The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner‘s market researchers, global spending on IoT security will increase to $1.5 billion this year.

1,735 Comments

  1. Tomi Engdahl says:

    U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches https://www.cisa.gov/news-events/news/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches
    The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands,. and New Zealand (CERT NZ, NCSC-NZ) published today “Shifting the Balance of Cybersecurity Risk:
    Principles and Approaches for Security-by-Design and -Default.”. This joint guidance urges software manufacturers to take urgent steps necessary to ship products that are secure-by-design and -default. To create a future where technology and associated products are safe for customers,. the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and
    - -default products to be shipped to customers.

    Reply
  2. Tomi Engdahl says:

    Press Release
    U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches  
    https://www.cisa.gov/news-events/news/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches

     WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand (CERT NZ, NCSC-NZ

    ) published today “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” This joint guidance urges software manufacturers to take urgent steps necessary to ship products that are secure-by-design and -default.  To create a future where technology and associated products are safe for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers. 

     This guidance, the first of its kind, is intended to catalyze progress toward further investments and cultural shifts necessary to achieve a safe and secure future. In addition to specific technical recommendations, this guidance outlines several core principles to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products, including:  

    Take ownership of the security outcomes of their technology products, shifting the burden of security from the customers. A secure configuration should be the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors. 
    Embrace radical transparency and accountability—for example, by ensuring vulnerability advisories and associated common vulnerability and exposure (CVE) records are complete and accurate. 
    Build the right organizational structure by providing executive level commitment for software manufacturers to prioritize security as a critical element of product development.  

    “Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,”

    “Cyber security cannot be an afterthought,” said Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre. “Consumers deserve products that are secure from the outset. Strong and ongoing engagement between government, industry and the public is vital to putting cyber security at the centre of the technology design process.”

    Secure by Design, Secure by Default
    https://www.cisa.gov/securebydesign

    It’s time to build cybersecurity into the design and manufacture of technology products.
    Find out here what it means to be secure by design and secure by default.

    As America’s Cyber Defense Agency, CISA is charged with defending our nation against ever-evolving cyber threats and to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. But, as we introduce more unsafe technology to our lives, this has become increasingly difficult.

    Government cannot solve this problem alone. Technology manufacturers must increasingly embrace their role in putting consumer safety first. Technology providers and software developers must take the first step to shift this burden by claiming ownership of their customers’ security outcomes.

    What it Means to Be Secure by Design and Secure by Default

    Every technology provider must take ownership at the executive level to ensure their products are both secure by design and secure by default.

    What is Secure by Design?

    Secure by Design products are those where the security of the customers is a core business requirement, not just a technical feature. Secure by Design principles should be implemented during the design phase of a product’s development lifecycle to dramatically reduce the number of exploitable flaws before they are introduced to the market for broad use or consumption.

    What is Secure by Default?

    Secure by Default products are those that are secure to use out of the box, with little to no configuration changes and are available at no additional cost, such as multi-factor authentication (MFA), gather and log evidence of potential intrusions, and control access to sensitive information.

    Reply
  3. Tomi Engdahl says:

    CISA Introduces Secure-by-design and Secure-by-default Development Principles
    https://www.securityweek.com/cisa-introduces-secure-by-design-and-secure-by-default-development-principles/

    CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.

    CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.

    Pillar Three of the National Cybersecurity Strategy published on March 1, 2023 is titled ‘Shape market forces to drive security and resilience’. Within this section the Administration makes two points very clear. Firstly, security liability must be shifted away from the use of security products to the development of security products; and secondly, federal procurement power will be used to encourage this shift.

    Both points were previewed in a speech given by CISA director Jen Easterly at Carnegie Mellon days earlier (February 27, 2023). She noted that insecurity has become normalized, and that the onus is currently on the user to make use of products less risky. She said this must change, so that the user is forced into making usage more rather than less risky.

    Reply
  4. Tomi Engdahl says:

    ICs Protect System Infrastructure from Rogue Data
    April 19, 2023
    The MAXQ1065 ultra-low-power cryptographic controller with ChipDNA for embedded devices offers cryptographic functions for root of trust, authentication, secure boot and firmware updates, encryption, and TLS support.
    https://www.electronicdesign.com/technologies/embedded/security/video/21263744/ics-protect-system-infrastructure-from-rogue-data?utm_source=EG+ED+Connected+Solutions&utm_medium=email&utm_campaign=CPS230413100&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R

    Reply
  5. Tomi Engdahl says:

    2601 Series Super-Compact PCB Terminal Blocks
    WAGO’s terminal blocks with 3.5 mm pin spacing take up very little board space by connecting both vertically and horizontally to the PCB

    https://www.digikey.com/en/product-highlight/w/wago/2601-series-pcb-terminal-blocks?dclid=CN7j4Y_rt_4CFboPogMdrwIEOQ

    Reply
  6. Tomi Engdahl says:

    PUF Away For Hardware Fingerprinting
    https://hackaday.com/2023/04/17/puf-away-for-hardware-fingerprinting/

    Despite the rigorous process controls for factories, anyone who has worked on hardware can tell you that parts may look identical but are not the same. Everything from silicon defects to microscopic variations in materials can cause profoundly head-scratching effects. Perhaps one particular unit heats up faster or locks up when executing a specific sequence of instructions and we throw our hands up, saying it’s just a fact of life. But what if instead of rejecting differences that fall outside a narrow range, we could exploit those tiny differences?

    This is where physically unclonable functions (PUF) come in. A PUF is a bit of hardware that returns a value given an input, but each bit of hardware has different results despite being the same design. This often relies on silicon microstructure imperfections. Even physically uncapping the device and inspecting it, it would be incredibly difficult to reproduce the same imperfections exactly. PUFs should be like the ideal version of a fingerprint: unique and unforgeable.

