flaws were discovered by researchers at industrial cybersecurity firm Claroty in Carlo Gavazzi’s CPY Car Park Server and UWP 3.0 monitoring gateway and controller products. The vendor released patches for the impacted products earlier this year.
The Germany-based CERT@VDE, which coordinates the disclosure of vulnerabilities impacting the industrial control system (ICS) and operational technology (OT) products of European vendors, has published an advisory describing the Carlo Gavazzi issues. CERT@VDE’s advisory describes 11 vulnerabilities, and the agency warns that an attacker could exploit them to “get full access to the affected devices”.
Vera Mens, the Claroty security researcher credited by CERT@VDE for reporting the vulnerabilities, told SecurityWeek that the impacted UWP product is a web-based application designed for remotely managing building automation, energy management, and car park guidance systems, which provide drivers with information about parking spot availability within parking facilities.
“The UWP monitoring gateway is a multi-purpose device that is capable of running a variety of monitoring servers, each intended for a different purpose,” Mens explained. “For example, the CPY Car Park Server is a function of the UWP 3.0 device dedicated to monitor and control other devices in a parking lot that keep track of available parking spots. In this example, there are sensors in each parking spot that detect whether a car is there. The sensors report to the CPY Car Park Server which aggregates the data, provides analytics (e.g. capacity over time), and orchestrates the entire operation.”
These products have been found to be affected by critical vulnerabilities related to hardcoded credentials, SQL injection, missing authentication, improper input validation, and path traversals, as well as several high-severity issues. These security holes can be exploited to bypass authentication, obtain information, and execute commands, allowing an attacker to take full control of the targeted system.
Fortunately, Mens said Claroty is not aware of any UWP devices exposed on the internet, which means an attacker would have to gain access to the targeted network to exploit the vulnerabilities.
The researcher said the vendor quickly fixed all the vulnerabilities. According to CERT@VDE, UWP3.0 version 8.5.0.3 and newer and CPY Car Park Server version 2.8.3 and newer address the flaws. The cybersecurity agency has also shared some general recommendations for preventing these types of attacks.
Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0
https://cert.vde.com/de/advisories/VDE-2022-029/
Impact
An attacker can get full access to the affected devices. See the vulnerability descriptions for details.
Solution
General recommendations
Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
Use firewalls to protect and separate the control system network from other networks
Use VPN (Virtual Private Networks) tunnels if remote access is required
Activate and apply user management and password features
Use encrypted communication links
Limit the access to both set-up and control system by physical means, operating system features, etc.
Protect the set-up and control system by using up to date virus detecting solutions
Remediation
Please update to software/firmware versions as described
Tomi Engdahl says:
TSA Pipeline Security Directive: What’s New and Recommendations
https://www.brighttalk.com/webcast/19621/553460?player-preauth=W5njiTgTjC6hqzK7ysp54ROOEtRpvpiUdAm9RyoTZJU%3D&utm_source=brighttalk-promoted&utm_medium=email&utm_term=Audience456824&utm_campaign=AUD-13464&utm_content=2022-10-9
To combat the increasing number of cyber attacks targeted at critical infrastructure, the Department of Homeland Security’s Transportation Security Administration (TSA) has issued three security directives in 2021-22 to increase security posture of owners and operators of gas and liquid pipelines in the USA. TSA’s third directive (Security Directive Pipeline-2021-02C) is effective as of July 27, 2022 and supersedes TSA’s second Pipeline Security Directive published in July 2021.
The reissued security directive takes a performance-based approach to enhancing security, allowing operators to leverage new technologies and be more adaptive to changing environments. It’s a misconception that it has looser regulations. Rather, TSA is providing more flexibility to implement the requirements and achieve the ultimate objective of cyber hardening the critical Operational Technology (OT) and IT systems.
Tomi Engdahl says:
https://hackaday.com/2022/10/07/this-week-in-security-php-attack-defused-scoreboard-manipulation-and-tillitis/
Scorekeeper’s Advantage
[Maxwell Dulin] AKA [Strikeout] was watching a high-school basketball game, and suddenly noticed the wireless scoreboard controller. What if he could change the score? How hard could it be? You probably know how this goes. He’d been nerd-sniped. He spent a few months on this one, even getting his ham license in the process. The conclusion? More challenging than you might think.
Part one of this hack starts with reading the documentation on the radio chips, then doing some real captures and analyzing the data. About that data. One small change in what was sent resulted in a huge change in the data in-the-air. To the tune of 128 bits changing at a time. This simple little scoreboard system was encrypted! AES-128 encryption protected the system from casual tampering. But our hero isn’t just a casual tamperer.
https://maxwelldulin.com/BlogPost/Scoreboard-Hacking-Signal-Analysis-Part-1
https://maxwelldulin.com/BlogPost/Scoreboard-Hacking-Part-2
https://maxwelldulin.com/BlogPost/Scoreboard-Hacking-Part-3
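The observation in the summary above, that one small change on the controller flipped about 128 bits in the air, is the standard way to tell a block cipher from plaintext or an XOR keystream while reverse engineering a radio link: capture two frames that differ by a single input and look at where the bits moved. The block below is an added example of that differential check, not code from the write-up. The frame layout and sync word are constructed, and truncated SHA-256 stands in for AES-128 (it is not a cipher, but it has the same avalanche property being detected); the thresholds are a wide band around the 64-of-128 bits a random-looking difference produces.

```python
"""Differential analysis of two captured frames that differ by one controller
input: how many bits changed, and are they confined to aligned 16-byte blocks?
Added example with constructed frames; SHA-256 is a stand-in for AES-128."""
import hashlib

BLOCK = 16            # AES block size in bytes
SYNC = b"\xaa\x55"    # constructed sync word preceding the payload


def plaintext_frame(home: int, away: int, clock: int) -> bytes:
    """Constructed unencrypted frame: two score bytes, 16-bit clock, padding."""
    payload = bytes([home, away]) + clock.to_bytes(2, "big") + b"\x00" * 12
    return SYNC + payload


def encrypted_frame(home: int, away: int, clock: int) -> bytes:
    """Same payload after a block-cipher stand-in (truncated SHA-256, not AES)."""
    payload = plaintext_frame(home, away, clock)[len(SYNC):]
    return SYNC + hashlib.sha256(payload).digest()[:BLOCK]


def bit_diff(a: bytes, b: bytes) -> list:
    """Per-byte Hamming distance between two equal-length captures."""
    if len(a) != len(b):
        raise ValueError("captures must be the same length to diff")
    return [bin(x ^ y).count("1") for x, y in zip(a, b)]


def block_profile(a: bytes, b: bytes, offset: int = len(SYNC), block: int = BLOCK) -> list:
    """(offset, bits changed) for each block-aligned window after the sync word."""
    diffs = bit_diff(a, b)
    return [(off, sum(diffs[off:off + block])) for off in range(offset, len(a), block)]


def verdict(a: bytes, b: bytes, offset: int = len(SYNC), block: int = BLOCK) -> str:
    profile = block_profile(a, b, offset, block)
    touched = [off for off, bits in profile if bits]
    # A random-looking 128-bit difference has 64 +/- ~6 bits set; accept 32..96.
    avalanched = [off for off, bits in profile if block * 2 <= bits <= block * 6]
    if touched and touched == avalanched:
        return f"block cipher likely: {len(avalanched)} aligned {block}-byte block(s) avalanched"
    if touched:
        # A stream cipher or CTR mode also leaves the difference where the field is.
        return "plaintext or stream cipher likely: change stays where the field is"
    return "identical captures"


if __name__ == "__main__":
    for label, make in (("plain", plaintext_frame), ("encrypted", encrypted_frame)):
        a, b = make(21, 17, 600), make(22, 17, 600)   # home score 21 -> 22
        print(f"{label:9s} {block_profile(a, b)}  {verdict(a, b)}")
```

Once the verdict says block cipher, the next questions are the ones the write-up goes on to answer: how the key reaches the display, and whether the scheme has replay or nonce weaknesses around the cipher.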
Tomi Engdahl says:
Automotive Security Threats Are More Critical Than Ever
https://www.securityweek.com/automotive-security-threats-are-more-critical-ever
We’ve all marveled at the latest innovations from Tesla, the skill of Google’s self-driving cars, or, at the very least, enjoyed playing a podcast on our phone through our car’s speakers.
The automotive industry continues to innovate, bringing connectivity to vehicles in new ways from the cockpit to the engine. These new tools change the way people drive and view their cars. An automobile is no longer just for transportation from point A to point B, but cars are rolling data centers that transmit a wealth of actionable intelligence to the networks and systems around them. However, that same information is also a valuable commodity to hackers – who are looking to steal it at any cost.
According to Statista, it is projected that by 2025, there will be over 400 million connected cars in operation, up from some 237 million in 2021. That growth brings risk, and so it’s particularly important that we have the ability to secure connected cars from cybersecurity threats.
Tomi Engdahl says:
Real penetration testing
https://youtu.be/CsQ2VWEfduM
Tomi Engdahl says:
The Cryptography Handbook
May 3, 2021
This series, which is designed to be a quick study guide for product development engineers, takes an engineering rather than theoretical approach.
https://www.electronicdesign.com/technologies/embedded-revolution/whitepaper/21127823/maxim-integrated-the-cryptography-handbook
Designed to be a study guide for a product development engineer, this series takes an engineering rather than theoretical approach. We hope to give the busy engineer a quick understanding of the basic concepts of cryptography and a relatively fast way to integrate security in his/her design.
Cryptography: Why Do We Need It? (PDF download)
Cryptographic Fundamentals (PDF download)
Cryptographic Algorithms (PDF download)
The Physically Unclonable Function Delivers Advanced Protection (PDF Download)
Cryptographic Implementations: Hardware vs. Software
Time to Think About the How and Where of Cryptography
Easy Cryptography with Secure Authenticators and Coprocessors
Tomi Engdahl says:
3 tips towards developing cybersecure products
https://www.etteplan.com/stories/3-tips-towards-developing-cybersecure-products?utm_campaign=newsletter-8-2022&utm_content=newsletter&utm_medium=email&utm_source=apsis-anp-3&pe_data=D43445A477046455B45724541514B71%7C31645504
Tomi Engdahl says:
Why asset owners should take cyber security into account in their safety assessment
https://www.etteplan.com/stories/why-asset-owners-should-take-cyber-security-account-their-safety-assessment?utm_campaign=newsletter-8-2022&utm_content=newsletter&utm_medium=email&utm_source=apsis-anp-3&pe_data=D43445A477046455B45724541514B71%7C31645504
Tomi Engdahl says:
How to achieve security in connected devices – visualizing the path
https://www.etteplan.com/stories/how-achieve-security-connected-devices-visualizing-path?utm_campaign=newsletter-8-2022&utm_content=newsletter&utm_medium=email&utm_source=apsis-anp-3&pe_data=D43445A477046455B45724541514B71%7C31645504
Tomi Engdahl says:
Hacker’s Guide to UART Root Shells
https://www.youtube.com/watch?v=01mw0oTHwxg
The UART Protocol and Interface is crucial for hacking IoT devices. We explain how to quickly identify a UART interface and connect to it to get a root shell, as well as a trick on how to re-enable a UART connector that has been disabled by the manufacturer.
00:00 Intro
01:00 What is UART?
04:05 Identifying UART
07:56 Connecting to UART
08:52 The UART Protocol
14:42 Re-enabling broken UART
Tomi Engdahl says:
#04 – How To Get The Firmware – Hardware Hacking Tutorial
https://www.youtube.com/watch?v=oY-MxtJLEos
If you are struggling to get the firmware out of your device, this is the video for you!
In this video I will explain the possible ways we can use to to get the firmware of our IoT device.
I will do a practical example of one of these possible ways. I will connect the PC to the UART of our sample device, I will analyze the boot log, I will access the command line interface of the boot loader, and I will dump the firmware, exploiting the dump command available in the boot loader. I will use a couple of scripts to dump the entire EEPROM into a hexadecimal ASCII text file and then to convert this file back into binary form to get the exact image of the EEPROM.
#05 – How To Get The Root File System – Hardware Hacking Tutorial
https://www.youtube.com/watch?v=-AYmTMILsM8
If you have downloaded the firmware file for your device from the supplier’s website or if you have dumped the EEPROM from your device and you want to extract the root file system and other information, this is the video for you!
In this episode I will talk about the available options to understand where the root file system is located in the firmware image, and the tools to use to extract it with the purpose to analyse it.
In this episode we will use 3 different types of firmware file:
- An encrypted firmware update file for a digital camera, downloaded from the supplier’s website. I will not succeed in extracting the root file system, but we will learn something useful anyway.
- Another file is a firmware upgrade for home router, downloaded from the supplier’s website; we will successfully extract the file system, with some minor issues.
- The last file is an EEPROM dump that we dumped from the sample Gemtek router in the previous episode.
- We will do everything on our Linux box using some simple tools:
– The “file” command, that gives very basic information about any type of file.
– The “strings” command, that prints embedded strings in a binary file.
– The “hexdump” command, that prints the hex dump of a file, including the ASCII equivalent of each byte.
– The “binwalk” software, which is able to scan a binary file searching for signatures of many different file system images, compressed data segments, digital certificates and many other types of information embedded in a single binary file. It is also able to show the running entropy of a file, allowing us to understand if we have an encrypted or compressed segment inside the binary file.
– The “dd” command, which is able to dissect a file, easily extracting part of it, or reassembling a file by putting together different parts.
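The two episodes above describe one pipeline: dump flash through the boot loader as hex text, turn it back into a binary image, then find the file system inside it with signature scanning (binwalk) and entropy (to tell compressed or encrypted regions from code and padding) and carve it out (dd). The block below is an added example of that pipeline, not the tutorial author's scripts. The dump format is an assumption modelled on U-Boot `md.b` output (`address: 16 hex bytes    ascii`), the flash image is constructed inline, and the signature table is a small subset of what binwalk knows; two-byte magics such as JFFS2's are left out on purpose because they fire constantly in random-looking data, which is why binwalk also validates the header behind a match.

```python
"""Rebuild a flash image from a boot-loader hex dump captured over UART, then
locate and carve embedded images by signature and entropy. Added example; the
dump format and the flash image are constructed, not taken from a real device."""
from __future__ import annotations

import gzip
import hashlib
import math
import re
from collections import Counter


def pseudo_random(n: int, seed: bytes = b"flash") -> bytes:
    """Deterministic high-entropy filler standing in for compressed content."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


UIMAGE_MAGIC = b"\x27\x05\x19\x56"
SQUASHFS_MAGIC = b"hsqs"   # little-endian SquashFS; big-endian is b"sqsh"

# Constructed flash image: erased flash, a uImage header, a kernel banner that
# `strings` would show, a gzip "kernel" and the start of a SquashFS root fs.
IMAGE = (
    b"\xff" * 64
    + UIMAGE_MAGIC + b"\x00" * 60
    + b"Linux version 3.10.14 (gcc 4.8.3) #1 SMP\x00"
    + b"\xff" * 24
    + gzip.compress(pseudo_random(3000), mtime=0)
    + SQUASHFS_MAGIC + b"\x00" * 28 + pseudo_random(512)
)


def to_hexdump(data: bytes, base: int, width: int = 16) -> str:
    """Render data as a boot-loader style dump (constructed sample input)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}: {hexpart:<{width * 3 - 1}}    {asciipart}")
    return "\n".join(lines)


DUMP_LINE = re.compile(r"^([0-9a-fA-F]{4,16}):\s+((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})")


def parse_hexdump(text: str) -> bytes:
    """Convert dump text back to bytes, refusing dropped or repeated lines
    (the usual damage a noisy serial capture does)."""
    out, expected = bytearray(), None
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue   # prompts, echoed commands, blank lines
        addr = int(m.group(1), 16)
        if expected is not None and addr != expected:
            raise ValueError(f"gap or repeat at {addr:#x}, expected {expected:#x}")
        chunk = bytes.fromhex(m.group(2))
        out += chunk
        expected = addr + len(chunk)
    return bytes(out)


SIGNATURES = {
    UIMAGE_MAGIC: "uimage",
    b"\x1f\x8b\x08": "gzip",
    SQUASHFS_MAGIC: "squashfs",
    b"\x45\x3d\xcd\x28": "cramfs",
    b"\xfd7zXZ\x00": "xz",
}


def find_signatures(data: bytes) -> list[tuple[int, str]]:
    """All (offset, name) hits, sorted by offset, like a binwalk signature scan."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve(data: bytes, hits: list[tuple[int, str]]) -> list[tuple[str, bytes]]:
    """Slice each hit up to the next one: the cut `dd skip=... count=...` makes."""
    return [(name, data[start:(hits[i + 1][0] if i + 1 < len(hits) else len(data))])
            for i, (start, name) in enumerate(hits)]


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant data, near 8.0 for compressed or encrypted."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


if __name__ == "__main__":
    image = parse_hexdump(to_hexdump(IMAGE, 0x9F000000))
    for name, seg in carve(image, find_signatures(image)):
        print(f"{name:9s} {len(seg):6d} bytes  entropy {shannon_entropy(seg):.2f}")
```

The entropy column is what tells the camera case from the router case in the episode: a whole image near 8.0 with no signature hits is encrypted (or compressed end to end), while a mix of low-entropy code, banners and padding with high-entropy regions that start at a known magic is something `dd` and the file-system tools can take apart.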
Tomi Engdahl says:
How We Hacked a TP-Link Router and Took Home $55,000 in Pwn2Own
https://www.youtube.com/watch?v=zjafMP7EgEA
In this video we will show you how we found and exploited vulnerabilities in the TP-Link Archer AC1750 to win $5,000 in Pwn2Own Tokyo 2019.
We made a total of $55,000 hacking routers in this competition!
00:00 Intro
01:48 Finding debug interface
04:35 Finding the vulnerability
06:23 Vulnerability details
15:20 Exploit demo
16:33 Outro
For in-depth details, refer to our advisories:
https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md
https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2020/minesweeper.md
The two advisories complement each other. The first one describes the process we used to pwn this router in 2019, and the second one how we found in 2020 that TP-Link improperly patched the command injection. We used that knowledge to improve the exploit so that it works on old and newer “patched” firmwares.
The command injection described in this video is the improved one.
The vulnerabilities exploited in this video are:
- CVE-2020-10882
- CVE-2020-10883
- CVE-2020-10884
- CVE-2020-28347
All vulnerabilities have been fixed by TP-Link in current firmware versions.
Tomi Engdahl says:
Fun With HARDWARE HACKING!!! – UART ROOT SHELLS and Finding SECRETS!
https://www.youtube.com/watch?v=Ddgdydmzqkc
#02 – How To Find The UART Interface – Hardware Hacking Tutorial
https://www.youtube.com/watch?v=6_Q663YkyXE
Tomi Engdahl says:
Make your neighbor think their house is haunted by blinking their Ikea smart bulbs
Radio comms vulnerabilities detailed
https://www.theregister.com/2022/10/08/buggy_ikea_smart_bulbs/
Tomi Engdahl says:
Concerned about robot vacuum privacy? Read this article to find out what you need to know.
https://cleanup.expert/info/concerned-about-robot-vacuum-privacy-read-this-article-to-find-out-what-you-need-to-know/
Robot vacs are fantastic labor-saving devices, helping to lighten the load of exhausted homeowners and apartment dwellers everywhere. For example, let’s say you’re watching your kid play baseball at your local park.
Millions of people worldwide love their internet-connected devices such as Fitbits, phones, and even fridges. However, some fear that hackers can access these gadgets and steal their sensitive information.
Robotic vacuum cleaners are no exception. They’re not only connected to the internet—they also have cameras and wander around your home.
Tomi Engdahl says:
‘Ask all the time: why do I need this?’ How to stop your vacuum from spying on you
https://www.theguardian.com/technology/2022/aug/16/ask-all-the-time-why-do-i-need-this-how-to-stop-your-vacuum-from-spying-on-you#amp_tf=L%C3%A4hde%3A%20%251%24s&aoh=16658344939388&referrer=https%3A%2F%2Fwww.google.com&share=https%3A%2F%2Fwww.theguardian.com%2Ftechnology%2F2022%2Faug%2F16%2Fask-all-the-time-why-do-i-need-this-how-to-stop-your-vacuum-from-spying-on-you
Even if you’re not gadget-obsessed, the odds are you’ve got at least one smart device at home. So how do you limit the internet of things from listening in?
Tomi Engdahl says:
The FBI Publishes Statement: Unpatched and Outdated IoT Devices Increase Cyber Attack Opportunities https://blog.checkpoint.com/2022/10/14/the-fbi-publishes-statement-unpatched-and-outdated-iot-devices-increase-cyber-attack-opportunities/
The FBI recently issued an industry notification around unpatched and outdated devices, warning the public that cyber criminals are increasingly targeting internet-connected devices for the purpose of exploiting their vulnerabilities. The FBI discovered multiple vulnerabilities, specifically in medical devices, through devices that run outdated software and devices lacking sufficient security features. According to FBI documentation, “these vulnerabilities negatively impact organization’s operational functions, overall safety, data confidentiality, and data integrity. In Medical, device vulnerabilities are inherent to the device itself, originating from device hardware design and device software management. Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features.”
Tomi Engdahl says:
Google Unveils KataOS ‘Verifiably-Secure’ Operating System for Embedded Devices
https://www.securityweek.com/google-unveils-kataos-verifiably-secure-operating-system-embedded-devices
Google last week unveiled a new project focused on building a secure embedded platform for machine learning (ML) applications.
The project’s goal is designing intelligent ambient ML systems that are secure and trustworthy.
The project is named Sparrow and it revolves around a new operating system named KataOS, for which several components have already been open sourced by Google.
“KataOS provides a verifiably-secure platform that protects the user’s privacy because it is logically impossible for applications to breach the kernel’s hardware security protections and the system components are verifiably secure,” Google explained.
The tech giant pointed out that KataOS is mostly developed in Rust, which makes it more secure because it eliminates buffer overflows and other classes of bugs.
Sparrow is the reference implementation for KataOS. It combines the new operating system, which provides a logically-secure kernel, with a secured hardware platform that provides a logically-secure root of trust leveraging the OpenTitan project on a RISC-V architecture.
“The KataOS components are based on an augmented version of seL4’s CAmkES framework. Critical system services are CAmkES components that are statically configured. Applications are developed using an AmbiML-focused SDK and dynamically loaded by the system services,” KataOS developers explained.
Google says its goal is to open source the entire Sparrow project.
Announcing KataOS and Sparrow
https://opensource.googleblog.com/2022/10/announcing-kataos-and-sparrow.html
To begin collaborating with others, we’ve open sourced several components for our secure operating system, called KataOS, on GitHub, as well as partnered with Antmicro on their Renode simulator and related frameworks. As the foundation for this new operating system, we chose seL4 as the microkernel because it puts security front and center; it is mathematically proven secure, with guaranteed confidentiality, integrity, and availability. Through the seL4 CAmkES framework, we’re also able to provide statically-defined and analyzable system components. KataOS provides a verifiably-secure platform that protects the user’s privacy because it is logically impossible for applications to breach the kernel’s hardware security protections and the system components are verifiably secure. KataOS is also implemented almost entirely in Rust, which provides a strong starting point for software security, since it eliminates entire classes of bugs, such as off-by-one errors and buffer overflows.
The current GitHub release includes most of the KataOS core pieces, including the frameworks we use for Rust (such as the sel4-sys crate, which provides seL4 syscall APIs), an alternate rootserver written in Rust (needed for dynamic system-wide memory management), and the kernel modifications to seL4 that can reclaim the memory used by the rootserver. And we’ve collaborated with Antmicro to enable GDB debugging and simulation for our target hardware with Renode.
Tomi Engdahl says:
https://www.altechcorp.com/MachineDesign/Altech-Personif/Altech-E-Stops.pdf
Q: What is an e-stop and how is it used?
A: E-stops, or emergency stop switches, are used to ensure machine as well as personnel safety. They are used to provide a consistent and predictable failsafe response on a wide range of electrical machinery and must stop the machine without creating additional hazards. The devices can be highly specialized for emergency shutdown of equipment and meet workplace and machine safety standards established by international and U.S. regulatory commissions.
Q: Is there a difference between e-stops and regular stop switches?
A: E-stops provide what can be considered foolproof equipment shutdown, and always require a human action for resetting. Often, the switch requires an additional step—a twist, pull, or key—in order to release the electrical contacts prior to the machine being in a position to be restarted. As a general standard, e-stops must be a red operator with a yellow background.
These non-red operators do not qualify as “Emergency Stops,” but can be applied in a similar way to stop applications. Black operators are used as a Machine Stop, similar in function to e-stops, but are simply a different color. Typical application for these devices is when the machine’s “OFF” button is required to be manually reset before restarting the machine. Blue operators are an accepted designated color for stopping water or sprinkler systems, and yellow operators are an accepted designated color for shutting off gas lines. Different color operators were designed for customers with specific needs.
Q: What standards must e-stops adhere to in order to be considered properly certified?
A: Always check with your supplier to assure their devices are tested and approved by appropriate institutions relevant to your application. Some important standards include: IEC60947-5-1 and EN60947-5-5; VDE0660; UL508; CSA: C22.2 No. 14-95; and NEMA Type 4X, 12. These are some of the most used in the U.S. while other compliance and rating bodies also exist for other countries as well.
Q: What types of applications are required to have e-stops installed?
A: All industry segments mandate e-stops for safe operation, including, but not limited to industries involving vehicles and transportation, medical treatment and diagnostics, industrial machinery, oil and gas, food and beverage, water and waste water, and instrumentation. Therefore, designers will want to have a knowledge of e-stop fundamentals, and switch characteristics and capabilities, as well as the international and U.S. standards and compliance requirements that need to be met for their application.
Q: How can I begin to select the right e-stop for my application?
A: The first step is to determine where the e-stop fits within your machine control system and what category of emergency shutdown is needed according to the standard you are adhering to.
Tomi Engdahl says:
CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware
https://www.securityweek.com/cisa-tells-organizations-patch-linux-kernel-vulnerability-exploited-malware
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a Linux kernel flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it within three weeks.
The vulnerability is tracked as CVE-2021-3493 and it’s related to the OverlayFS file system implementation in the Linux kernel. It allows an unprivileged local user to gain root privileges, but it only appears to affect Ubuntu.
CVE-2021-3493 has been exploited in the wild by a stealthy Linux malware named Shikitega, which researchers at AT&T Alien Labs detailed in early September. Shikitega is designed to target endpoints and IoT devices running Linux, allowing the attacker to gain full control of the system. It has also been used to download a cryptocurrency miner onto the infected device.
As part of the malware’s infection chain, two Linux vulnerabilities are exploited for privilege escalation: CVE-2021-3493 and CVE-2021-4034.
CVE-2021-4034 is named PwnKit and it impacts Polkit’s Pkexec, a SUID-root program found in all Linux distributions. CISA warned about this vulnerability being exploited in attacks in June.
The news reports published when Shikitega’s existence came to light focused on the malware itself and did not highlight the fact that this appeared to be the first known instance of CVE-2021-3493 being exploited for malicious purposes.
Technical details and proof-of-concept (PoC) exploits for this vulnerability are publicly available.
https://scientyficworld.org/overlayfs-cve-2021-3493/#Let_the_Hack_begin
New ‘Shikitega’ Linux Malware Grabs Complete Control of Infected Systems
https://www.securityweek.com/new-shikitega-linux-malware-grabs-complete-control-infected-systems
Security researchers with AT&T Alien Labs are warning of a new piece of malware that can take full control of infected Linux systems, including Internet of Things (IoT) devices.
Dubbed Shikitega, the threat is delivered as part of a multi-stage infection chain, where each step is responsible for a part of the payload and fetches and executes the next module.
To ensure it can gain full control over an infected system, the malware downloads and executes Metasploit’s ‘Mettle’ meterpreter. It also attempts to exploit system vulnerabilities to escalate privileges and achieve persistence.
Shikitega hosts some of its command and control (C&C) servers on legitimate cloud services, uses a polymorphic encoder to evade detection, and deploys a cryptocurrency miner on the infected machines.
Tomi Engdahl says:
https://www.securityweek.com/new-shikitega-linux-malware-grabs-complete-control-infected-systems
Tomi Engdahl says:
https://etn.fi/index.php/72-ecf/14153-ecf22-miten-turvata-robottiauton-kriittiset-toiminnot
Tomi Engdahl says:
Engineering Workstations Used as Initial Access Vector in Many ICS/OT Attacks: Survey
https://www.securityweek.com/engineering-workstations-used-initial-access-vector-many-icsot-attacks-survey
While the risk to industrial control systems (ICS) and other operational technology (OT) environments continues to be high, organizations are increasingly confident in their ability to detect malicious activity, and only a small percentage of organizations admit suffering a breach, according to a survey conducted by the SANS Institute on behalf of industrial cybersecurity firm Nozomi Networks.
The 2022 OT/ICS Cybersecurity Report (PDF) is based on a survey of 332 individuals representing organizations of all sizes across every continent.
https://www.nozominetworks.com/downloads/US/SANS-Survey-2022-OT-ICS-Cybersecurity-Nozomi-Networks.pdf
Tomi Engdahl says:
Water sector in the US and Israel still unprepared to defeat cyber attacks https://securityaffairs.co/wordpress/138185/hacking/water-sector-us-israel-cyberattacks.html
Expert warns that the US and Israel are still unprepared to defeat a cyber attack against organizations in the water sector.
Tomi Engdahl says:
Nation-State Hacker Attacks on Critical Infrastructure Soar: Microsoft
https://www.securityweek.com/nation-state-hacker-attacks-critical-infrastructure-soar-microsoft
According to Microsoft’s 2022 Digital Defense Report, nation-state hacker attacks on critical infrastructure have soared, largely due to Russian cyber operations targeting Ukraine and its allies.
Between June 2020 and June 2021, 20% of all nation-state attacks observed by Microsoft were aimed at critical infrastructure. That percentage increased to 40% in the period between July 2021 and June 2022.
Tomi Engdahl says:
ABB Oil and Gas Flow Computer Hack Can Prevent Utilities From Billing Customers
https://www.securityweek.com/abb-oil-and-gas-flow-computer-hack-can-prevent-utilities-billing-customers
Oil and gas flow computers and remote controllers made by Swiss industrial technology firm ABB are affected by a serious vulnerability that could allow hackers to cause disruptions and prevent utilities from billing their customers, according to industrial cybersecurity firm Claroty.
Utilities rely on flow computers to calculate oil and gas flow rates and volume. These devices, which are often used in the electric power sector, play an important role in process safety, as well as billing.
Researchers at Claroty showed how an attacker with access to a targeted flow computer can bypass authentication using a brute-force attack, and then exploit a path traversal vulnerability to read the device’s shadow password file to obtain its root account password. The same vulnerability can be used to modify the SSH configuration file to enable password authentication and allow the attacker to access the device with root privileges.
Claroty reported its findings to ABB, which announced the release of firmware patches for affected products in July. The path traversal vulnerability is tracked as CVE-2022-0902 and it has been assigned a ‘high severity’ rating.
Claroty has published a blog post detailing its research, as well as a video showing how an attacker could hack a device.
An Oil and Gas Weak Spot: Flow Computers
https://claroty.com/team82/research/an-oil-and-gas-weak-spot-flow-computers
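The path traversal step in Claroty's findings is a general class of bug, so here is an added, generic illustration (not ABB's or Claroty's code, and not the flow computer's actual file-serving logic, which the article does not show): a naive file-serving routine that joins a client-supplied path onto a web root, beside a hardened version that canonicalises the path and refuses anything resolving outside that root. The sandbox directory, the file names and the constructed shadow-style line are stand-ins for a device filesystem.

```python
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a shadow file entry; not a real hash.
CONSTRUCTED_SHADOW = b"root:$6$constructed$notARealHash:19000:0:99999:7:::\n"


def make_sandbox() -> str:
    """Create a throwaway tree: <tmp>/www/index.html and <tmp>/secret/shadow.
    Returns the www directory, which plays the role of the web root."""
    base = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    (base / "www").mkdir()
    (base / "www" / "index.html").write_bytes(b"<h1>hello</h1>")
    (base / "secret").mkdir()
    (base / "secret" / "shadow").write_bytes(CONSTRUCTED_SHADOW)
    return str(base / "www")


def serve_file_vulnerable(web_root: str, requested: str) -> bytes:
    """Vulnerable form: os.path.join neither collapses '..' nor rejects an absolute
    path, so '../secret/shadow' walks out of web_root and '/abs/path' replaces it."""
    return Path(os.path.join(web_root, requested)).read_bytes()


def serve_file_hardened(web_root: str, requested: str) -> bytes:
    """Hardened form: canonicalise first (collapsing '..' and following symlinks),
    then require the result to still be the root or sit underneath it."""
    root = Path(web_root).resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"refusing path outside web root: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_bytes()


def demo() -> dict:
    """Exercise both routines against the same traversal request."""
    www = make_sandbox()
    leaked = serve_file_vulnerable(www, "../secret/shadow")
    try:
        serve_file_hardened(www, "../secret/shadow")
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "vulnerable_leaks_shadow": leaked == CONSTRUCTED_SHADOW,
        "hardened_blocks_traversal": blocked,
        "hardened_serves_index": serve_file_hardened(www, "index.html") == b"<h1>hello</h1>",
    }


if __name__ == "__main__":
    print(demo())
```

Because resolve() follows symlinks before the containment check, a link inside the web root that points elsewhere on the device is refused as well; the check must be done on the final resolved path, not on the string the client sent.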
Tomi Engdahl says:
Aiphone Intercom System Vulnerability Allows Hackers to Open Doors
https://www.securityweek.com/aiphone-intercom-system-vulnerability-allows-hackers-open-doors
A vulnerability in Aiphone intercom products allows attackers to breach the entry system and gain access to the building that uses it.
Aiphone is one of the largest global manufacturers of intercom systems, including audio and video entry systems for residential and corporate buildings.
Last week, researchers with Norwegian application security firm Promon published information on a vulnerability identified in several Aiphone products that could allow an attacker to easily breach the entry system using an NFC tag.
The security bug is tracked as CVE-2022-40903 and is described as an information disclosure vulnerability.
The issue was identified in June 2021 and impacts Aiphone device series GT-DMB, GT-DMB-N, and GT-DMB-LVN running firmware versions prior to 3.00, and GT-DB-VN devices running firmware version 2.00 or earlier.
Promon says that the bug allows an attacker to “use a mobile device with NFC capability to run a brute-force attack on the entry system” in order to find the admin passcode.
Essentially, the system allows an attacker with network access to try every possible four-digit code combination to discover the admin passcode, Promon said, responding to a SecurityWeek inquiry.
According to Promon, “the exploit requires a modification app (a custom Android NFC host-based emulation app that mimics the behavior of the official administrative tool).”
Once they know the administrator passcode, the attacker can use it to add a new NFC tag into the system (by injecting the device’s serial number), for access into the building.
Given that the vulnerable Aiphone products do not store access logs, an organization may be unaware of any unauthorized access, as there would be no evidence of it on the device.
“Unfortunately, there’s no way of knowing if a device has been targeted by this type of attack,” Promon said.
Tomi Engdahl says:
Risk Mitigation Strategies to Close the XIoT Security Gap
https://www.securityweek.com/risk-mitigation-strategies-close-xiot-security-gap
Understanding the vulnerability landscape of the XIoT to properly assess and mitigate risk is critically important to protect livelihoods and lives
After more than 20 years of connecting devices to the Internet, we’ve reached the point where our physical world is very dependent on its digital components. We now have direct connections to process control systems and smart sensors in industrial environments, medical imaging equipment and patient monitoring systems in healthcare organizations, and other devices used in smart grids and building management systems. Even our most basic needs like food and water depend on cyber-physical systems (CPS) and the connected devices that underpin them, referred to holistically as the Extended Internet of Things (XIoT). But many of these connected devices were not necessarily designed with security in mind. This is par for the course with technology innovation and will take years, if not decades, before a new generation of connected assets emerges with more natively integrated security processes and pathways.
Understanding the vulnerability landscape of the XIoT to properly assess and mitigate risk is critically important to protect livelihoods and lives. Recent key events have brought this into sharp focus:
● Industroyer2, a variant of the 2016 Industroyer malware, was deployed in a foiled attack against a Ukrainian electricity provider.
● A suite of attack tools called Incontroller (aka Pipedream) was discovered and found to have components purpose-built to target specific industrial equipment and disrupt service delivery.
● Dubbed OT:ICEFALL, 56 vulnerabilities were disclosed affecting devices from 10 XIoT vendors.
While IT security research communities and vendor vulnerability disclosure programs have been around for decades to accelerate identification of vulnerabilities and corrective action, only recently have we started bringing that expertise and insights to the XIoT. With a growing realization that industrial environments are rapidly changing and more exposed to attack as highly connected CPS become the norm, the level of effort to safeguard users is accelerating.
New research on XIoT vulnerabilities found that in the first half of 2022, vendor self-disclosures surpassed independent research outfits for the first time. While the number of vulnerabilities impacting smart devices, networking gear, and cameras almost doubled since the prior six months, vendors provided full or partial remediation for 91% of published vulnerabilities, including marked improvement in firmware remediations which presents challenges. This is significant as the vast majority of published XIoT vulnerabilities were either critical or high severity.
Recommendations
Mitigation strategies are often the only remediation option open to operational technology (OT) engineers and security teams in industrial environments, where many of the systems being connected to the Internet are legacy and availability or uptime is directly tied to the bottom line. The risk of disruption and downtime to implement a new security control, patch or system upgrade can be a non-starter. Even if you plan to patch during a maintenance window, the following foundational security measures should be put in place to mitigate risk moving forward:
● Network segmentation. Physical network segmentation between IT and OT networks reduces the chance of an attack on the IT network spreading to the OT network, but it can be a drawn out and costly endeavor. A cost-effective, efficient alternative is virtual segmentation within the OT environment to establish what “normal” communication looks like and create zone-specific policies, so security teams can be alerted to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment. This should include micro segmentation for XIoT devices, creating even smaller groups of assets with which these devices can communicate. In certain levels of the network, it isn’t possible to block traffic because doing so also stops the physical process and may create safety issues. However, this type of segmentation can improve network monitoring and access control and greatly accelerate response time, saving cost and reducing downtime in the event an attacker does establish a foothold.
● Secure remote access. Hand-in-hand with segmentation, secure remote access involves not only separating critical zones from the rest of the IT and OT networks, but also securing remote sessions through the addition of encryption, authentication, and authorization capabilities. Strict controls over users, devices, and sessions empowers organizations to identify connected devices, control access to devices and processes granularly, and be alerted to non-trusted communications and behavior across the network and terminate sessions if needed. Password vaulting and multi-factor authentication (MFA) provide additional layers of security controls to prevent password reuse and sharing among users.
● Cloud risk management. To gain process efficiencies, organizations are connecting XIoT devices and systems to the Internet and managing them from the cloud. However, vulnerabilities impacting cloud-managed OT devices and management consoles in the cloud often escape the attention of asset owners and security teams. Verify cloud support protocols of XIoT devices and use security mechanisms such as encryption and certificates to protect the exchange of data. Authentication and identity management mechanisms such as MFA, strong credentials, and granular user and role-based access control policies help prevent unauthorized access to devices and systems. Additionally, since cloud providers operate with a shared responsibility model, it is critically important to have clarity between the organization’s and its cloud providers’ responsibilities.
XIoT Vendors Show Progress on Discovering, Fixing Firmware Vulnerabilities
https://www.securityweek.com/xiot-vendors-show-progress-discovering-fixing-firmware-vulnerabilities
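To make the network segmentation recommendation above concrete, here is an added example (constructed for this page, not code from the article or its author) of the monitoring-mode side of virtual segmentation: a zone map, a zone-pair policy describing what normal cross-zone communication looks like, a micro-segmentation peer list for the XIoT camera zone, and a checker that runs over constructed flow-log lines and raises alerts for traffic outside the policy without blocking anything. All addresses, zone names, ports and log lines are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Zone map. Addresses and zone names are assumptions made for this example.
ZONES = {
    "it_corp":   ip_network("10.10.0.0/16"),
    "ot_scada":  ip_network("10.20.0.0/24"),
    "ot_plc":    ip_network("10.20.1.0/24"),
    "xiot_cams": ip_network("10.30.0.0/24"),
}

# Zone-pair policy: (source zone, destination zone, destination port) that is "normal".
ZONE_POLICY = {
    ("it_corp", "ot_scada", 443),   # engineers reach the HMI/historian web UI
    ("ot_scada", "ot_plc", 502),    # Modbus/TCP polling from SCADA to PLCs
    ("xiot_cams", "it_corp", 554),  # RTSP from cameras to the video recorder
}

# Micro-segmentation: devices in these zones may only talk to the listed peers,
# even when the zone pair itself is allowed.
MICRO_PEERS = {
    "xiot_cams": {ip_address("10.10.5.20")},  # the video recorder
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


# Constructed flow-log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(r"^(\S+) (\S+):\d+ -> (\S+):(\d+) (\w+)$")


def parse_flow(line: str) -> Optional[Flow]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    return Flow(ts, src, dst, int(dport), proto)


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def check_flow(flow: Flow) -> Optional[str]:
    """Return an alert reason, or None when the flow is within policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return None  # intra-zone traffic; per-device rules could tighten this further
    if (src_zone, dst_zone, flow.dport) not in ZONE_POLICY:
        return f"cross-zone flow {src_zone}->{dst_zone} port {flow.dport} not in policy"
    peers = MICRO_PEERS.get(src_zone)
    if peers is not None and ip_address(flow.dst) not in peers:
        return f"{src_zone} device {flow.src} talking to non-approved peer {flow.dst}"
    return None


def evaluate(lines: List[str]) -> List[dict]:
    """Monitoring mode: alert on out-of-policy flows, never block."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # unparsable line; a real collector would count these
        reason = check_flow(flow)
        if reason:
            alerts.append({"ts": flow.ts, "src": flow.src, "dst": flow.dst,
                           "dport": flow.dport, "reason": reason})
    return alerts


# Constructed sample flows, not captured traffic.
SAMPLE_LOG = [
    "2022-11-03T10:00:01Z 10.20.0.5:40001 -> 10.20.1.7:502 TCP",  # SCADA polls PLC: normal
    "2022-11-03T10:00:02Z 10.10.3.4:51515 -> 10.20.0.5:443 TCP",  # engineer to HMI: normal
    "2022-11-03T10:00:03Z 10.10.3.4:51520 -> 10.20.1.7:502 TCP",  # IT host straight to a PLC: alert
    "2022-11-03T10:00:04Z 10.30.0.9:3200 -> 10.10.5.20:554 TCP",  # camera to recorder: normal
    "2022-11-03T10:00:05Z 10.30.0.9:3201 -> 10.10.3.4:22 TCP",    # camera opening SSH to a workstation: alert
    "2022-11-03T10:00:06Z 10.30.0.9:3202 -> 10.10.8.8:554 TCP",   # RTSP, but to a non-approved peer: alert
    "2022-11-03T10:00:07Z 10.20.1.7:1024 -> 10.20.1.8:502 TCP",   # PLC to PLC inside the zone: no alert
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

The point of the zone-pair table is that it is small enough to review: once the handful of expected conversations between zones is written down, every other cross-zone flow is a question worth asking, and the camera-to-workstation SSH line shows the kind of lateral movement from an XIoT device that the article's segmentation advice is meant to surface.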
Tomi Engdahl says:
Automotive Safety and Security on the Road
Oct. 27, 2022
As automotive SoCs become more complex, it can be challenging for automotive hardware suppliers to address the safety and security aspects independently. Still, engineers must build AV systems that are secure enough to meet consumers’ needs.
https://www.electronicdesign.com/markets/automotive/article/21253593/rambus-automotive-safety-and-security-on-the-road?utm_source=EG+ED+Auto+Electronics&utm_medium=email&utm_campaign=CPS221103035&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R
What you’ll learn:
Environmental and safety requirements for vehicle hardware.
Threat vectors for autonomous vehicles.
Industry standards for vehicle security.
The last two articles addressed how sensor fusion is advancing the capabilities of autonomous vehicles (AVs), and how the electrification of vehicles has drastically changed how they’re designed and manufactured. But we haven’t yet touched on one very important aspect of this conversation—automotive safety and security.
The electronics, hardware, and semiconductors used to power modern vehicles and push them into the realm of L4/L5 autonomous and ADAS capabilities are incredibly complex. But unlike a telecom or data-center use case, vehicles have much harsher environments and much stricter safety requirements.
Tomi Engdahl says:
Reverse Engineering Reveals EV Charger Has A Sense Of Security
https://hackaday.com/2022/11/16/reverse-engineering-reveals-ev-charger-has-a-sense-of-security/
As more and more electric vehicles penetrate the market, there’s going to have to be a proportional rise in the number of charging stations that are built into parking garages, apartment complexes, and even private homes. And the more that happens, the more chargers we’re going to start seeing where security is at best an afterthought in their design.
But as this EV charger teardown and reverse engineering shows, it doesn’t necessarily have to be that way. The charger is a Zaptec Pro station that can do up to 22 kW, and the analysis was done by [Harrison Sand] and [Andreas Claesson]. These are just the kinds of chargers that will likely be widely installed over the next decade, and there’s surprisingly little to them. [Harrison] and [Andreas] found a pair of PCBs, one for the power electronics and one for the control circuits. The latter supports a number of connectivity options, like 4G, WiFi, and Bluetooth, plus some RFID and powerline communications. There are two microcontrollers, a PIC and an ARM Cortex-A7.
Reverse engineering an EV charger
Published date: 11.11.2022
https://www.mnemonic.io/resources/blog/reverse-engineering-an-ev-charger/
We decided to look into one of the most prevalent chargers on Norwegian roads
This blog post walks through our efforts reverse engineering the Zaptec Pro charger, an electric vehicle charger found in many parking lots and apartment buildings around Norway.
The post shows how we went about testing the device, including some of our trials and errors during the process. By analyzing the device’s firmware, and compiling a custom bootloader, we were able to root the device and dig into how it works.
Although we found that security appears to have been considered at multiple steps along the way in developing the Zaptec Pro charger, the blog post also presents some potential improvement areas.
Tomi Engdahl says:
Is your smart home secure?
https://www.tivi.fi/uutiset/tv/538836ba-b7d3-4f48-8c12-2a02d383340f
Regulation could aim to require that, when smart devices are taken into use, the management application must guide the user to set a password on them. This could often be handled automatically as well. The default should be that new devices are always protected. The user should then have to separately disable the password if they really want to.
Tomi Engdahl says:
Shocker: EV charging infrastructure is seriously insecure https://www.theregister.com/2022/11/15/ev_charging_infrastructure_sandia/
“Can the grid be affected by electric vehicle charging equipment? Absolutely,” said Sandia’s Brian Wright, a cybersecurity expert who worked on the project. “It is within the realm of what bad guys could and would do in the next 10 to 15 years. That’s why we need to get ahead of the curve in solving these issues,” Wright said.
Tomi Engdahl says:
Omron PLC Vulnerability Exploited by Sophisticated ICS Malware
https://www.securityweek.com/omron-plc-vulnerability-exploited-sophisticated-ics-malware
A critical vulnerability has not received the attention it deserves
A critical vulnerability affecting Omron products has been exploited by a sophisticated piece of malware designed to target industrial control systems (ICS), but it has not received the attention it deserves.
On November 10, the US Cybersecurity and Infrastructure Security Agency (CISA) published two advisories describing three vulnerabilities affecting NJ and NX-series controllers and software made by Japanese electronics giant Omron.
One of the advisories describes CVE-2022-33971, a high-severity flaw that can allow an attacker who can access the targeted Omron programmable logic controller (PLC) to cause a denial-of-service (DoS) condition or execute malicious programs.
The second advisory describes CVE-2022-34151, a critical hardcoded credentials vulnerability that can be used to access Omron PLCs, and CVE-2022-33208, a high-severity issue that can be used to obtain sensitive information that could allow hackers to bypass authentication and access the controller.
ICS Advisory (ICSA-22-314-07)
Omron NJ/NX-series Machine Automation Controllers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-314-07
ICS Advisory (ICSA-22-314-08)
Omron NJ/NX-series Machine Automation Controllers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-314-08
Tomi Engdahl says:
Microsoft says attackers are hacking energy grids by exploiting decades-old software
https://techcrunch.com/2022/11/23/microsoft-boa-server-energy-grids/?tpcc=tcplusfacebook
Microsoft has warned that malicious hackers are exploiting a discontinued web server found in common Internet of Things (IoT) devices to target organizations in the energy sector.
In an analysis published on Tuesday, Microsoft researchers said they had discovered a vulnerable open-source component in the Boa web server, which is still widely used in a range of routers and security cameras, as well as popular software development kits (SDKs), despite the software’s retirement in 2005.
The technology giant identified the component while investigating a suspected Indian electric grid intrusion first detailed by Recorded Future in April, where Chinese state-sponsored attackers used IoT devices to gain a foothold on operational technology (OT) networks, used to monitor and control physical industrial systems.
Microsoft said it has identified one million internet-exposed Boa server components globally over the span of a one-week period, warning that the vulnerable component poses a “supply chain risk that may affect millions of organizations and devices.”
Microsoft said the most recent attack it observed was the compromise of Tata Power in October. This breach resulted in the Hive ransomware group publishing data stolen from the Indian energy giant,
Vulnerable SDK components lead to supply chain risks in IoT and OT environments
https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/
Tomi Engdahl says:
Vulnerable SDK components lead to supply chain risks in IoT and OT environments https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/
In this blog, we detail the risks affiliated with vulnerable components, highlighting the Boa web server, and how we suspect these components could be exploited to target critical industries. We also discuss the difficulties with identifying these components in device supply chains. To provide comprehensive protection against such attacks, we offer detection information to identify vulnerable components and guidance for organizations and network operators to improve their security posture.
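Microsoft's post offers detection information for vulnerable components; as an added example (not Microsoft's code, and independent of their detection rules), the following script does the simplest form of that inventory: parse captured HTTP response heads, pull out the Server banner case-insensitively, and record every host that identifies itself as Boa together with the version string when one is present. The five response heads are constructed on the 192.0.2.0/24 TEST-NET range; nothing is probed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed HTTP response heads. No real device was probed; the banners are
# shaped like the ones an internal inventory scan would record.
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("192.0.2.10", "HTTP/1.0 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("192.0.2.11", "HTTP/1.1 401 Unauthorized\r\nserver: Boa/0.93.15\r\nWWW-Authenticate: Basic realm=\"ipcam\"\r\n\r\n"),
    ("192.0.2.12", "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n"),
    ("192.0.2.13", "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.14", "HTTP/1.0 302 Found\r\nServer: Boa\r\nLocation: /login.htm\r\n\r\n"),
]

# "Boa" or "Boa/<version>", but not products whose name merely starts with "Boa".
BOA_BANNER = re.compile(r"^Boa(?:/(\S+))?\b", re.IGNORECASE)


def parse_head(raw: str) -> Dict[str, str]:
    """Split an HTTP response head into the status line plus lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_banner(banner: Optional[str]) -> Optional[Dict[str, str]]:
    """Return product and version when the Server banner identifies Boa, else None."""
    if not banner:
        return None
    m = BOA_BANNER.match(banner)
    if not m:
        return None
    return {"product": "Boa", "version": m.group(1) or "unknown"}


def inventory(responses: List[Tuple[str, str]]) -> List[dict]:
    """List every host whose Server banner says Boa, with the version if present."""
    findings = []
    for host, raw in responses:
        headers = parse_head(raw)
        hit = classify_banner(headers.get("server"))
        if hit is None:
            continue
        findings.append({"host": host, "status": headers["_status"],
                         "banner": headers["server"], **hit,
                         "note": "Boa retired upstream in 2005; track for replacement"})
    return findings


if __name__ == "__main__":
    for f in inventory(SAMPLE_RESPONSES):
        print(f"{f['host']:<12} {f['banner']:<20} version={f['version']}")
```

A banner is only a lead: a missing or rewritten Server header does not mean Boa is absent, which is part of the supply-chain identification difficulty the post describes, so a hit should be confirmed against the device's firmware and an absent banner treated as inconclusive rather than clean.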
Tomi Engdahl says:
Vulnerabilities in BMC Firmware Affect OT/IoT Device Security Part 1 https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-1/
Over the past year, Nozomi Networks Labs has conducted research on the security of Baseboard Management Controllers (BMCs), with a special focus on OT and IoT devices. In part one of this blog series, we reveal thirteen vulnerabilities that affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X. By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host. During our research, we uncovered other vulnerabilities whose patching is still in progress and thus cannot be disclosed as of yet; those will be covered in a follow-up blog post.
Tomi Engdahl says:
UK Government Departments Ordered To Remove Chinese Security Cameras https://www.forbes.com/sites/emmawoollacott/2022/11/25/uk-government-departments-ordered-to-remove-chinese-security-cameras/
The British government has ordered its departments to stop installing Chinese-made security cameras at ‘sensitive’ sites, citing security concerns. In a written statement, Chancellor of the Duchy of Lancaster Oliver Dowden has told MPs that, following a review, new controls were required. The concern hinges on the fact that companies such as Hikvision and Dahua – whose cameras are widely installed outside government offices – are required by China's National Intelligence Law 2017 to support national intelligence work.
Tomi Engdahl says:
U.S. Bans Chinese Telecom Equipment and Surveillance Cameras Over National Security Risk https://thehackernews.com/2022/11/us-bans-chinese-telecom-equipment-and.html
The U.S. Federal Communications Commission (FCC) formally announced it will no longer authorize electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua, deeming them an “unacceptable” national security threat. All these Chinese telecom and video surveillance companies were previously included in the Covered List as of March 12, 2021. “The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” FCC Chairwoman Jessica Rosenworcel said in a Friday order.
Tomi Engdahl says:
Automakers Are Locking the Aftermarket Out of ECUs https://www.roadandtrack.com/news/a41926249/automakers-locking-aftermarket-tuners-out-of-ecus/
As our vehicles start to integrate more complex systems such as Advanced Driver Assist Systems and over-the-air updates, automakers are growing weary of what potential bad actors could gain access to by way of hacking. Whether those hacks come in an attempt to retrieve personal customer data, or to take control of certain aspects of these integrated vehicles, automakers want to leave no part of that equation unchecked. In order to prevent this from becoming a potential safety or legal issue, companies like Ford have moved to heavily encrypt their vehicles' software. Krenz specifically noted that the new FNV architecture can detect when someone attempts to modify any of the vehicle's coding, and that it can respond by shutting down an individual vehicle system or the vehicle entirely if that’s what is required.
Tomi Engdahl says:
EV Chargers Could Be A Serious Target For Hackers
https://hackaday.com/2022/11/28/ev-chargers-could-be-a-serious-target-for-hackers/
Electric vehicle chargers are becoming a part of regular life. They too are connected devices, and thus pose a security risk if not designed and maintained properly. As with so many other devices on the Internet of Things, the truth is anything but.
Given that EV chargers must be connected, securing them is important. However, research by Sandia National Laboratories indicates that thus far, EV charger companies haven’t done the best job at protecting their systems. Researchers investigated a variety of attack vectors and vulnerabilities and found many areas where existing systems were simply not up to scratch.
Tomi Engdahl says:
https://hackaday.com/2022/11/26/defeating-a-cryptoprocessor-with-laser-beams/
Tomi Engdahl says:
BMC Firmware Vulnerabilities Expose OT, IoT Devices to Remote Attacks
https://www.securityweek.com/bmc-firmware-vulnerabilities-expose-ot-iot-devices-remote-attacks
Researchers at industrial cybersecurity firm Nozomi Networks have discovered more than a dozen vulnerabilities in baseboard management controller (BMC) firmware.
BMC is a specialized processor that allows administrators to remotely control and monitor a device without having to access the operating system or applications running on it. The BMC can be used to reboot a device, install an operating system, update the firmware, monitor system parameters, and analyze logs.
Many BMC vulnerabilities have been found in the past years, with researchers warning that exploitation of these flaws can allow a remote attacker to compromise and even damage the targeted server.