https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion this year.
1,725 Comments
Tomi Engdahl says:
Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras
https://www.securityweek.com/vulnerability-allows-hackers-to-remotely-tamper-with-dahua-security-cameras/
A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.
Researchers have discovered a vulnerability that can be exploited by remote hackers to tamper with the timestamp of videos recorded by Dahua security cameras.
The flaw, tracked as CVE-2022-30564, was discovered last year by India-based CCTV and IoT cybersecurity company Redinent Innovations. Advisories describing the vulnerability were published on Wednesday by both Dahua and Redinent.
Redinent has assigned the vulnerability a ‘high’ severity rating, but Dahua has calculated a 5.3 CVSS score for it, which makes it ‘medium severity’.
According to the Chinese video surveillance equipment maker, the flaw impacts several types of widely used cameras and video recorders, including IPC, SD, NVR, and XVR products.
Australian Defense Department to Remove Chinese-Made Cameras
https://www.securityweek.com/australian-defense-department-to-remove-chinese-made-cameras/
Australia's Defense Department said it will remove surveillance cameras made by Chinese Communist Party-linked companies from its buildings.
Australia’s Defense Department will remove surveillance cameras made by Chinese Communist Party-linked companies from its buildings, the government said Thursday after the U.S. and Britain made similar moves.
Tomi Engdahl says:
ICS/OT
Siemens Drives Rise in ICS Vulnerabilities Discovered in 2022: Report
More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.
https://www.securityweek.com/siemens-drives-rise-in-ics-vulnerabilities-discovered-in-2022-report/
The number of vulnerabilities discovered in industrial control systems (ICS) continues to increase, and many of them have a critical or high severity rating, according to a new report from industrial cybersecurity firm SynSaber. The report compares the number of ICS and ICS medical advisories published by CISA between 2020 and 2022. While the number of advisories was roughly the same in 2021 and 2022, at 350, the number of vulnerabilities discovered last year reached 1,342, compared to 1,191 in the previous year. The number of vulnerabilities rated critical has increased even more significantly, from 186 in 2021 to nearly 300 in 2022. In total, nearly 1,000 vulnerabilities are critical or high severity based on their CVSS score.
Tomi Engdahl says:
IoT Security
NIST Picks Ascon Algorithms to Protect Data on IoT, Small Electronic Devices
https://www.securityweek.com/nist-picks-ascon-algorithms-to-protect-data-on-iot-small-electronic-devices/
NIST selects the Ascon cryptographic algorithms as the standard to protect data flowing through IOT and small electronic devices.
The National Institute of Standards and Technology (NIST) has selected a group of cryptographic algorithms called Ascon as the lightweight cryptography standard to protect data flowing through IoT devices.
Following a multi-year effort that included security code reviews, NIST announced the Ascon family of algorithms will soon be the standard to protect data created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators.
The Ascon algorithms, developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research and Radboud University, are designed for miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles.
According to NIST, these tiny devices need “lightweight cryptography” — protection that uses the limited amount of electronic resources they possess
The Ascon family was selected in 2019 as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition, a sign that Ascon had withstood years of examination by cryptographers, NIST said in a note announcing the choice.
The standards body expects Ascon to power two of the most important tasks in lightweight cryptography: authenticated encryption with associated data (AEAD) and hashing.
The Institute made it clear that the new algorithms are not intended to be used for post-quantum encryption.
“One of the Ascon variants offers a measure of resistance to the sort of attack a powerful quantum computer might mount. However, that’s not the main goal here,”
Tomi Engdahl says:
The S (security) that is missing from IoT can be compensated for by also removing the I, that is, the Winnie-the-Pooh's ability to phone home. Amazing that such common sense is still on offer.
Tomi Engdahl says:
Chinese surveillance cameras were boycotted in the United States, but in Finland they are still used in public transport – we asked why
Surveillance technology from the Chinese state-owned Hikvision has been put on ban lists in several countries because of security deficiencies. Every Tampere tram is monitored by fourteen Hikvision cameras.
https://yle.fi/a/74-20017670
Tomi Engdahl says:
Ransomware attacks on industrial infrastructure doubled in 2022: Dragos
https://therecord.media/dragos-ransomware-report-2022-ics-ot-lockbit/
The number of ransomware attacks on industrial infrastructure doubled last year, according to research from the cybersecurity firm Dragos.
The company tracked more than 600 ransomware attacks in 2022 affecting industrial infrastructure, up 87% over the year before, with nearly three-quarters of them targeting the manufacturing sector. “So they're definitely going after manufacturing. A heck of a lot more than electrical and gas,” Rob Lee, CEO of Dragos, told reporters last week.
Cybercriminals increasingly targeted the operational technology (OT) and industrial control systems (ICS) that manage the core functions of factories and other industrial facilities
Tomi Engdahl says:
Just Released: Dragos's Latest ICS/OT Cybersecurity Year in Review Is Now Available https://www.dragos.com/blog/industry-news/2022-dragos-year-in-review-now-available/
In 2022, breakthrough evolution in the development of malware targeting industrial control systems (ICS), scaled ransomware attacks against manufacturing, and geopolitical tensions brought increased attention to the industrial cyber threat landscape. As in previous years, the ICS/OT community has managed a growing number of vulnerabilities, many without the right mitigations needed to reduce risk and maintain operations. Meanwhile electric grids, oil and gas pipelines, water systems, and manufacturing plants continued to struggle with more complex regulatory environments that demand marked progress in shoring up defenses
Tomi Engdahl says:
Honeypot-Factory: The Use of Deception in ICS/OT Environments https://thehackernews.com/2023/02/honeypot-factory-use-of-deception-in.html
There have been a number of reports of attacks on industrial control systems (ICS) in the past few years. Looking a bit closer, most of the attacks seem to have spilt over from traditional IT. That's to be expected, as production systems are commonly connected to ordinary corporate networks at this point. Though our data does not indicate at this point that a lot of threat actors specifically target industrial systems (in fact, most evidence points to purely opportunistic behaviour), the tide could turn any time, once the added complexity of compromising OT environments promises to pay off. Criminals will take any chance they get to blackmail victims into extortion schemes, and halting production can cause immense damage. It is likely only a matter of time. So cybersecurity for operational technology (OT) is vitally important.
Tomi Engdahl says:
ICS Vulnerabilities Chained for Deep Lateral Movement and Physical Damage
https://www.securityweek.com/ics-vulnerabilities-chained-for-deep-lateral-movement-and-physical-damage/
Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.
Researchers at cybersecurity firm Forescout have shown how various vulnerabilities discovered in recent years in industrial control systems (ICS) can be chained for deep lateral movement in operational technology (OT) networks, and even to cause significant physical damage.
Two vulnerabilities found last year in Schneider Electric’s Modicon programmable logic controllers (PLCs) are at the center of this research. The security holes can be exploited for remote code execution (CVE-2022-45788) and authentication bypass (CVE-2022-45789), and they were addressed by the industrial giant in January.
The issues were actually discovered as part of Forescout’s OT:Icefall research, which led to the discovery of dozens of flaws across the products of several major vendors. However, Schneider had asked the security firm not to disclose these two vulnerabilities when it made the OT:Icefall research public.
The Modicon PLC vulnerabilities can be chained with known security flaws in products from other vendors for an exploit that enables deep lateral movement in an OT network.
Tomi Engdahl says:
2022 ICS Attacks: Fewer-Than-Expected on US Energy Sector, But Ransomware Surged
https://www.securityweek.com/2022-ics-attacks-fewer-than-expected-on-us-energy-sector-but-ransomware-surged/
Dragos ICS/OT Cybersecurity Year in Review 2022 report covers state-sponsored attacks, ransomware, and vulnerabilities.
Industrial cybersecurity company Dragos on Tuesday published its ICS/OT Cybersecurity Year in Review report for 2022, sharing details on state-sponsored attacks and malware, as well as ransomware and vulnerabilities.
When it comes to malware designed specifically to target industrial control systems (ICS), the discovery of Pipedream/Incontroller is the most significant event. This ICS attack framework, linked to Russia and aimed at energy facilities, has the capabilities to impact tens of thousands of industrial systems that control critical infrastructure.
In addition, the existence of Industroyer2 came to light last year. The malware, used in an attack aimed at an energy provider in Ukraine, is designed to cause damage by manipulating ICS.
In total, seven pieces of ICS malware have been discovered to date, including Stuxnet, Havex, BlackEnergy2, CrashOverride, and Trisis.
In addition to new malware, 2022 saw two threat actors being added to the list of groups targeting industrial organizations: Chernovite, which is the developer of Pipedream, and Bentonite, an Iran-linked actor that opportunistically targeted maritime oil and gas, government and manufacturing organizations for espionage and disruption.
Dragos has been tracking 20 threat groups that have targeted industrial organizations, eight of which were active in 2022.
Dragos has been keeping track of security advisories containing incorrect data and found that 34% of the ones published in 2022 were in this category. Worryingly, 70% of the vulnerabilities described in these advisories were more severe in reality compared to what the advisory said.
The complete Dragos ICS/OT Cybersecurity Year in Review 2022 report is available in PDF format.
https://hub.dragos.com/hubfs/312-Year-in-Review/2022/Dragos_Year-In-Review-Report-2022.pdf?hsLang=en
Tomi Engdahl says:
Application Security Protection for the Masses
https://www.securityweek.com/application-security-protection-for-the-masses/
While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in a self-service manner are becoming increasingly popular.
Tomi Engdahl says:
IoT data encryption gets a long-awaited standard
https://etn.fi/index.php/13-news/14599-iot-datan-salaus-sai-kauan-odotetun-standardin
How do you protect the data generated by small devices such as IoT devices when it has to be transferred over the network for processing? NIST, the National Institute of Standards and Technology, has completed its competition to find a solution to become the standard for this area. The winner was a group of encryption algorithms named Ascon, which will be published as NIST's lightweight cryptography standard later this year.
The Ascon algorithms were chosen as the winner from among 10 finalists. The selection was based on several criteria. “The ability to provide security was paramount, but we also had to consider factors such as a candidate algorithm's performance and flexibility in terms of speed, size and energy use,” McKay explains.
Ascon was developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research and Radboud University. In 2019 it was selected as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition, a sign that Ascon had withstood cryptographers' attempts to break it for years.
The Ascon family currently has seven members, some or all of which may become part of NIST's published lightweight cryptography standard. As a family, the variants offer different functions that give designers options for different tasks. Two of these tasks are the most important in lightweight cryptography: authenticated encryption with associated data (AEAD) and hashing.
AEAD protects the confidentiality of a message, but it also allows additional information, such as a message header or a device's IP address, to be included without encryption. The algorithm ensures that all of the protected data is authentic and has not changed in transit. AEAD can be used in vehicle-to-vehicle communications, and it can also help prevent forgery of messages exchanged with radio-frequency identification (RFID) tags, which often help track packages in warehouses.
It is worth noting that this IoT data encryption is not so-called quantum-safe encryption. One of Ascon's versions offers resistance to the kind of attacks a powerful quantum computer might attempt. Such PQC, i.e. post-quantum cryptography, is important for long-term secrets that must be protected for years. Lightweight cryptography is generally used to encrypt short-lived data.
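The AEAD behaviour described in this article, and in the SecurityWeek item on the same NIST announcement earlier in this thread, is easier to see in code. The Ascon-128 implementation below is an added example written from the published specification for this page; it is not the designers' reference code and not from either article, and the key, nonce, sensor header and reading used in the self-test are constructed values. The point to watch is that the associated data (the cleartext header) feeds the tag but never the ciphertext, so altering either the header or the ciphertext makes decryption fail.

```c
/* Ascon-128 AEAD, written from the published specification as an illustration
   (not the designers' reference code). 320-bit state as five 64-bit words. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROTR(x, n) (((x) >> (n)) | ((x) << (64 - (n))))
typedef struct { uint64_t x[5]; } ascon_state;

static uint64_t load64(const uint8_t *b) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | b[i];
    return v;
}
static void store64(uint8_t *b, uint64_t v) {
    for (int i = 7; i >= 0; i--) { b[i] = (uint8_t)v; v >>= 8; }
}
/* Last (short) block: n < 8 data bytes followed by the 10* padding byte 0x80. */
static uint64_t load_padded(const uint8_t *b, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)b[i] << (56 - 8 * i);
    return v | (0x80ULL << (56 - 8 * n));
}
/* p^a (12 rounds) for initialisation/finalisation, p^b (6 rounds) between blocks. */
static void permute(ascon_state *s, int rounds) {
    uint64_t *x = s->x, t[5];
    for (int r = 12 - rounds; r < 12; r++) {
        x[2] ^= (uint64_t)(((0xF - r) << 4) | r);        /* round constant 0xf0 .. 0x4b */
        x[0] ^= x[4]; x[4] ^= x[3]; x[2] ^= x[1];        /* 5-bit S-box, bitsliced */
        for (int i = 0; i < 5; i++) t[i] = ~x[i] & x[(i + 1) % 5];
        for (int i = 0; i < 5; i++) x[i] ^= t[(i + 1) % 5];
        x[1] ^= x[0]; x[0] ^= x[4]; x[3] ^= x[2]; x[2] = ~x[2];
        x[0] ^= ROTR(x[0], 19) ^ ROTR(x[0], 28);          /* linear diffusion layer */
        x[1] ^= ROTR(x[1], 61) ^ ROTR(x[1], 39);
        x[2] ^= ROTR(x[2], 1) ^ ROTR(x[2], 6);
        x[3] ^= ROTR(x[3], 10) ^ ROTR(x[3], 17);
        x[4] ^= ROTR(x[4], 7) ^ ROTR(x[4], 41);
    }
}
/* Initialise with IV||K||N, then absorb the associated data: it is bound into the
   tag but never encrypted, which is what AEAD adds over plain encryption. */
static void init_state(ascon_state *s, const uint8_t k[16], const uint8_t n[16],
                       const uint8_t *ad, size_t adlen) {
    uint64_t k0 = load64(k), k1 = load64(k + 8);
    s->x[0] = 0x80400c0600000000ULL; s->x[1] = k0; s->x[2] = k1;
    s->x[3] = load64(n); s->x[4] = load64(n + 8);
    permute(s, 12);
    s->x[3] ^= k0; s->x[4] ^= k1;
    if (adlen) {
        for (; adlen >= 8; ad += 8, adlen -= 8) { s->x[0] ^= load64(ad); permute(s, 6); }
        s->x[0] ^= load_padded(ad, adlen); permute(s, 6);
    }
    s->x[4] ^= 1;                                        /* domain separation AD / message */
}
static void finalize(ascon_state *s, const uint8_t k[16], uint8_t tag[16]) {
    uint64_t k0 = load64(k), k1 = load64(k + 8);
    s->x[1] ^= k0; s->x[2] ^= k1;
    permute(s, 12);
    store64(tag, s->x[3] ^ k0); store64(tag + 8, s->x[4] ^ k1);
}
/* ct receives exactly mlen bytes; tag is 16 bytes. A (k, n) pair must never be reused. */
void ascon128_encrypt(uint8_t *ct, uint8_t tag[16], const uint8_t *m, size_t mlen,
                      const uint8_t *ad, size_t adlen, const uint8_t n[16], const uint8_t k[16]) {
    ascon_state s; uint8_t last[8];
    init_state(&s, k, n, ad, adlen);
    for (; mlen >= 8; m += 8, ct += 8, mlen -= 8) { s.x[0] ^= load64(m); store64(ct, s.x[0]); permute(&s, 6); }
    s.x[0] ^= load_padded(m, mlen);
    store64(last, s.x[0]); memcpy(ct, last, mlen);
    finalize(&s, k, tag);
}
/* Returns 0 and fills pt on success; -1 (with pt zeroed) if tag, ciphertext or AD was altered. */
int ascon128_decrypt(uint8_t *pt, const uint8_t *ct, size_t clen, const uint8_t tag[16],
                     const uint8_t *ad, size_t adlen, const uint8_t n[16], const uint8_t k[16]) {
    ascon_state s; uint8_t ks[8], t[16], diff = 0; uint8_t *out = pt; size_t total = clen;
    init_state(&s, k, n, ad, adlen);
    for (; clen >= 8; ct += 8, pt += 8, clen -= 8) {
        uint64_t c = load64(ct); store64(pt, s.x[0] ^ c); s.x[0] = c; permute(&s, 6);
    }
    store64(ks, s.x[0]);
    for (size_t i = 0; i < clen; i++) pt[i] = ks[i] ^ ct[i];
    s.x[0] ^= load_padded(pt, clen);
    finalize(&s, k, t);
    for (int i = 0; i < 16; i++) diff |= t[i] ^ tag[i];      /* constant-time tag compare */
    if (diff) { memset(out, 0, total); return -1; }
    return 0;
}
/* Constructed demo: an authenticated cleartext header plus an encrypted reading.
   Returns 1 if the round trip works and both AD and ciphertext tampering are rejected. */
int ascon128_selftest(void) {
    uint8_t k[16], n[16], tag[16];
    const uint8_t ad[] = "sensor-42|seq=7";               /* 16 bytes incl. NUL, sent in clear */
    const uint8_t m[] = "temp=21.5C;door=closed";         /* 23 bytes incl. NUL, encrypted */
    uint8_t ct[sizeof m], pt[sizeof m], bad_ad[sizeof ad];
    for (int i = 0; i < 16; i++) { k[i] = (uint8_t)i; n[i] = (uint8_t)(0xA0 + i); }
    ascon128_encrypt(ct, tag, m, sizeof m, ad, sizeof ad, n, k);
    if (ascon128_decrypt(pt, ct, sizeof m, tag, ad, sizeof ad, n, k) != 0) return 0;
    if (memcmp(pt, m, sizeof m) != 0) return 0;
    memcpy(bad_ad, ad, sizeof ad); bad_ad[14] ^= 1;       /* header replayed as seq=6: must fail */
    if (ascon128_decrypt(pt, ct, sizeof m, tag, bad_ad, sizeof ad, n, k) != -1) return 0;
    ct[0] ^= 1;                                           /* one flipped ciphertext bit: must fail */
    if (ascon128_decrypt(pt, ct, sizeof m, tag, ad, sizeof ad, n, k) != -1) return 0;
    return 1;
}
int main(void) { printf("ascon128 selftest: %s\n", ascon128_selftest() ? "ok" : "FAILED"); return 0; }
```

Build with any C99 compiler and run; ascon128_selftest() returns 1 when the round trip succeeds and both tampering attempts are rejected. The decrypt routine zeroes its output on tag failure so unauthenticated plaintext is never handed back to the caller. What the self-test does not cover is nonce management: a nonce repeated under the same key breaks the confidentiality of any AEAD, Ascon included, so a device needs a counter or random source it can trust across reboots.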
Tomi Engdahl says:
https://www.securityweek.com/ics-vulnerabilities-chained-for-deep-lateral-movement-and-physical-damage/
Tomi Engdahl says:
Published XIoT Vulnerabilities Trend Down, but Vigilance Must Remain High: Report
https://www.securityweek.com/published-xiot-vulnerabilities-trend-down-but-vigilance-must-remain-high-report/
While the total number of new XIoT vulnerabilities is reducing, the difficulty in securing these devices remains high – especially in OT situations.
Published XIoT vulnerabilities are trending down and have been since 2021. At the same time, the percentage of vulnerabilities published by the device manufacturer rather than third-party researchers is trending up. The clear implication is device manufacturers are taking greater responsibility for the security of their own devices.
The reason is probably twofold: government pressure and commercial reality. The introduction of SBOMs has focused manufacturers' attention on the software make-up of their devices, while the increasing frequency of adversarial attacks against critical industries – especially healthcare – is making buyers question the security of devices before they purchase.
This does not mean that companies can relax vigilance around their cyber-physical devices. A report (PDF) from Claroty’s Team82 research arm on the state of XIoT security in 2H, 2022 notes that 688 vulnerabilities were published in this period – and that 74% affected OT devices. Four hundred and eighty-seven of the total number of vulnerabilities were assessed as either critical or high severity under CVSS v3. The potential effect of a successful attack against such OT systems, especially in critical infrastructure companies, could be extreme.
Team82 reported 65 of the vulnerabilities. Thirty of these had a CVSS v3 critical rating of 9.5 or higher.
https://web-assets.claroty.com/state-of-xiot-security-report-2h-2022-(2).pdf
Tomi Engdahl says:
Question:
Why exactly does a vacuum cleaner need a camera and internet access?
https://www.marketplace.org/shows/marketplace-tech/how-private-images-captured-by-a-robot-vacuum-ended-up-online/amp/
Tomi Engdahl says:
AI to protect production, including 5G devices
https://www.uusiteknologia.fi/2023/02/27/tekoaly-suojaamaan-tuotantoa-myos-5g-laitteita/
The US security company Palo Alto Networks has introduced its Zero Trust OT Security system aimed at industry, which is promised to use artificial intelligence to secure industrial equipment, including devices that use 5G technology.
Palo Alto Networks has responded to network threat situations and the challenges they cause by developing an OT protection based on zero-trust technology. With the Zero Trust OT Security system, industrial and production services can be protected against various cyberattacks more effectively than before.
Many industrial systems and production solutions form such a significant part of the operation of production chains that their compromise can put people and their well-being at stake. Exposing infrastructure to threats can also lead to catastrophic consequences.
The threats are real: according to the research firm Gartner, for example, production volumes of industrial OT devices are forecast to grow by as much as 400 percent by 2030. With a growing installed base, the number of attacks grows as well. According to NTT, attacks targeting the manufacturing and production sector increased by a full 300 percent in 2021.
As part of its Zero Trust OT Security system, the company announced the Industrial OT Security service, designed to protect production equipment. The service uses AI-based ML technology to identify more than 340 different OT device profiles and more than 1,070 different OT/ICS applications, and to protect the system against more than 650 different OT threats.
Palo Alto's Zero Trust OT Security system can be used in three different combinations: together with next-generation firewalls, jointly with the Prisma SASE system, and integrated into the Palo Alto Networks 5G-Native Security service. If desired, Zero Trust OT Security can also be combined with many other Palo Alto Networks security services.
https://www.paloaltonetworks.com/network-security/zero-trust-ot-security
Tomi Engdahl says:
Palo Alto Networks Unveils Zero Trust OT Security Solution
https://www.securityweek.com/palo-alto-networks-unveils-zero-trust-ot-security-solution/
Palo Alto Networks introduces a new OT security solution for industrial organizations that provides visibility, zero trust and simplified operations.
Tomi Engdahl says:
Edge Security in an Insecure World
https://www.mouser.com/empowering-innovation/more-topics/ai?utm_source=endeavor&utm_medium=display&utm_campaign=ed-personifai-eit-ai-#article2-ai
As the cost of embedded networked devices falls—consider the Raspberry Pi as one example—they become ubiquitous. But, a hidden cost in this proliferation is that these devices can lack security and therefore be exploited. Without the investment in security, devices can leak private information—such as video, images, or audio—or become part of a botnet that wreaks havoc around the world.
Edge Computing in a Nutshell
Edge computing is a paradigm of shifting centralized compute resources closer to the source of data. This produces a number of benefits including:
Disconnected operation
Faster response time
Improved balance of compute needs across the spectrum
Securing a Device
To look at a device and understand how it can be exploited, we look at what’s called the attack surface. The attack surface for a device represents all of the points where an attacker can attempt to exploit or extract data from a device. This attack surface could include:
The network ports that interface to the device
The serial port
The firmware update process used to upgrade the device
The physical device itself
Attack Vectors
The attack surface defines the device’s exposure to the world and becomes the focus of defense for security. Securing a device is then a process of understanding the possible attack vectors for a device and protecting them to reduce the surface.
Common attack vectors typically include:
Interfaces
Protocols
Services
Tomi Engdahl says:
https://ticonnectivityfundamentals.com/
Tomi Engdahl says:
Designing for Security
https://www.mouser.com/empowering-innovation/more-topics/designing-for-security?utm_source=endeavor&utm_medium=display&utm_campaign=ed-personifai-eit2022#video-security
System hacks and attacks are in the news all too frequently these days. Even small embedded systems are vulnerable to various attack vectors. Security must be built into the design from the ground up, starting with architecture selection and component choice. This topic presents an updated view of designing with security in mind including hardware features available in the latest MCU, software tools and techniques, and the newest stand-alone security products.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2023/02/27/tekoaly-suojaamaan-tuotantoa-myos-5g-laitteita/
Tomi Engdahl says:
Uncovered: 1,000 phrases that incorrectly trigger Alexa, Siri, and Google Assistant
“Election” can trigger Alexa; “Montana” can trigger Cortana.
https://arstechnica.com/information-technology/2020/07/uncovered-1000-phrases-that-incorrectly-trigger-alexa-siri-and-google-assistant/
As Alexa, Google Home, Siri, and other voice assistants have become fixtures in millions of homes, privacy advocates have grown concerned that their near-constant listening to nearby conversations could pose more risk than benefit to users. New research suggests the privacy threat may be greater than previously thought.
The findings demonstrate how common it is for dialog in TV shows and other sources to produce false triggers that cause the devices to turn on, sometimes sending nearby sounds to Amazon, Apple, Google, or other manufacturers. In all, researchers uncovered more than 1,000 word sequences—including those from Game of Thrones, Modern Family, House of Cards, and news broadcasts—that incorrectly trigger the devices.
“The devices are intentionally programmed in a somewhat forgiving manner, because they are supposed to be able to understand their humans,” one of the researchers, Dorothea Kolossa, said. “Therefore, they are more likely to start up once too often rather than not at all.”
That which must not be said
Examples of words or word sequences that provide false triggers include
Alexa: “unacceptable,” “election,” and “a letter”
Google Home: “OK, cool,” and “Okay, who is reading”
Siri: “a city” and “hey jerry”
Microsoft Cortana: “Montana”
after mistakenly concluding that these are likely a wake word, the devices then send the audio to remote servers where more robust checking mechanisms also mistake the words for wake terms. In other cases, the words or phrases trick only the local wake word detection but not algorithms in the cloud.
Unacceptable privacy intrusion
When devices wake, the researchers said, they record a portion of what’s said and transmit it to the manufacturer. The audio may then be transcribed and checked by employees in an attempt to improve word recognition. The result: fragments of potentially private conversations can end up in the company logs.
The risk to privacy isn’t solely theoretical. In 2016, law enforcement authorities investigating a murder subpoenaed Amazon for Alexa data transmitted in the moments leading up to the crime. Last year, The Guardian reported that Apple employees sometimes transcribe sensitive conversations overheard by Siri. They include private discussions between doctors and patients, business deals, seemingly criminal dealings, and sexual encounters.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-tpm-20-flaws-could-let-hackers-steal-cryptographic-keys/
Tomi Engdahl says:
Critical Vulnerabilities Allow Hackers to Take Full Control of Wago PLCs
https://www.securityweek.com/critical-vulnerabilities-allow-hackers-to-take-full-control-of-wago-plcs/
Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).
German industrial automation solutions provider Wago has released patches for several of its programmable logic controllers (PLCs) to address four vulnerabilities, including ones that can be exploited to take full control of the targeted device.
During the analysis of Wago PLCs, the researcher discovered several vulnerabilities in the web-based management interface designed for administering, commissioning and updating devices.
Germany’s CERT@VDE has published an advisory that describes the vulnerabilities and shares information on impacted products and versions.
Two of the flaws have been assigned a critical severity rating based on their CVSS score. One of them, a missing authentication issue tracked as CVE-2022-45138, can be exploited by an unauthenticated attacker to read and set some device parameters, which can lead to a full compromise of the controller.
The second critical vulnerability, CVE-2022-45140, allows an unauthenticated attacker to write arbitrary data with root privileges, which can result in arbitrary code execution and a full system compromise.
In a real-world attack, a threat actor could exploit these vulnerabilities to maliciously control actuators, falsify sensor measurements, and disable all safety controls, the researcher explained.
https://cert.vde.com/de/advisories/VDE-2022-060/
The web-based management of affected products is vulnerable to Reflective Cross-Site Scripting. This can be used to install malicious code and to gain access to confidential information on a System that connects to the WBM after it has been compromised.
Additionally, the web-based management of affected products is vulnerable to stealing and setting device parameters and remote code execution by an unauthenticated attacker.
Mitigation
If not needed, you can deactivate the web-based management to prevent attacks (command line)
Restrict network access to the device.
Do not directly connect the device to the internet
Remediation
We recommend all users of affected products to install FW22 Patch 1 or FW 24 or higher.
Tomi Engdahl says:
Serious vulnerability in PC security chips
https://etn.fi/index.php/13-news/14677-pc-turvasiruissa-vakava-haavoittuvuus
TPM, the Trusted Platform Module, is a module that guarantees the preservation of sensitive data on PCs. Now security researchers have found two vulnerabilities in TPM 2.0 chips. The problem may affect up to billions of devices.
A TPM cryptographic chip is required for all machines on which the Windows 11 operating system is to be installed. Now two dangerous buffer overflow vulnerabilities have been found in the specification of the TPM 2.0 reference library. Exploiting the vulnerabilities is only possible with an authenticated local user account, but a small piece of malware could do the same thing.
The two vulnerabilities are tracked as CVE-2023-1017 and CVE-2023-1018, or as “out-of-bounds write” and “out-of-bounds read” bugs. The problem was found in the TPM 2.0 module library, which allows two “extra bytes” to be written (or read) in the CryptParameterDecryption routine after a TPM 2.0 command.
By writing specially crafted malicious commands, an attacker can exploit the vulnerabilities to crash the TPM chip, rendering it “unusable”. After that, other code can be run in the TPM's protected memory. Sensitive data stored in the chip's isolated secure memory can be read from the chip.
Successful exploitation of CVE-2023-1017 and CVE-2023-1018 can compromise cryptographic keys, passwords and other important data. In practice this can break the protection of TPM-based operating systems such as Windows 11.
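A two-byte overrun of the kind described above is what you get when a length check does not account for the bytes actually present. The C below is an added, simplified model of that bug class written for this page: a size-prefixed parameter is decrypted in place, the unsafe version compares the declared size against the whole buffer even though the payload starts two bytes in, and the hardened version bounds it properly. It is not the TPM 2.0 reference library code or its actual fix; the function names, the placeholder XOR "keystream" and the canary bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Placeholder for the session keystream XOR that a real parameter decryption
   would apply in place (a fixed byte here so the effect is visible; not a cipher). */
static void xor_keystream(uint8_t *p, size_t n) { for (size_t i = 0; i < n; i++) p[i] ^= 0x5A; }

/* Vulnerable pattern (illustration, not the TPM reference code): the 2-byte
   big-endian size field is checked against the whole buffer, but the encrypted
   bytes start after that field, so size == buflen passes the check and the XOR
   runs exactly 2 bytes past the end of the parameter. Returns bytes decrypted. */
int decrypt_param_unsafe(uint8_t *buf, size_t buflen) {
    uint16_t size = (uint16_t)((buf[0] << 8) | buf[1]);   /* buflen >= 2 is not checked either */
    if (size > buflen) return -1;                          /* off by the 2-byte header */
    xor_keystream(buf + 2, size);
    return size;
}

/* Hardened version: require room for the header, then bound the declared size
   by the payload bytes that are really there. */
int decrypt_param_safe(uint8_t *buf, size_t buflen) {
    if (buflen < 2) return -1;
    uint16_t size = (uint16_t)((buf[0] << 8) | buf[1]);
    if ((size_t)size > buflen - 2) return -1;
    xor_keystream(buf + 2, size);
    return size;
}

/* Constructed input: the parameter is 8 bytes (size field + 6 payload bytes) but
   declares size 8; the two canaries stand for whatever follows it in memory. */
#define CANARY0 0xAA
#define CANARY1 0xBB

/* Returns 1 if the unsafe parser accepts the crafted size and clobbers both canaries. */
int demo_unsafe_overflows(void) {
    uint8_t mem[10] = {0x00, 0x08, 1, 2, 3, 4, 5, 6, CANARY0, CANARY1};
    int n = decrypt_param_unsafe(mem, 8);                 /* only 8 bytes belong to the parameter */
    return n == 8 && mem[8] != CANARY0 && mem[9] != CANARY1;
}
/* Returns 1 if the hardened parser rejects the same input and leaves memory untouched. */
int demo_safe_rejects(void) {
    uint8_t mem[10] = {0x00, 0x08, 1, 2, 3, 4, 5, 6, CANARY0, CANARY1};
    int n = decrypt_param_safe(mem, 8);
    return n == -1 && mem[8] == CANARY0 && mem[9] == CANARY1;
}
/* Returns 1 if a well-formed parameter (size 6 inside 8 bytes) still decrypts. */
int demo_safe_accepts_valid(void) {
    uint8_t mem[8] = {0x00, 0x06, 1, 2, 3, 4, 5, 6};
    return decrypt_param_safe(mem, 8) == 6 && mem[2] == (1 ^ 0x5A);
}

int main(void) {
    printf("unsafe overflows: %d, safe rejects: %d, safe accepts valid: %d\n",
           demo_unsafe_overflows(), demo_safe_rejects(), demo_safe_accepts_valid());
    return 0;
}
```

The crafted case is the interesting one for a reviewer: nothing in the unsafe check is obviously wrong at a glance, which is why a size-prefixed structure should always be validated as header plus payload against the bytes received, never as the declared size alone.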
Tomi Engdahl says:
Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms
https://www.securityweek.com/counting-ics-vulnerabilities-examining-variations-in-numbers-reported-by-security-firms/
Reports published by various industrial cybersecurity companies provide different numbers on ICS vulnerabilities — here’s why.
Reports published in the past couple of months by various industrial cybersecurity companies provide different numbers when it comes to the vulnerabilities discovered in industrial control system (ICS) products in 2022. SecurityWeek has analyzed the methodologies used by these companies in an effort to understand the discrepancies in numbers and trends.
Some companies have reported seeing an increase in the number of ICS vulnerabilities, while others claim there has been a drop. However, looking at their methodologies helps clear up any confusion and shows that the contradictory trends result from the use of different sources and different methods of counting security holes.
SecurityWeek’s analysis of the various reports shows that the number of ICS vulnerabilities has continued to grow, which is not surprising considering that security researchers are increasingly interested in this field and vendors are also stepping up their game and finding more flaws. But let’s take a look at why some headlines might suggest differently.
In its recent ICS/OT Cybersecurity Year in Review report, industrial cybersecurity firm Dragos reported seeing 2,170 CVEs in 2022, which represents a 27% increase compared to the previous year.
Dragos has reported the highest number of ICS vulnerabilities, which is explained by the fact that the company is tracking more sources than any other vendor. Its sources include advisories from the Cybersecurity and Infrastructure Security Agency (CISA), Germany’s CERT@VDE and Japan’s JP-CERT, as well as advisories from individual vendors and raw data from NIST. The company’s own researchers have also discovered vulnerabilities, which are included in the count.
While other ICS/OT security firms may not use as many data sources, they still reported seeing an increase in the number of vulnerabilities.
SynSaber, which only counts vulnerabilities from CISA’s ICS advisories, cataloged 1,342 vulnerabilities in 2022, compared to 1,191 in 2021 — excluding ICS medical vulnerabilities covered by CISA advisories.
Claroty recently reported that XIoT vulnerabilities were trending down in the past three quarters, with 819 issues disclosed in H2 2021, 747 in H1 2022, and 688 in H2 2022. However, these numbers include not just ICS/OT vulnerabilities, but also some medical, IT and IoT issues, as well as flaws affecting multiple types of products.
When it comes to ICS/OT vulnerabilities alone, Claroty cataloged a total of 940 in 2022, up from 826 in 2021.
IBM recently reported that for the first time in two years, the number of ICS vulnerabilities has decreased, from 715 in 2021 to 457 in 2022. The numbers are far lower compared to what other vendors have reported.
The difference in the number of vulnerabilities reported by each of these companies can also come from the way vulnerabilities are counted.
Tomi Engdahl says:
Edward Graham / Nextgov:
CISA launches a pilot program to warn critical infrastructure owners with “internet-accessible vulnerabilities commonly associated with known ransomware actors” — The new pilot program will enable “timely risk reduction” by alerting critical infrastructure owners and operators …
More: CISA, CISA, Qualys Security Blog, Infosecurity, and Risky Business News
CISA Launches Ransomware Warning Pilot for Critical Infrastructure
https://www.nextgov.com/cybersecurity/2023/03/cisa-launches-ransomware-warning-pilot-critical-infrastructure/383963/
The new pilot program will enable “timely risk reduction” by alerting critical infrastructure owners and operators of vulnerabilities within their systems that are susceptible to ransomware attacks.
The Cybersecurity and Infrastructure Security Agency publicly announced on Monday that it has established a pilot program to identify vulnerabilities within critical infrastructure systems that are known to be exploited by ransomware groups and threat actors.
According to CISA, the ransomware vulnerability warning pilot—or RVWP—will “identify organizations with internet-accessible vulnerabilities commonly associated with known ransomware actors by using existing services, data sources, technologies and authorities, including our free Cyber Hygiene Vulnerability Scanning service.”
The RVWP first began on Jan. 30, when CISA contacted 93 organizations “identified as running instances of Microsoft Exchange Service with a vulnerability called ‘ProxyNotShell,’ which has been widely exploited by ransomware actors.”
“This initial round of notifications demonstrated the effectiveness of this model in enabling timely risk reduction as we further scale the RVWP to additional vulnerabilities and organizations,” CISA said.
The pilot program was created in response to the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, a 2022 law that required CISA “to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments” to the agency. CISA said the RVWP would be “coordinated by and aligned with the Joint Ransomware Task Force,” an interagency body that was also established by CIRCIA.
Tomi Engdahl says:
Industrial Automated Control System (IACS) Cybersecurity
Tomi Engdahl says:
A Look at The 2023 Global Automotive Cybersecurity Report https://www.tripwire.com/state-of-security/global-automotive-cybersecurity-report
Recently, Upstream published their 2023 Global Automotive Cybersecurity Report. In it, they explored the cybersecurity threats that plague the automotive industry, as well as the things the sector can do to protect itself as these threats continue to evolve. Here’s a closer look at five important findings in this comprehensive document
Tomi Engdahl says:
Leverage cloud-powered security with Microsoft Defender for IoT https://www.microsoft.com/en-us/security/blog/2023/03/20/leverage-cloud-powered-security-with-microsoft-defender-for-iot/
Traditionally, operational technology (OT) and IT have occupied separate sides of enterprise security. But with digital transformation and the advent of Industry 4.0, the old, siloed approach is showing its age. In this blog, we’ll look at today’s connected OT environment, including the advantages of cloud-managed security and how a converged security operations center (SOC) can offer advantages over the traditional siloed approach.
Tomi Engdahl says:
https://en.wikipedia.org/wiki/IEC_62443
Tomi Engdahl says:
Waterfall Security, TXOne Networks Launch New OT Security Appliances
Waterfall Security Solutions and TXOne Networks have each announced launching new OT security appliances.
https://www.securityweek.com/waterfall-security-txone-networks-launch-new-ot-security-appliances/
Waterfall Security Solutions and TXOne Networks have each announced launching new security appliances for operational technology (OT) environments.
TXOne last week announced the worldwide availability of the EdgeIPS 103 intrusion prevention system (IPS), which is designed for protecting mission-critical machines against cyber threats.
According to the industrial cybersecurity firm, the EdgeIPS 103 appliance provides virtual patching, comprehensive asset visibility, centralized management, and network segmentation capabilities.
The appliance is compact, it’s designed to work in harsh environments, provides flexible deployment options, and supports a wide range of industrial protocols. The product can be deployed in OT networks without disrupting operations, TXOne said.
Waterfall Security Solutions on Monday announced the launch of the WF-600 Unidirectional Security Gateway. The company advertises these gateways as an alternative to firewalls.
The WF-600 Unidirectional Security Gateway provides visibility into OT networks, systems and data.
Using the product does not require the installation of any software on industrial or enterprise computers. The network appliance works with a wide range of historians, IIoT and industrial protocols, intrusion detection and monitoring systems, and OPC servers.
Other recently announced OT security products
Palo Alto Networks last month introduced a new OT security solution that provides visibility, zero trust and simplified operations.
The new solution is named Zero Trust OT Security and a service called Industrial OT Security is a key component. Industrial OT Security is a cloud-delivered service that provides comprehensive visibility into cyber-physical systems.
The solution provides visibility, segmentation and least-privilege access control, continuous risk monitoring, and continuous security inspection capabilities.
Also last month, the National Rural Electric Cooperative Association (NRECA) announced the commercial launch of an OT security solution named Essence, which can be used by electricity providers, as well as other types of utilities, including gas and water providers.
Tomi Engdahl says:
We (Did!) Start the Fire: Hacktivists Increasingly Claim Targeting of OT Systems https://www.mandiant.com/resources/blog/hacktivists-targeting-ot-systems
In this blog post, Mandiant offers a comprehensive analysis of recent hacktivist activity targeting OT systems. Mandiant was able to leverage information from previously undisclosed and known incidents to discuss the potential implications for OT defenders. Awareness about emerging hacktivism trends helps OT defenders to prioritize countermeasures and differentiate state-sponsored fronts leveraging the hacktivism cloak
Tomi Engdahl says:
Edge Security in an Insecure World
By M. Tim Jones for Mouser Electronics
Sponsor: NXP
https://www.mouser.com/empowering-innovation/more-topics/ai?utm_source=endeavor&utm_medium=display&utm_campaign=ed-personifai-eit-ai-#article2-ai
Tomi Engdahl says:
Moobot Strikes Again – Targeting Cacti And RealTek Vulnerabilities https://www.fortinet.com/blog/threat-research/moobot-strikes-again-targeting-cacti-and-realtek-vulnerabilities
FortiGuard Labs observed several attacking bursts targeting Cacti and Realtek vulnerabilities in January and March of this year and then spreading ShellBot and Moobot malware. ShellBot is a malware developed in Perl that uses the Internet Relay Chat (IRC) protocol to communicate with the server, also known as PerlBot. Moobot is a Mirai variant botnet that targets exposed networking devices. Compromised endpoints can be controlled by its C&C server and deliver further attacks, such as distributed denial-of-service attacks. The vulnerabilities mentioned above have a critical security impact that can lead to remote code execution. Therefore, it is highly recommended that patches and updates be applied as soon as possible
Tomi Engdahl says:
Researchers Spot Silicon-Level Hardware Trojans in Chips, Release Their Algorithm for All to Try
Using thousands of electron microscope images and the original chip layout, 37 of 40 deliberate modifications were spotted.
https://www.hackster.io/news/researchers-spot-silicon-level-hardware-trojans-in-chips-release-their-algorithm-for-all-to-try-ba00bbd56248
Tomi Engdahl says:
Bluetooth hack breaks into cars and smart locks
Devices from deadbolts to car doors could be affected.
https://www.freethink.com/technology/ble-smartlock-hack#Echobox=1679410791
Tomi Engdahl says:
The NUIT Attack Uses Near-Ultrasound Audio to Silently Command Your Voice Assistant
By embedding commands in YouTube videos, streaming music, or even voice calls and Zoom meetings, NUIT can silently take control.
https://www.hackster.io/news/the-nuit-attack-uses-near-ultrasound-audio-to-silently-command-your-voice-assistant-6d500487570b
Tomi Engdahl says:
FDA Announces New Cybersecurity Requirements for Medical Devices
https://www.securityweek.com/fda-announces-new-cybersecurity-requirements-for-medical-devices/
The FDA is asking medical device manufacturers to provide cybersecurity-related information when submitting an application for a new product.
According to the FDA, submissions for new medical devices will need to include specific cybersecurity-related information, such as the description of a plan for identifying and addressing vulnerabilities and exploits in a reasonable time.
Companies must also provide details on the processes and procedures for releasing postmarket updates and patches that address security issues, including through regular updates and out-of-band patches in the case of critical vulnerabilities.
The information provided to the FDA must also include a software bill of materials (SBOM) for commercial, open source and off-the-shelf components.
The requirements apply to cyber devices — this is any device that runs software, has the ability to connect to the internet, and could be vulnerable to cyber threats.
The new cybersecurity requirements do not apply to submissions prior to March 29, 2023, and the FDA will not reject applications solely on this requirement until October 1 — it will provide assistance to companies until that date. However, starting with October 1, the agency may start rejecting premarket submissions that do not contain the required information.
The FDA has also published an FAQ page that provides additional clarifications on the new requirements, as well as links to useful resources.
The US Cybersecurity and Infrastructure Security Agency (CISA) has been publishing advisories that describe vulnerabilities in medical devices, and a report published earlier this year by industrial cybersecurity firm SynSaber shows that the number of flaws reported in 2022 decreased to 23, from 87 in 2021 and 79 in 2021.
Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)
https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity-medical-devices-frequently-asked-questions-faqs
Tomi Engdahl says:
Smart home assistants at risk from “NUIT” ultrasound attack https://www.malwarebytes.com/blog/news/2023/03/smart-home-assistants-at-risk-from-nuit-ultrasound-attack
A new form of attack named Near Ultrasound Inaudible Trojan (NUIT) has been unveiled by researchers from the University of Texas. NUIT is designed to attack voice assistants with malicious commands remotely via the internet. Impacted assistants include Siri, Alexa, Cortana, and Google Assistant. This attack relies on abusing the high sensitivity of microphones found in these IoT devices. They're able to pick up what is described as the near-ultrasound frequency range (16kHz – 20kHz), and this is where NUIT lurks
Tomi Engdahl says:
ETSI EN 303 645 V2.1.1 (2020-06)
CYBER;
Cyber Security for Consumer Internet of Things:
Baseline Requirements
https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf
Tomi Engdahl says:
https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=66917&curItemNr=9&totalNrItems=118&optDisplay=10&titleType=all&qSORT=HIGHVERSION&qETSI_ALL=&SearchPage=TRUE&qTB_ID=824%3BCYBER&qINCLUDE_SUB_TB=True&qINCLUDE_MOVED_ON=&qSTOP_FLG=N&qKEYWORD_BOOLEAN=OR&qCLUSTER_BOOLEAN=OR&qFREQUENCIES_BOOLEAN=OR&qSTOPPING_OUTDATED=&butExpertSearch=Search&includeNonActiveTB=FALSE&includeSubProjectCode=FALSE&qREPORT_TYPE=SUMMARY
Cyber Security (CYBER); Mapping of specific requirements of standardization request for RED articles 3(3)(d), 3(3)(e) and 3(3)(f) to IEC 62443-4-2 requirements and to ETSI EN 303 645 provisions
Mapping RED to 62443-4-2 and 303 645
Scope and Field of Application: This NWI enables to provide mapping tables to show which security requirements and provisions from the IEC 62443-4-2 and the EN 303 645, respectively, cover the specific requirements from the standardization request for the RED articles 3(3)(d), 3(3)(e) and 3(3)(f) and are therefore relevant to fulfill the essential requirements given by the RED articles 3(3)(d), 3(3)(e) and 3(3)(f) (see alignment documents as additional contribution).
Supporting Organizations: Sporton International Inc, Schneider Electric Industries, umlaut, OPPO
ETSI TS 103 929 V1.1.1 (2023-02)
https://www.etsi.org/deliver/etsi_ts/103900_103999/103929/01.01.01_60/ts_103929v010101p.pdf
Cyber Security (CYBER);
Mapping of specific requirements of standardization request
for RED articles 3(3)(d), 3(3)(e) and 3(3)(f) to IEC 62443-4-2
requirements and to ETSI EN 303 645 provisions
According to the standardization request [i.5], harmonised standards (hENs) are to be developed for the articles 3(3)(d), 3(3)(e) and 3(3)(f) of the Radio Equipment Directive (RED) [i.1]. Due to the adoption of the delegated act [i.2], the essential requirements given in the RED articles 3(3)(d), 3(3)(e) and 3(3)(f) will come into force on the 1st of August 2024.
It is understood that requirements from IEC 62443-4-2 [i.4] and the provisions from ETSI EN 303 645 [i.3] address many products that fall under the scope of the RED articles 3(3)(d), 3(3)(e) and 3(3)(f). The ETSI EN 303 645 [i.3] goes even beyond the scope of the RED [i.1] as the ETSI EN 303 645 [i.3] does not only cover product-related requirements, but also process-related requirements addressing the manufacturer.
The present document provides mapping tables to show which security requirements and provisions from the IEC 62443-4-2 [i.4] and the ETSI EN 303 645 [i.3], respectively, cover the specific requirements from the standardization request for the RED articles 3(3)(d), 3(3)(e) and 3(3)(f) and are therefore relevant to fulfil the essential requirements given by the RED articles 3(3)(d), 3(3)(e) and 3(3)(f). In addition, so-called transition requirements are provided which help and are to be considered for implementing the transition from product conformity based on provisions from ETSI EN 303 645 [i.3] and/or requirements from IEC 62443-4-2 [i.4] to product conformity based on the RED Delegated Regulation [i.2].
Tomi Engdahl says:
Squeezing Secrets Out Of An Amazon Echo Dot
https://hackaday.com/2023/04/01/squeezing-secrets-out-of-an-amazon-echo-dot/
As we have seen time and time again, not every device stores our sensitive data in a respectful manner. Some of them send our personal data out to third parties, even! Today’s case is not a mythical one, however — it’s a jellybean Amazon Echo Dot, and [Daniel B] shows how to make it spill your WiFi secrets with a bit of a hardware nudge.
There have been exploits for Amazon devices with the same CPU, so to save time, [Daniel] started by porting an old Amazon Fire exploit to the Echo Dot. This exploit requires tactically applying a piece of tin foil to a capacitor on the flash chip power rail, and it forces the Echo to surrender the contents of its entire filesystem, ripe for analysis. Immediately, [Daniel] found out that the Echo keeps your WiFi passwords in plain text, as well as API keys to some of the Amazon-tied services.
Found an old Echo Dot at a garage sale or on eBay? There might just be a WiFi password and a few API keys ripe for the taking, and who knows what other kinds of data it might hold. From Amazon service authentication keys to voice recognition models and maybe even voice recordings, it sounds like getting an Echo to spill your secrets isn’t all that hard.
“Alexa, what is my wifi password?”
https://dragon863.github.io/blog/alexa.html
Tomi Engdahl says:
The 2022 IoT Security Checklist
https://www.particle.io/iot-guides-and-resources/iot-security-checklist/
Tomi Engdahl says:
https://www.researchgate.net/figure/Security-levels-of-IoT-architecture_fig1_331298498
Tomi Engdahl says:
Your must-have IoT security checklist: ENISA’s online tool for IoT and Smart Infrastructures Security
https://www.enisa.europa.eu/news/enisa-news/your-must-have-iot-security-checklist-enisas-online-tool-for-iot-and-smart-infrastructures-security
ENISA releases today an online tool aimed at guiding IoT operators and industries of IoT and Smart Infrastructure when conducting risk assessments.
The tool, available at https://www.enisa.europa.eu/iot-tool , will help users save time when identifying threats and prioritising security areas of importance.
The tool provides a combined view of the security good practices that ENISA has been developing for the last years to secure IoT, Industry 4.0 and Smart Infrastructures, such as smart cars, smart airports, smart hospitals, and smart cities. The information provided through this tool for each thematic area reflects the information comprised in corresponding ENISA reports that have been released in the past.
The tool allows drawing comparisons between different IoT sectors, since the same ENISA threat taxonomy has been used when defining security measures.
When implementing IoT, each parameter or filter of the tool addresses the following issues:
What are the threat groups from which you want to protect your organisation?
What are the security domains you want to cover?
What security measures categories are you looking for?
Which security standards and best practices would you like to take into account when securing IoT in your organisation?
On the main webpage, the users of this tool can select the thematic area of interest and then identify the pertinent threats, standards or security measures. The tool accepts one or multiple search criteria to generate results that are most relevant to the users’ needs. Users can navigate through the list to find the Security Measures they seek, according to specific filters, such as Security Measures Category, Security Domains, Threat Groups or even Specific Standards. Additionally, the tool offers the option of either printing or exporting search results for further use.
Tomi Engdahl says:
8 Cybersecurity Steps When Designing an IoT Device: A Checklist
https://bgnetworks.com/8-cybersecurity-steps-when-designing-an-iot-device-a-checklist/
What is on your IoT Cybersecurity checklist? This question was posed by the folks at The Device Chronicle which led to a very interesting dialog. Below is a summary of that conversation discussing eight cybersecurity steps to consider when designing an IoT device. For additional information, check out our definitive IoT cybersecurity checklist on The Device Chronicle.
8 Cybersecurity Steps For an IoT Device
Here are the eight key cybersecurity steps developers should consider when designing an IoT device.
Consider the lifecycle of the device
Embrace IoT security by design
Perform a threat/risk analysis
Follow NIST IoT cybersecurity recommendations
Leverage processor security features or a Trusted Platform Module
Keep keys and code secure
Monitor and maintain the IoT device’s cybersecurity state
Prepare for End of Life (EOL)
Tomi Engdahl says:
Hackers can open Nexx garage doors remotely, and there’s no fix https://www.bleepingcomputer.com/news/security/hackers-can-open-nexx-garage-doors-remotely-and-theres-no-fix/
Multiple vulnerabilities discovered in Nexx smart devices can be exploited to control garage doors, disable home alarms, or smart plugs. There are five security issues disclosed publicly, with severity scores ranging from medium to critical, that the vendor has yet to acknowledge and fix. The most significant discovery is the use of universal credentials that are hardcoded in the firmware and also easy to obtain from the client communication with Nexx’s API. A video showing the impact of the security flaw, tracked as CVE-2023-1748, is available below. It could be used to open any Nexx-controlled garage door
Tomi Engdahl says:
https://www.popsci.com/technology/nexx-garage-door-cyber-vulnerability/