    Reply
  7. Tomi Engdahl says:

    Arbitrary Code Execution Over Radio
    https://hackaday.com/2023/04/07/arbitrary-code-execution-over-radio/

    Computers connected to networks are constantly threatened by attackers who seek to exploit vulnerabilities wherever they can find them. This risk is particularly high for machines connected to the Internet, but any network connection can be susceptible to attacks. As highlighted by security researcher and consultant [Rick Osgood], even computers connected to nothing more than a radio can be vulnerable to attacks if they’re using certain digital modes of communication.

    The vulnerability that [Rick] found involves exploiting a flaw in a piece of software called WinAPRS. APRS is a method commonly used in the amateur radio community for sending data over radio, and WinAPRS allows for this functionality on a PC. He specifically sought out this program for vulnerabilities since it is closed-source and hasn’t been updated since 2013. After some analysis, he found a memory bug which was used to manipulate the Extended Instruction Pointer (EIP) register which stores the memory address of the next instruction to be executed by the CPU. This essentially allows for arbitrary code execution on a remote machine via radio.

    The exploit was found while using Windows XP because it lacks some of the more modern memory protection features of modern operating systems, but the exploit does still work with Windows 10, just not as reliably and with a bit of extra effort required.

    Hacking Ham Radio: WinAPRS – Part 1
    https://www.coalfire.com/the-coalfire-blog/hacking-ham-radio-winaprs-part1

    Reply
  8. Tomi Engdahl says:

    Just Released – Dragos’s Latest ICS/OT Cybersecurity Year in Review Is Now Available
    Dragos, Inc.
    https://www.dragos.com/blog/industry-news/2022-dragos-year-in-review-now-available/

    In 2022, breakthrough evolution in the development of malware targeting industrial control systems (ICS), scaled ransomware attacks against manufacturing, and geopolitical tensions brought increased attention to the industrial cyber threat landscape. As in previous years, the ICS/OT community has managed a growing number of vulnerabilities, many without the right mitigations needed to reduce risk and maintain operations. Meanwhile electric grids, oil and gas pipelines, water systems, and manufacturing plants continued to struggle with more complex regulatory environments that demand marked progress in shoring up defenses.

    https://hub.dragos.com/hubfs/312-Year-in-Review/2022/Dragos_Year-In-Review-Report-2022.pdf?hsLang=en

    Reply
  9. Tomi Engdahl says:

    Man-on-the-side – peculiar attack

    What is a man-on-the-side attack, and how does it differ from a man-in-the-middle attack?

    https://www.kaspersky.com/blog/man-on-the-side/47125/

    Reply
  10. Tomi Engdahl says:

    Christian Vasquez / CyberScoop:
    A group of operational technology cybersecurity vendors launches ETHOS, an open-source portal to share early warnings about threats to critical infrastructure

    Industrial security vendors partner to share intelligence about critical infrastructure threats
    https://cyberscoop.com/emerging-threat-open-sharing-industrial-cybersecurity/

    The biggest companies working in industrial cybersecurity are building an early-warning platform called ETHOS to share threat intelligence.

    Some of the largest operational technology cybersecurity vendors are building an open-sourced, opt-in threat intelligence sharing portal to provide early warnings about threats to critical infrastructure.

    The platform called Emerging THreat Open Sharing, or ETHOS, is designed to break down information gaps that occur because organizations don’t have access to the same information about the latest hacks or vulnerabilities that could affect the entire energy sector, pipeline operators or other industrial sectors.

    “The majority of the threat intelligence is contained within vendor silos,” said Andrea Carcano, co-founder and chief product officer at Nozomi Networks. “We’re not looking to be disruptive from that perspective. We’re looking to elevate the game. Your intelligence will always be limited by what you can see and it doesn’t matter how big your market share is.”

    The overall lack of visibility into critical networks has been a longstanding concern in the U.S. Due to this issue, the Biden administration has led multiple “sprints” to increase visibility among various critical industries. The ETHOS effort that includes well-known cybersecurity firms that operate in critical infrastructure space such as 1898 & Co., Dragos, Claroty, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable and Waterfall Security is one of the most significant industry initiatives to raise awareness across the entire sector.

    The OT-centric, open-source platform for sharing anonymous early warning threat information
    https://www.ethos-org.io/

    Publicly launched on April 24, 2023, ETHOS is a cooperative development in the OT security industry, with the goal of sharing data to investigate early threat indicators and discover new and novel attacks.

    Reply
  11. Tomi Engdahl says:

    New Data Sharing Platform Serves as Early Warning System for OT Security Threats
    https://www.securityweek.com/new-data-sharing-platform-serves-as-early-warning-system-for-ot-security-threats/

    Several OT cybersecurity firms have teamed up to create an information sharing platform designed to serve as an early warning system for critical infrastructure.

    Several cybersecurity companies specializing in industrial control systems (ICS) and other operational technology (OT) have teamed up to create an open source information sharing platform that is designed to serve as an early warning system for critical infrastructure.

    The new project, named ETHOS (Emerging THreat Open Sharing), is a vendor-agnostic technology platform for sharing threat information anonymously and in real time across various industries.

    The shared information includes indicators of compromise (IoCs) such as IP addresses, hashes, and domains, which can be useful to defenders for detecting new threats.

    “A real-time, open-source solution that functions almost like a hotline to correlate information from multiple security vendors to identify anomalous behaviors is the most feasible concept for reducing threat actor dwell time and discovering incidents during the reconnaissance phase of potential attacks,” the project’s initiators explained. “The goal for ETHOS is to uncover emerging threats for which there is no threat intelligence available.”

    ETHOS currently has a beta API that provides data sharing functionality, and a server is in development.

    ETHOS is designed specifically for OT/ICS, but the API can be used by any type of cybersecurity solution.

    General membership applications will be available in June 2023. Any individual, organization or security vendor can contribute to the project.

    Reply
  12. Tomi Engdahl says:

    ChatGPT writes insecure code
    https://www.malwarebytes.com/blog/news/2023/04/chatgpt-creates-not-so-secure-code-study-finds/
    Research by computer scientists associated with the Université du Québec in Canada has found that ChatGPT, OpenAI’s popular chatbot, is prone to generating insecure code. “How Secure is Code Generated by ChatGPT?” is the work of Raphaël Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara. The paper concludes that ChatGPT generates code that isn’t robust, despite claiming awareness of its vulnerabilities

    Reply
  13. Tomi Engdahl says:

    Critical Siemens RTU Vulnerability Could Allow Hackers to Destabilize Power Grid
    https://www.securityweek.com/critical-siemens-rtu-vulnerability-could-allow-hackers-to-destabilize-power-grid/

    Siemens recently patched a critical vulnerability affecting some of its energy ICS devices that could allow hackers to destabilize a power grid.

    A critical vulnerability affecting some of Siemens’ industrial control systems (ICS) designed for the energy sector could allow malicious hackers to destabilize a power grid, according to the researchers who found the security hole.

    The vulnerability, tracked as CVE-2023-28489, impacts the CPCI85 firmware of Sicam A8000 CP-8031 and CP-8050 products, and it can be exploited by an unauthenticated attacker for remote code execution. These products are remote terminal units (RTUs) designed for telecontrol and automation in the energy supply sector, particularly for substations.

    Patches are available in firmware versions CPCI85 V05 or later, and the German industrial giant also noted that the risk of exploitation can be reduced by limiting access to the web server on TCP ports 80 and 443 using a firewall.

    In an advisory published on April 11, Siemens said it learned about the flaw from a team of researchers at cybersecurity consultancy SEC Consult, which is now part of Eviden, an Atos business.

    Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek that an attacker who can exploit CVE-2023-28489 can take complete control of a device and they could potentially destabilize a power grid and possibly even cause blackouts by changing critical automation parameters. Threat actors could also leverage the vulnerability to implement backdoors.

    However, the expert noted that since these devices are mostly used in critical infrastructure environments, they are typically ‘strongly firewalled’ and are not accessible directly from the internet.

    “It cannot be ruled out though that some devices might be reachable through 3rd party support access connections or potential misconfigurations,” Greil explained.

    Exploitation of CVE-2023-28489 can allow an attacker who has network access to the targeted device to gain full root access without any prior authentication. Exploitation of the flaw involves sending a specially crafted HTTP request to the targeted RTU.

    The US Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory in April to inform organizations about the vulnerability.

    Greil pointed out that Siemens Sicam products are among the first devices in the world to receive ‘maturity level 4’ certification in the Industrial Cyber Security category. This certification, IEC62443-4-1, indicates that security was an important factor throughout the design and development process and that the product has undergone rigorous testing.

    Siemens CPCI85 Firmware of SICAM A8000 Devices
    https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-07

    https://cert-portal.siemens.com/productcert/txt/ssa-472454.txt

    Automation and remote terminal units – SICAM A8000
    https://www.siemens.com/global/en/products/energy/energy-automation-and-smart-grid/substation-automation/automation-and-remote-terminal-units-sicam-a8000-series.html

    TÜV NORD carries out world’s first Maturity Level 4 certification
    https://www.tuev-nord-group.com/en/newsroom/news/details/article/tuev-nord-carries-out-worlds-first-maturity-level-4-certification/

    TÜV NORD has carried out the world’s first Maturity Level 4 certification in the IECEE scheme in the Industrial Cyber Security (CYBR) category. This testifies to the achievement by Siemens AG’s “Lean Product Lifecycle @ SI EA” system of the highest level of process maturity. This places both Siemens and TÜV NORD at the forefront of certification activities in the globally established IECEE scheme.

    “We congratulate Siemens on its terrific achievement and are pleased to have been able to make qualified use of our technical know-how and the IT expertise of our sister company TÜVIT,” says Matthias Springer, Cluster Manager for Functional Safety & Security at TÜV NORD. TÜV NORD is one of the few providers on the international market to have been accredited by both the German accreditation body (DAkkS) and the international standardisation organisation, the IECEE, to carry out all relevant validations and certifications pursuant to IEC 62443.

    IEC 62443-4-1 is part of a family of standards whose goal is to ensure IT security for industrial automation systems. Companies that use networked components, be they in the control systems for an industrial plant, the control of railway vehicles or the protection technology used in an electricity substation, must protect their communications networks from cyber attacks – and that protection must be verifiable. This is assured by means of the analysis and evaluation of security concepts, measures and product development processes. This process was successfully certified by TÜV NORD at Siemens Smart Infrastructure, Electrification & Automotion (SI EA).

    The IEC 62443 series of standards currently comprises eleven sub-standards. These cover the areas of organisation/processes, system and components alongside procedural and functional requirements. IEC 62443 thus covers the entire industrial spectrum and meets the requirements of operators, integrators and manufacturers alike.

    Reply
  14. Tomi Engdahl says:

    Why Robot Vacuums Have Cameras (and What to Know About Them) https://securityintelligence.com/articles/why-robot-vacuums-have-cameras-what-to-know/
    Robot vacuum cleaner products are by far the largest category of consumer robots. They roll around on floors, hoovering up dust and dirt so we dont have to, all while avoiding obstacles

    Reply
  15. Tomi Engdahl says:

    Google and Apple cooperate to address unwanted tracking https://www.malwarebytes.com/blog/news/2023/05/google-and-apple-take-initiative-to-address-unwanted-tracking
    Google and Apple have announced that they are looking for input from industry participants and advocacy groups on a draft specification to alert users in the event of suspected unwanted tracking. Samsung, Tile, Chipolo, eufy Security, and Pebblebee have stated that they will support the specification in future products. The specification will consist of a set of best practices and protocols for accessory manufacturers whose products have built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Googles expected Grogu

    Reply
  16. Tomi Engdahl says:

    The Attack on Colonial Pipeline: What Weve Learned & What Weve Done Over the Past Two Years https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years
    Today marks two years since a watershed moment in the short but turbulent history of cybersecurity. On May 7, 2021, a ransomware attack on Colonial Pipeline captured headlines around the world with pictures of snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearful of not being able to get to work or get their kids to school

    Reply
  17. Tomi Engdahl says:

    Critical Siemens RTU Vulnerability Could Allow Hackers to Destabilize Power Grid
    https://www.securityweek.com/critical-siemens-rtu-vulnerability-could-allow-hackers-to-destabilize-power-grid/

    Siemens recently patched a critical vulnerability affecting some of its energy ICS devices that could allow hackers to destabilize a power grid.

    Reply
  18. Tomi Engdahl says:

    Hardcoded and Embedded Credentials are an IT Security Hazard – Here’s What You Need to Know
    https://www.beyondtrust.com/blog/entry/hardcoded-and-embedded-credentials-are-an-it-security-hazard-heres-what-you-need-to-know

    Embedded credentials, also often referred to as hardcoded credentials, are plain text credentials in source code. Password/credential hardcoding refers to the practice of embedding plain text (non-encrypted) credentials (account passwords, SSH Keys, DevOps secrets, etc.) into source code.

    However, the practice of hardcoding credentials is increasingly discouraged as it poses formidable security risks that are routinely exploited by malware and hackers. In some cases, a threat actor (perhaps aligned with a nation-state) may insert hardcoded credentials to create a backdoor, allowing them persistent access to a device, application, or system.

    This blog aims to provide an overview of embedded/credentials and will cover where they are commonly found, how hardcoded credentials are used, the risks they pose, the challenges of managing them, and four best practices for addressing embedded credentials across your enterprise.

    Reply
  19. Tomi Engdahl says:

    Password for embedded devices in automatic deployment
    https://security.stackexchange.com/questions/245972/password-for-embedded-devices-in-automatic-deployment

    Choosing between general and embedded passwords
    You have two kinds of passwords you can create: General and Embedded.
    https://support.itglue.com/hc/en-us/articles/360004935677-Choosing-between-general-and-embedded-passwords

    General passwords

    A general password is a password that’s created from the main Passwords section, and then usually linked as a related item to the relevant assets.

    These passwords have many uses, but should always be used whenever you have a password that can be linked to multiple assets. Think one to many relationships.

    For example, you have a password for a domain registrar (such as GoDaddy) that’s associated with several domains. You could create embedded passwords in the relevant assets instead, but each time the same data is entered more than once, it causes a drop in productivity levels and also introduces the risk of data entry error.

    Key benefits of general passwords:

    Eliminates data duplication.
    Reduces risk of accidental deletion.
    Can set security permissions on just the password itself.

    When this kind of password can be particularly useful:

    Active Directory
    Domain registrar
    DNS hosting
    Web hosting

    Embedded passwords

    An embedded password is a password that is created from within configuration items and other assets through an Embedded Passwords section on the side panel.

    You may want to use an embedded password when you have a password that can only be used in one context, such as one device. Think one-to-one relationships.

    When this kind of password may be useful:

    Administrative Web Interface (username, password, and URL) for a firewall or switch
    Local admin account on a Windows server

    Reply
  20. Tomi Engdahl says:

    Passwordless login with passkeys
    https://developers.google.com/identity/passkeys

    To create a passkey for a website or application, a user first must register with that website or application.

    Go to the application and sign in using the existing sign-in method.
    Click Create a passkey button.
    Check the information stored with the new passkey.
    Use the device screen unlock to create the passkey.

    When they return to this website or app to sign in, they can take the following steps:

    Go to the application.
    Click Sign in.
    Select their passkey.
    Use the device screen unlock to complete the login.

    The user’s device generates a signature based on the passkey. This signature is used to verify the login credential between the origin and the passkey.

    A user can sign into services on any device using a passkey, regardless of where the passkey is stored. For example, a passkey created on a mobile phone can be used to sign in to a website on a separate laptop.

    Reply
  21. Tomi Engdahl says:

    Building Automation System Exploit Brings KNX Security Back in Spotlight
    https://www.securityweek.com/building-automation-system-exploit-brings-knx-security-back-in-spotlight/

    A public exploit targeting building automation systems brings KNX security back into the spotlight, with Schneider Electric releasing a security bulletin.

    A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks.

    KNX is a widely used open standard for commercial and residential building automation. It can be used to control security systems, lighting, HVAC, energy management, and many other smart building systems.

    Its developers warned in 2021 that smart building installations, including ones based on KNX, had been increasingly targeted in attacks.

    In one attack reported at the time, aimed at a German engineering company, hackers had taken control of internet-exposed building automation devices and locked the victim’s employees out of the system. For unclear reasons, the attackers had bricked hundreds of automation control devices, causing the building to lose all of its smart functionality.

    In a security bulletin published late last month, Schneider Electric notified customers that it had become aware of the public availability of an exploit targeting KNX home and building automation systems.

    The PoC exploit that Schneider is warning about, published in March, targets the company’s SpaceLynk and Wiser for KNX (formerly HomeLynk) products. However, the French industrial giant said its FellerLynk products are impacted as well.

    The exploit targets two known vulnerabilities: one addressed by the vendor in February 2022 (CVE-2022-22809) and one addressed in August 2020 (CVE-2020-7525).

    Threat actors could use the vulnerabilities to access admin functionality without a password through a directory traversal, or access the administration panel through a brute-force attack.

    The hacker who made public this exploit recently also published PoCs targeting fueling systems.

    Schneider issued a warning over KNX attacks back in 2021 and now says “this new exploit brings further attention to the recommended mitigations in that security bulletin”.

    Reply
  22. Tomi Engdahl says:

    ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities
    https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-few-dozen-vulnerabilities/

    Siemens and Schneider Electric’s Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products.

    Siemens and Schneider Electric’s Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products.

    Siemens

    Siemens has published six new advisories describing 26 vulnerabilities. The company has informed customers about two critical flaws in Siveillance Video products that can be exploited for authenticated remote code execution.

    The Scalance local processing engine (LPE) is affected by one critical and four low-severity issues. The flaws can be exploited to access the underlying operating system with elevated privileges, access data, and cause a DoS condition.

    Several critical and high-severity vulnerabilities have been patched in third-party components used by the Sinec network management system.

    Reply
  23. Tomi Engdahl says:

    Smart devices: using them safely in your home https://www.ncsc.gov.uk/guidance/smart-devices-in-the-home
    Smart devices are the everyday items that connect to the internet.
    This can include both ‘hi-tech’ items (think smart speakers, fitness trackers and security cameras), and also standard household items (such as fridges, lightbulbs and doorbells). Unlike conventional household items, you can’t just switch on a smart device and forget it; you’ll need to check a few simple things to protect yourself. This page explains how to set up and manage your smart devices to keep your home – and your information – safe

    Reply
  24. Tomi Engdahl says:

    Energy Transformation via Cyber-Resilient Smart Grid https://www.trendmicro.com/en_us/research/23/e/energy-transformation-cyber-resilient-smart-grid.html
    As the need for reliable and affordable energy sources grows, countries worldwide are increasingly turning to smart grids. Smart grids revolutionize how society accesses energy, enabling higher efficiency, reliability, and cost-effective management of energy resources. But these advancements come with a risksmart grid infrastructures are highly vulnerable to cyberattacks, leading to costly consequences if left unprotected. Drawing on the Achieving Energy Transformation: Building a Cyber Resilient Smart Grid – Report released on April 2023 from TXOne Networks, a Trend Micro’s affiliated company dedicated to OT security. This blog will discuss key vulnerabilities in smart grids. It also discusses the associated cybersecurity standards and countermeasures that must be taken to protect this vital infrastructure from malicious activities

    Reply
  25. Tomi Engdahl says:

    An Overview Of Supply Chain Attacks And Protection Strategies https://www.forbes.com/sites/davidbalaban/2023/05/13/an-overview-of-supply-chain-attacks-and-protection-strategies/
    As corporations have been stepping up their security measures, hacker groups have shifted their focus toward software vendors and various system providers. The frequency of supply chain attacks has multiplied several times compared to what it was in 2020. The concept of a Supply Chain Attack revolves around hijacking an organization’s IT infrastructure via third-party vendors. By securing initial access to, say, a vendor’s code management or version control systems, attackers can disseminate their malicious software while masquerading as a legitimate application. Since the company does not have direct control over all its suppliers, it is virtually impossible to fully safeguard against such threats

    Reply
  26. Tomi Engdahl says:

    Chaining Five Vulnerabilities to Exploit Netgear Nighthawk RAX30 Routers at Pwn2Own Toronto 2022
    https://claroty.com/team82/research/chaining-five-vulnerabilities-to-exploit-netgear-nighthawk-rax30-routers-at-pwn2own-toronto-2022
    The Internet of Things (IoT) has become an increasingly popular target for cyber attacks in recent years because these devices are often poorly secured and can be easily compromised. To highlight the vulnerabilities of IoT devices and encourage better security practices from manufacturers, the Zero Day Initiative (ZDI) organized a Pwn2Own competition last fall in Toronto that focused on hacking into IoT devices such as printers, network-attached storage (NAS) devices, routers, and smart speakers. This competition brought together experienced hackers to demonstrate their skills in finding and exploiting vulnerabilities in these devices. Here, we will explore the research we conducted on the Netgear RAX30 router, below, for the Pwn2Own competition

    Reply
  27. Tomi Engdahl says:

    https://hackaday.com/2023/05/12/this-week-in-security-tpm-and-bootguard-drones-and-coverups/

    And to cap off the week’s news, Home Assistant had a nasty one, where an unauthenticated user can access the Supervisor API. The bug is a sneaky path traversal that bypasses an authentication check regex. Check it yourself, by fetching http://a.b.c.d:8123/api/hassio/app/.%252e/supervisor/info on your Home Assistant install. The fixes have been bypassed a couple of times, and it’s release 2023.03.3 that’s safe to use, for now.

    https://www.elttam.com/blog/pwnassistant/

    This write-up describes a vulnerability (CVE-2023-27482) found in Home Assistant, a popular open source home automation software. The original vulnerability was found to affect versions before 2023.3.0 where a mitigation is introduced. Bypasses were discovered which meant the vulnerable versions include Home Assistant Core 2023.3.0 and 2023.3.1 and Home Assistant Supervisor 2023.03.2. Home Assistant installations running Home Assistant Core 2023.3.2 or later, and Home Assistant Supervisor 2023.03.3 or later are not affected.
    https://github.com/elttam/publications/blob/master/writeups/home-assistant/supervisor-authentication-bypass-advisory.md

    Reply
  28. Tomi Engdahl says:

    PSA: time to recycle your old Wemo smart plugs (if you haven’t already) https://www.theverge.com/2023/5/16/23725290/wemo-smart-plug-v2-smart-home-security-vulnerability

    Security researchers at Sternum report they’ve found an exploitable vulnerability in the Wemo Smart Plug Mini V2 (via 9to5Mac). The plug debuted in 2019, offering cross-platform compatibility with Apple HomeKit, Google Assistant, and Alexa.

    The bug would let a savvy hacker gain remote command of your Wemo plug by circumventing the Wemo app with a community-made Python app called PyWeMo. Once connected, an attacker can change the device name to something with more than 30 characters, resulting in a buffer overflow that allows the attacker to inject commands remotely.

    When Sternum disclosed the vulnerability to Belkin, it was told that since the device was at the end of its life, it would not be receiving a fix. Sternum then reported the issue to not-for-profit cybersecurity org The Mitre Corporation, which then created CVE-2023-27217.

    Reply
  29. Tomi Engdahl says:

    Not An Afterthought: Security By Design
    https://www.forbes.com/sites/emilsayegh/2023/05/16/not-an-afterthought-security-by-design/

    Recent incidents such as the ChatGPT software leak and the Activision Blizzard data breach highlight the urgent need for enhanced cybersecurity measures to be built in at every level of application and software development. Security must be built into the core of any product or technological advancement during the early stages of design.

    Unfortunately, many software companies still treat cybersecurity as an afterthought.
    They often focus on developing and releasing products and services quickly with security added along the way, or even worse after everything else has been completed.

    This approach can be disastrous, as demonstrated by countless cyberattacks capitalizing on substandard security measures. These attacks serve as a reminder of how crucial it is that security is built-in from the very beginning of the development process.

    Reply
  30. Tomi Engdahl says:

    Teltonika Vulnerabilities Could Expose Thousands of Industrial Organizations to Remote Attacks
    https://www.securityweek.com/teltonika-vulnerabilities-could-expose-thousands-of-industrial-orgs-to-remote-attacks/

    Critical vulnerabilities found in Teltonika products by industrial cybersecurity firms Otorio and Claroty expose thousands of internet-exposed devices to attacks.

    Researchers at industrial cybersecurity companies Otorio and Claroty have teamed up to conduct a detailed analysis of products made by Teltonika and found potentially serious vulnerabilities that can expose many organizations to remote hacker attacks.

    Teltonika Networks is a Lithuania-based company that makes LTE routers, gateways, modems and other networking solutions that are used worldwide in the industrial, energy, utilities, smart city, transportation, enterprise, and retail sectors.

    Researchers at Otorio and Claroty have analyzed the company’s RUT241 and RUT955 cellular routers, as well as the Teltonika Remote Management System (RMS), a platform that can be deployed on-premises or in the cloud for monitoring and managing connected devices.

    The research resulted in the discovery of eight types of security holes, which the US Cybersecurity and Infrastructure Security Agency (CISA) described briefly in an advisory published on May 11.

    The vendor has been notified and it has released patches for both the RMS platform and the RUT routers.

    https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08

    Reply
  31. Tomi Engdahl says:

    CISA: Several Old Linux Vulnerabilities Exploited in Attacks
    https://www.securityweek.com/cisa-several-old-linux-vulnerabilities-exploited-in-attacks/

    Several old Linux vulnerabilities for which there are no public reports of malicious exploitation have been added to CISA’s KEV catalog

    The US Cybersecurity and Infrastructure Security Agency (CISA) has added several Linux and Linux-related flaws to its known exploited vulnerabilities (KEV) catalog.

    The agency added seven new vulnerabilities to its KEV catalog on Friday: Ruckus AP remote code execution (CVE-2023-25717), Red Hat Polkit privilege escalation (CVE-2021-3560), Linux kernel privilege escalations (CVE-2014-0196 and CVE-2010-3904), Jenkins UI information disclosure (CVE-2015-5317), Apache Tomcat remote code execution (CVE-2016-8735), and an Oracle Java SE and JRockit issue (CVE-2016-3427).

    The Ruckus product vulnerability has been exploited by a DDoS botnet named AndoryuBot.

    Reply
  32. Tomi Engdahl says:

    Toyota: Data on More Than 2 Million Vehicles in Japan Were at Risk in Decade-Long Breach
    https://www.securityweek.com/toyota-data-on-more-than-2-million-vehicles-in-japan-were-at-risk-in-decade-long-breach/

    A decade-long data breach in Toyota’s online service put some information on more than 2 million vehicles at risk.

    Reply
  33. Tomi Engdahl says:

    This New Era of Security Requires Secure Networking, Vendor Consolidation, and Focus on OT
    https://www.securityweek.com/this-new-era-of-security-requires-secure-networking-vendor-consolidation-and-a-focus-on-ot/

    The convergence of networking and security, the consolidation of technology vendors, and a focus on OT security are essential underpinnings of any organization’s success.

    Reply
  34. Tomi Engdahl says:

    The problem isn’t new, but the product may be too old for the manufacturer to bother fixing—however, there are some other work-arounds that can address this issue.

    Wemo won’t fix Smart Plug vulnerability allowing remote operation
    https://arstechnica.com/gadgets/2023/05/wemo-wont-fix-smart-plug-vulnerability-allowing-remote-operation/?utm_brand=ars&utm_medium=social&utm_social-type=owned&utm_source=facebook

    Tricking a plug with a too-long name could lead to buffer overflows, injections.

    IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm’s blog post is full of interesting details about how this device works (and doesn’t), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit—a limit enforced solely by Wemo’s own apps—with third-party tools. Inside that overflow you could inject operable code. If your Wemo is connected to the wider Internet, it could be compromised remotely.

    https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/

    Reply
  35. Tomi Engdahl says:

    Energy Transformation via Cyber-Resilient Smart Grid
    https://www.trendmicro.com/en_us/research/23/e/energy-transformation-cyber-resilient-smart-grid.html

    Learn more about smart grid vulnerabilities and how organizations can future-proof their enterprises

    As the need for reliable and affordable energy sources grows, countries worldwide are increasingly turning to smart grids. Smart grids revolutionize how society accesses energy, enabling higher efficiency, reliability, and cost-effective management of energy resources. But these advancements come with a risk—smart grid infrastructures are highly vulnerable to cyberattacks, leading to costly consequences if left unprotected.

    Drawing on the Achieving Energy Transformation: Building a Cyber Resilient Smart Grid

    Report released on April 2023 from TXOne Networks, a Trend Micro’s affiliated company dedicated to OT security. This blog will discuss key vulnerabilities in smart grids. It also discusses the associated cybersecurity standards and countermeasures that must be taken to protect this vital infrastructure from malicious activities.

    Renewable power generation

    Renewable power generation, such as wind and solar, plays a critical role in the smart grid, but they also introduce new vulnerabilities that attackers can exploit. The following are some of the vulnerabilities associated with renewable power generation:

    Vulnerabilities in Wind Power Control Equipment: Wind turbines are controlled by industrial control systems that may have vulnerabilities that attackers can exploit. For example, attackers could manipulate the control systems to change the output of the wind turbines, causing imbalances in the grid and potentially leading to blackouts.
    Vulnerabilities in Solar Power Generation: Solar power generation systems also rely on industrial control systems, which may have vulnerabilities that attackers can exploit. For example, attackers could manipulate the control systems to cause the solar panels to overproduce or underproduce energy, causing imbalances in the grid.

    Distribution Automation (DA) and Feeder Automation (FA)

    These are critical components of the smart grid that automate power distribution from the substation to customers. However, they are also vulnerable to attacks due to the following reasons:

    Insecure Industrial Control Protocols: DA and FA systems use industrial control protocols that may not have security features, making them vulnerable to attacks. For example, attackers could use unauthenticated commands to manipulate the DA and FA systems, causing power outages or other disruptions.
    Risk of Remote Service Vulnerabilities: Many DA and FA systems are connected to remote services, such as cloud-based applications, which can be vulnerable to attacks. Attackers could exploit vulnerabilities in these remote services to gain access to the DA and FA systems and cause disruptions.

    Energy Storage System Management

    It is an essential component of the smart grid that enables the storage of excess energy from renewable sources for later use. However, they are also vulnerable to attacks due to the following reasons:

    Insecure Communication Protocols: Energy storage systems use communication protocols to communicate with other smart grid components. These protocols may not have security features, making them vulnerable to attacks. For example, attackers could intercept the communication between the energy storage system and other smart grid components, leading to unauthorized access or control of the system.
    Physical Security Risks: Energy storage systems may be located in remote or unsecured locations, making them vulnerable to physical attacks. Attackers could damage or destroy the energy storage systems, leading to power outages or other disruptions.

    Advanced Metering Infrastructure (AMI) Management System

    This is another critical component of the smart grid that enables collecting and transmitting energy usage data from smart meters to utilities. However, they are also vulnerable to attacks due to the following reasons:

    Insecure Communication Protocols: AMI systems use communication protocols to transmit data between smart meters and utilities. These protocols may not have security features, making them vulnerable to attacks. For example, attackers could intercept the communication between the smart meters and utilities, leading to unauthorized access or control of the system.
    Unauthorized Access: AMI systems may be accessible to unauthorized personnel, making them vulnerable to attacks. Attackers could gain physical access to the AMI systems and tamper with the smart meters or the data collected by the system.

    Addressing these vulnerabilities is crucial for the resilience and security of the smart grid. Implementing robust cybersecurity measures can significantly mitigate these vulnerabilities and safeguard against cyber threats.

    Reply
  36. Tomi Engdahl says:

    Air-Gapped Networks (Part 2): Moving Information
    May 11, 2023
    The ability to import, export, transport, and share information is extremely important, even for air-gapped networks.
    https://www.electronicdesign.com/technologies/industrial/article/21265747/digistor-airgapped-networks-part-2-moving-information?utm_source=EG+ED+Connected+Solutions&utm_medium=email&utm_campaign=CPS230504075&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R

    Reply
  37. Tomi Engdahl says:

    New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
    https://www.securityweek.com/new-honeywell-ot-cybersecurity-solution-helps-identify-vulnerabilities-threats/

    Honeywell announces the launch of Cyber Insights, a solution designed to help organizations identify vulnerabilities and threats in their OT environments.

    Honeywell on Tuesday announced the launch of a new OT cybersecurity solution designed to help organizations identify vulnerabilities and threats in their facilities.

    Part of its Forge cybersecurity offering, the new Cyber Insights solution collects data from Honeywell products and various existing third-party security solutions, including data on vulnerabilities, security events, potential threats, and compliance issues.

    The generated data can be used for OT-specific threat hunting and for conducting investigations.

    The on-premises solution includes subscription software installed in the OT environment, a one-time deployment service, and technical support services.

    Cyber Insights provides curated near real-time and historical information that can be leveraged by on-site staff. Alternatively, organizations can forward the log data to an off-site SOC or to a managed security services provider, such as Honeywell.

    Honeywell pointed out that since the new solution is specifically designed for OT systems, it checks the system load and the analysis and correlation of the collected data is done on a dedicated server instead of the OT assets themselves in order to avoid causing any disruption.

    In terms of compliance, Cyber Insights is designed to monitor assets against user-defined policies, CIS benchmarks, and NIST 800-53 requirements.

    https://www.honeywellforge.ai/us/en/solutions/products/ot-cybersecurity/cyber-insights

    Reply
  38. Tomi Engdahl says:

    What Wireless Network Standards Will Rule the Smart Home?
    May 18, 2023
    Wireless network protocols that are available for smart-home applications today won’t necessarily be the most widely adopted in the future. Here’s a look at Zigbee, Bluetooth, Wi-Fi, Matter, and Thread.
    https://www.electronicdesign.com/technologies/communications/article/21266261/insight-sip-what-wireless-network-standards-will-rule-the-smart-home?utm_source=EG+ED+Update:+Power+and+Analog&utm_medium=email&utm_campaign=CPS230519042&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R

    Reply
  39. Tomi Engdahl says:

    USA ja Microsoft varoittavat: Kiinaan liitetty kyberryhmä tunkeutui kriittisiin järjestelmiin https://www.hs.fi/ulkomaat/art-2000009609582.html
    Yhdysvallat, useat sen liittolaismaat ja laitevalmistaja Microsoft varoittavat, että Kiinan valtioon liitetty kybertoimija Volt Typhoon on onnistunut tunkeutumaan Yhdysvaltain kriittiseen infrastruktuuriin verkossa, ja että vastaavaa toimintaa voi olla käynnissä muissakin maissa. Yhdysvaltojen, Britannian, Kanadan, Australian ja Uuden-Seelannin viranomaiset kertoivat havainnosta yhteisessä kyberturvallisuuden tiedonannossaan

    Reply
  40. Tomi Engdahl says:

    New Russian-linked CosmicEnergy malware targets industrial systems https://www.bleepingcomputer.com/news/security/new-russian-linked-cosmicenergy-malware-targets-industrial-systems/
    Mandiant security researchers have discovered a new malware called CosmicEnergy designed to disrupt industrial systems and linked to Russian cybersecurity outfit Rostelecom-Solar (formerly Solar Security). The malware specifically targets IEC-104-compliant remote terminal units (RTUs) commonly used in electric transmission and distribution operations across Europe, the Middle East, and Asia

    Reply
  41. Tomi Engdahl says:

    Cyberwarfare
    Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
    https://www.securityweek.com/microsoft-catches-chinese-gov-hackers-in-guam-critical-infrastructure-orgs/

    In a campaign called Volt Typhoon, Microsoft says Chinese government hackers were siphoning data from critical infrastructure organizations in Guam, a U.S. territory in the Pacific Ocean.
    Rohan Goswami / CNBC:
    Microsoft says Chinese state-sponsored hackers compromised “critical infrastructure organizations” across US industries, with a focus on gathering intelligence — – Chinese state-sponsored hackers have compromised “critical” cyber infrastructure in a variety of industries …
    Microsoft warns that China hackers attacked U.S. infrastructure
    https://www.cnbc.com/2023/05/24/microsoft-warns-that-china-hackers-attacked-us-infrastructure.html
    Chinese state-sponsored hackers have compromised “critical” cyber infrastructure in a variety of industries, including government and communications organizations, Microsoft said Wednesday.
    The hacking group is codenamed”Volt Typhoon,” and has been in operation since 2021.
    Impacted parties have already been notified.

    Reply
  42. Tomi Engdahl says:

    MedTech devices and connectivity – exciting opportunities, tightening regulations
    https://www.etteplan.com/stories/medtech-connectivity-exciting-opportunities-tightening-regulations

    The requirements placed on MedTech products with connectivity are increasing. This is due to regulations such as the European Union’s Medical Device Regulation (MDR), the new Data Act, and stricter cyber security requirements in health care.

    Reply
  43. Tomi Engdahl says:

    Google Issues Android TV Security Warning https://www.forbes.com/sites/daveywinder/2023/05/30/google-issues-security-warning-for-android-tv-users/

    Google has issued a warning to users of Android TV OS devices to be aware that some TV boxes are not what they appear, certainly when it comes to the security implications for their users.

    In an official Google Android TV OS support forum posting, a Google employee confirms that the company has “recently received questions regarding TV boxes that are built with Android Open Source Project and are being marketed to appear as Android TV OS devices.”

    However, as we all know, appearances can be deceptive. Even though, the warning continues, these may have Google apps and even the Play Store installed, that doesn’t mean these are licensed by Google. Which means, it continues, “these devices are not Play Protect certified.”

    Alkup.
    https://support.google.com/androidtv/thread/217840369?hl=en&sjid=6644248032415929751-NA

    Reply
  44. Tomi Engdahl says:

    Medical devices with connectivity features improve patient care greatly. However, connectivity also presents a vulnerability to cybersecurity incidents. This article goes into detail about the growing market of connected medical devices and the constraints posed by cybersecurity requirements and regulations.

    #IoMT #MedicalDevices #HealthTech #EngineeringWithADifference

    https://www.etteplan.com/stories/medtech-connectivity-exciting-opportunities-tightening-regulations?utm_source=facebook&utm_medium=paid&utm_campaign=SES_Medtech_23-05-06_en&utm_content=article_medtech-connectivity-exciting-opportunities-tightening-regulations&fbclid=IwAR2zyK6yF5eeZDwevUuulOc1fsmsVVn4Lwai7EBOwxUiLRUqYRTVHYCLOy4_aem_th_AUwwgfnj5km7c-ABHw_ITErXH5Wrg4EfNdvJMBDxnJIgGxmB2UP_1AWzIw9QhENqSFIBKM0uT_HBl8a_OafVyY1c

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*