https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.
According to Gartner's market researchers, global spending on IoT security will increase to $1.5 billion this year.
Tomi Engdahl says:
https://bgnetworks.com/8-cybersecurity-steps-when-designing-an-iot-device-a-checklist/
https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot/iot-tool-how-to-guide
Tomi Engdahl says:
https://www.paloaltonetworks.com/cyberpedia/what-is-iot-security
Tomi Engdahl says:
https://www.redhat.com/sysadmin/linux-security-aide
https://aide.github.io/
Tomi Engdahl says:
https://www.rigolna.com/optimizing-signal-integrity-in-iot-designs–debug-and-analysis-considerations/?utm_source=ED&utm_medium=personif&utm_campaign=Signal
Tomi Engdahl says:
U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches https://www.cisa.gov/news-events/news/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand (CERT NZ, NCSC-NZ) published today “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” This joint guidance urges software manufacturers to take urgent steps necessary to ship products that are secure-by-design and -default. To create a future where technology and associated products are safe for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers.
Tomi Engdahl says:
Press Release
U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches
https://www.cisa.gov/news-events/news/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand (CERT NZ, NCSC-NZ) published today “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” This joint guidance urges software manufacturers to take urgent steps necessary to ship products that are secure-by-design and -default. To create a future where technology and associated products are safe for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only secure-by-design and -default products to be shipped to customers.
This guidance, the first of its kind, is intended to catalyze progress toward further investments and cultural shifts necessary to achieve a safe and secure future. In addition to specific technical recommendations, this guidance outlines several core principles to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products, including:
Take ownership of the security outcomes of their technology products, shifting the burden of security from the customers. A secure configuration should be the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors.
Embrace radical transparency and accountability—for example, by ensuring vulnerability advisories and associated common vulnerability and exposure (CVE) records are complete and accurate.
Build the right organizational structure by providing executive level commitment for software manufacturers to prioritize security as a critical element of product development.
“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,”
“Cyber security cannot be an afterthought,” said Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre. “Consumers deserve products that are secure from the outset. Strong and ongoing engagement between government, industry and the public is vital to putting cyber security at the centre of the technology design process.”
Secure by Design, Secure by Default
https://www.cisa.gov/securebydesign
It’s time to build cybersecurity into the design and manufacture of technology products.
Find out here what it means to be secure by design and secure by default.
As America’s Cyber Defense Agency, CISA is charged with defending our nation against ever-evolving cyber threats and to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. But, as we introduce more unsafe technology to our lives, this has become increasingly difficult.
Government cannot solve this problem alone. Technology manufacturers must increasingly embrace their role in putting consumer safety first. Technology providers and software developers must take the first step to shift this burden by claiming ownership of their customers’ security outcomes.
What it Means to Be Secure by Design and Secure by Default
Every technology provider must take ownership at the executive level to ensure their products are both secure by design and secure by default.
What is Secure by Design?
Secure by Design products are those where the security of the customers is a core business requirement, not just a technical feature. Secure by Design principles should be implemented during the design phase of a product’s development lifecycle to dramatically reduce the number of exploitable flaws before they are introduced to the market for broad use or consumption.
What is Secure by Default?
Secure by Default products are those that are secure to use out of the box, with little to no configuration changes and are available at no additional cost, such as multi-factor authentication (MFA), gather and log evidence of potential intrusions, and control access to sensitive information.
Tomi Engdahl says:
CISA Introduces Secure-by-design and Secure-by-default Development Principles
https://www.securityweek.com/cisa-introduces-secure-by-design-and-secure-by-default-development-principles/
CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.
Pillar Three of the National Cybersecurity Strategy published on March 1, 2023 is titled ‘Shape market forces to drive security and resilience’. Within this section the Administration makes two points very clear. Firstly, security liability must be shifted away from the use of security products to the development of security products; and secondly, federal procurement power will be used to encourage this shift.
Both points were previewed in a speech given by CISA director Jen Easterly at Carnegie Mellon days earlier (February 27, 2023). She noted that insecurity has become normalized, and that the onus is currently on the user to make use of products less risky. She said this must change, so that the user is forced into making usage more rather than less risky.
Tomi Engdahl says:
ICs Protect System Infrastructure from Rogue Data
April 19, 2023
The MAXQ1065 ultra-low-power cryptographic controller with ChipDNA for embedded devices offers cryptographic functions for root of trust, authentication, secure boot and firmware updates, encryption, and TLS support.
https://www.electronicdesign.com/technologies/embedded/security/video/21263744/ics-protect-system-infrastructure-from-rogue-data?utm_source=EG+ED+Connected+Solutions&utm_medium=email&utm_campaign=CPS230413100&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R
Tomi Engdahl says:
2601 Series Super-Compact PCB Terminal Blocks
WAGO’s terminal blocks with 3.5 mm pin spacing take up very little board space by connecting both vertically and horizontally to the PCB
https://www.digikey.com/en/product-highlight/w/wago/2601-series-pcb-terminal-blocks?dclid=CN7j4Y_rt_4CFboPogMdrwIEOQ
Tomi Engdahl says:
PUF Away For Hardware Fingerprinting
https://hackaday.com/2023/04/17/puf-away-for-hardware-fingerprinting/
Despite the rigorous process controls for factories, anyone who has worked on hardware can tell you that parts may look identical but are not the same. Everything from silicon defects to microscopic variations in materials can cause profoundly head-scratching effects. Perhaps one particular unit heats up faster or locks up when executing a specific sequence of instructions and we throw our hands up, saying it’s just a fact of life. But what if instead of rejecting differences that fall outside a narrow range, we could exploit those tiny differences?
This is where physically unclonable functions (PUF) come in. A PUF is a bit of hardware that returns a value given an input, but each bit of hardware has different results despite being the same design. This often relies on silicon microstructure imperfections. Even physically uncapping the device and inspecting it, it would be incredibly difficult to reproduce the same imperfections exactly. PUFs should be like the ideal version of a fingerprint: unique and unforgeable.
Tomi Engdahl says:
Arbitrary Code Execution Over Radio
https://hackaday.com/2023/04/07/arbitrary-code-execution-over-radio/
Computers connected to networks are constantly threatened by attackers who seek to exploit vulnerabilities wherever they can find them. This risk is particularly high for machines connected to the Internet, but any network connection can be susceptible to attacks. As highlighted by security researcher and consultant [Rick Osgood], even computers connected to nothing more than a radio can be vulnerable to attacks if they’re using certain digital modes of communication.
The vulnerability that [Rick] found involves exploiting a flaw in a piece of software called WinAPRS. APRS is a method commonly used in the amateur radio community for sending data over radio, and WinAPRS allows for this functionality on a PC. He specifically sought out this program for vulnerabilities since it is closed-source and hasn’t been updated since 2013. After some analysis, he found a memory bug which was used to manipulate the Extended Instruction Pointer (EIP) register which stores the memory address of the next instruction to be executed by the CPU. This essentially allows for arbitrary code execution on a remote machine via radio.
The exploit was found while using Windows XP because it lacks some of the more modern memory protection features of modern operating systems, but the exploit does still work with Windows 10, just not as reliably and with a bit of extra effort required.
Hacking Ham Radio: WinAPRS – Part 1
https://www.coalfire.com/the-coalfire-blog/hacking-ham-radio-winaprs-part1
Tomi Engdahl says:
Just Released – Dragos’s Latest ICS/OT Cybersecurity Year in Review Is Now Available
Dragos, Inc.
https://www.dragos.com/blog/industry-news/2022-dragos-year-in-review-now-available/
In 2022, breakthrough evolution in the development of malware targeting industrial control systems (ICS), scaled ransomware attacks against manufacturing, and geopolitical tensions brought increased attention to the industrial cyber threat landscape. As in previous years, the ICS/OT community has managed a growing number of vulnerabilities, many without the right mitigations needed to reduce risk and maintain operations. Meanwhile electric grids, oil and gas pipelines, water systems, and manufacturing plants continued to struggle with more complex regulatory environments that demand marked progress in shoring up defenses.
https://hub.dragos.com/hubfs/312-Year-in-Review/2022/Dragos_Year-In-Review-Report-2022.pdf?hsLang=en
Tomi Engdahl says:
https://www.schneier.com/blog/archives/2023/02/what-will-it-take.html
Tomi Engdahl says:
Man-on-the-side – peculiar attack
What is a man-on-the-side attack, and how does it differ from a man-in-the-middle attack?
https://www.kaspersky.com/blog/man-on-the-side/47125/
Tomi Engdahl says:
Christian Vasquez / CyberScoop:
A group of operational technology cybersecurity vendors launches ETHOS, an open-source portal to share early warnings about threats to critical infrastructure
Industrial security vendors partner to share intelligence about critical infrastructure threats
https://cyberscoop.com/emerging-threat-open-sharing-industrial-cybersecurity/
The biggest companies working in industrial cybersecurity are building an early-warning platform called ETHOS to share threat intelligence.
Some of the largest operational technology cybersecurity vendors are building an open-sourced, opt-in threat intelligence sharing portal to provide early warnings about threats to critical infrastructure.
The platform called Emerging THreat Open Sharing, or ETHOS, is designed to break down information gaps that occur because organizations don’t have access to the same information about the latest hacks or vulnerabilities that could affect the entire energy sector, pipeline operators or other industrial sectors.
“The majority of the threat intelligence is contained within vendor silos,” said Andrea Carcano, co-founder and chief product officer at Nozomi Networks. “We’re not looking to be disruptive from that perspective. We’re looking to elevate the game. Your intelligence will always be limited by what you can see and it doesn’t matter how big your market share is.”
The overall lack of visibility into critical networks has been a longstanding concern in the U.S. Due to this issue, the Biden administration has led multiple “sprints” to increase visibility among various critical industries. The ETHOS effort that includes well-known cybersecurity firms that operate in critical infrastructure space such as 1898 & Co., Dragos, Claroty, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable and Waterfall Security is one of the most significant industry initiatives to raise awareness across the entire sector.
The OT-centric, open-source platform for sharing anonymous early warning threat information
https://www.ethos-org.io/
Publicly launched on April 24, 2023, ETHOS is a cooperative development in the OT security industry, with the goal of sharing data to investigate early threat indicators and discover new and novel attacks.
Tomi Engdahl says:
New Data Sharing Platform Serves as Early Warning System for OT Security Threats
https://www.securityweek.com/new-data-sharing-platform-serves-as-early-warning-system-for-ot-security-threats/
Several OT cybersecurity firms have teamed up to create an information sharing platform designed to serve as an early warning system for critical infrastructure.
Several cybersecurity companies specializing in industrial control systems (ICS) and other operational technology (OT) have teamed up to create an open source information sharing platform that is designed to serve as an early warning system for critical infrastructure.
The new project, named ETHOS (Emerging THreat Open Sharing), is a vendor-agnostic technology platform for sharing threat information anonymously and in real time across various industries.
The shared information includes indicators of compromise (IoCs) such as IP addresses, hashes, and domains, which can be useful to defenders for detecting new threats.
“A real-time, open-source solution that functions almost like a hotline to correlate information from multiple security vendors to identify anomalous behaviors is the most feasible concept for reducing threat actor dwell time and discovering incidents during the reconnaissance phase of potential attacks,” the project’s initiators explained. “The goal for ETHOS is to uncover emerging threats for which there is no threat intelligence available.”
ETHOS currently has a beta API that provides data sharing functionality, and a server is in development.
ETHOS is designed specifically for OT/ICS, but the API can be used by any type of cybersecurity solution.
General membership applications will be available in June 2023. Any individual, organization or security vendor can contribute to the project.
Tomi Engdahl says:
ChatGPT writes insecure code
https://www.malwarebytes.com/blog/news/2023/04/chatgpt-creates-not-so-secure-code-study-finds/
Research by computer scientists associated with the Université du Québec in Canada has found that ChatGPT, OpenAI’s popular chatbot, is prone to generating insecure code. “How Secure is Code Generated by ChatGPT?” is the work of Raphaël Khoury, Anderson Avila, Jacob Brunelle, and Baba Mamadou Camara. The paper concludes that ChatGPT generates code that isn’t robust, despite claiming awareness of its vulnerabilities
Tomi Engdahl says:
Critical Siemens RTU Vulnerability Could Allow Hackers to Destabilize Power Grid
https://www.securityweek.com/critical-siemens-rtu-vulnerability-could-allow-hackers-to-destabilize-power-grid/
Siemens recently patched a critical vulnerability affecting some of its energy ICS devices that could allow hackers to destabilize a power grid.
A critical vulnerability affecting some of Siemens’ industrial control systems (ICS) designed for the energy sector could allow malicious hackers to destabilize a power grid, according to the researchers who found the security hole.
The vulnerability, tracked as CVE-2023-28489, impacts the CPCI85 firmware of Sicam A8000 CP-8031 and CP-8050 products, and it can be exploited by an unauthenticated attacker for remote code execution. These products are remote terminal units (RTUs) designed for telecontrol and automation in the energy supply sector, particularly for substations.
Patches are available in firmware versions CPCI85 V05 or later, and the German industrial giant also noted that the risk of exploitation can be reduced by limiting access to the web server on TCP ports 80 and 443 using a firewall.
In an advisory published on April 11, Siemens said it learned about the flaw from a team of researchers at cybersecurity consultancy SEC Consult, which is now part of Eviden, an Atos business.
Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek that an attacker who can exploit CVE-2023-28489 can take complete control of a device and they could potentially destabilize a power grid and possibly even cause blackouts by changing critical automation parameters. Threat actors could also leverage the vulnerability to implement backdoors.
However, the expert noted that since these devices are mostly used in critical infrastructure environments, they are typically ‘strongly firewalled’ and are not accessible directly from the internet.
“It cannot be ruled out though that some devices might be reachable through 3rd party support access connections or potential misconfigurations,” Greil explained.
Exploitation of CVE-2023-28489 can allow an attacker who has network access to the targeted device to gain full root access without any prior authentication. Exploitation of the flaw involves sending a specially crafted HTTP request to the targeted RTU.
The US Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory in April to inform organizations about the vulnerability.
Greil pointed out that Siemens Sicam products are among the first devices in the world to receive ‘maturity level 4’ certification in the Industrial Cyber Security category. This certification, IEC62443-4-1, indicates that security was an important factor throughout the design and development process and that the product has undergone rigorous testing.
Siemens CPCI85 Firmware of SICAM A8000 Devices
https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-07
https://cert-portal.siemens.com/productcert/txt/ssa-472454.txt
Automation and remote terminal units – SICAM A8000
https://www.siemens.com/global/en/products/energy/energy-automation-and-smart-grid/substation-automation/automation-and-remote-terminal-units-sicam-a8000-series.html
TÜV NORD carries out world’s first Maturity Level 4 certification
https://www.tuev-nord-group.com/en/newsroom/news/details/article/tuev-nord-carries-out-worlds-first-maturity-level-4-certification/
TÜV NORD has carried out the world’s first Maturity Level 4 certification in the IECEE scheme in the Industrial Cyber Security (CYBR) category. This testifies to the achievement by Siemens AG’s “Lean Product Lifecycle @ SI EA” system of the highest level of process maturity. This places both Siemens and TÜV NORD at the forefront of certification activities in the globally established IECEE scheme.
“We congratulate Siemens on its terrific achievement and are pleased to have been able to make qualified use of our technical know-how and the IT expertise of our sister company TÜVIT,” says Matthias Springer, Cluster Manager for Functional Safety & Security at TÜV NORD. TÜV NORD is one of the few providers on the international market to have been accredited by both the German accreditation body (DAkkS) and the international standardisation organisation, the IECEE, to carry out all relevant validations and certifications pursuant to IEC 62443.
IEC 62443-4-1 is part of a family of standards whose goal is to ensure IT security for industrial automation systems. Companies that use networked components, be they in the control systems for an industrial plant, the control of railway vehicles or the protection technology used in an electricity substation, must protect their communications networks from cyber attacks – and that protection must be verifiable. This is assured by means of the analysis and evaluation of security concepts, measures and product development processes. This process was successfully certified by TÜV NORD at Siemens Smart Infrastructure, Electrification & Automation (SI EA).
The IEC 62443 series of standards currently comprises eleven sub-standards. These cover the areas of organisation/processes, system and components alongside procedural and functional requirements. IEC 62443 thus covers the entire industrial spectrum and meets the requirements of operators, integrators and manufacturers alike.
Tomi Engdahl says:
Why Robot Vacuums Have Cameras (and What to Know About Them) https://securityintelligence.com/articles/why-robot-vacuums-have-cameras-what-to-know/
Robot vacuum cleaner products are by far the largest category of consumer robots. They roll around on floors, hoovering up dust and dirt so we don't have to, all while avoiding obstacles
Tomi Engdahl says:
Google and Apple cooperate to address unwanted tracking https://www.malwarebytes.com/blog/news/2023/05/google-and-apple-take-initiative-to-address-unwanted-tracking
Google and Apple have announced that they are looking for input from industry participants and advocacy groups on a draft specification to alert users in the event of suspected unwanted tracking. Samsung, Tile, Chipolo, eufy Security, and Pebblebee have stated that they will support the specification in future products. The specification will consist of a set of best practices and protocols for accessory manufacturers whose products have built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Google's expected Grogu
Tomi Engdahl says:
The Attack on Colonial Pipeline: What We've Learned & What We've Done Over the Past Two Years https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years
Today marks two years since a watershed moment in the short but turbulent history of cybersecurity. On May 7, 2021, a ransomware attack on Colonial Pipeline captured headlines around the world with pictures of snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearful of not being able to get to work or get their kids to school
Tomi Engdahl says:
Hardcoded and Embedded Credentials are an IT Security Hazard – Here’s What You Need to Know
https://www.beyondtrust.com/blog/entry/hardcoded-and-embedded-credentials-are-an-it-security-hazard-heres-what-you-need-to-know
Embedded credentials, also often referred to as hardcoded credentials, are plain text credentials in source code. Password/credential hardcoding refers to the practice of embedding plain text (non-encrypted) credentials (account passwords, SSH Keys, DevOps secrets, etc.) into source code.
However, the practice of hardcoding credentials is increasingly discouraged as it poses formidable security risks that are routinely exploited by malware and hackers. In some cases, a threat actor (perhaps aligned with a nation-state) may insert hardcoded credentials to create a backdoor, allowing them persistent access to a device, application, or system.
This blog aims to provide an overview of embedded credentials and will cover where they are commonly found, how hardcoded credentials are used, the risks they pose, the challenges of managing them, and four best practices for addressing embedded credentials across your enterprise.
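As an added example, not code from the BeyondTrust post: a small Go scanner that flags the credential forms the post describes (plain-text passwords and secrets in source, pasted SSH/TLS private keys, credentials inside URLs) in a constructed source fragment, and skips placeholder values such as environment-variable references. The sample source and the rule set are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspected hardcoded credential in the scanned source.
type Finding struct {
	Line int
	Kind string
	Snip string // value redacted to its first three characters
}

// rules cover the forms the post lists: plain-text passwords and secrets in
// source, SSH/TLS private keys pasted into code, and credentials inside URLs.
var rules = []struct {
	kind string
	re   *regexp.Regexp
}{
	// password = "..."  /  secret: '...'  /  api_key = "..."  /  token = "..."
	{"password-literal", regexp.MustCompile(`(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{4,})["']`)},
	// a private key block embedded in the source
	{"private-key", regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)},
	// scheme://user:password@host
	{"url-credential", regexp.MustCompile(`[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@`)},
}

// placeholder matches values that are clearly not real secrets, such as an
// environment-variable reference or a "<fill in>" marker, to cut false positives.
var placeholder = regexp.MustCompile(`(?i)^(\$\{?[A-Z_]+\}?|<[^>]+>|changeme|x{3,}|\*{3,}|todo)$`)

// sample is a constructed source fragment for the demo; the values are not real secrets.
const sample = `# constructed sample, not real code or secrets
db_user = "svc_reader"
db_password = "hunter2-example"
api_key: "${API_KEY}"
token = os.environ["TOKEN"]
url = "postgres://admin:p4ss-example@db.internal:5432/app"
ssh_key = """-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----"""`

// redact keeps only a short prefix so the report itself does not leak the secret.
func redact(v string) string {
	if len(v) <= 3 {
		return "***"
	}
	return v[:3] + "..."
}

// ScanSource returns one Finding per (line, rule) match, with the value redacted.
func ScanSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			m := r.re.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			val := m[len(m)-1] // last group is the secret value (or the whole match)
			if r.kind == "password-literal" && placeholder.MatchString(val) {
				continue
			}
			out = append(out, Finding{Line: i + 1, Kind: r.kind, Snip: redact(val)})
		}
	}
	return out
}

func main() {
	for _, f := range ScanSource(sample) {
		fmt.Printf("line %d: %-17s %s\n", f.Line, f.Kind, f.Snip)
	}
}
```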
Tomi Engdahl says:
Password for embedded devices in automatic deployment
https://security.stackexchange.com/questions/245972/password-for-embedded-devices-in-automatic-deployment
Choosing between general and embedded passwords
You have two kinds of passwords you can create: General and Embedded.
https://support.itglue.com/hc/en-us/articles/360004935677-Choosing-between-general-and-embedded-passwords
General passwords
A general password is a password that’s created from the main Passwords section, and then usually linked as a related item to the relevant assets.
These passwords have many uses, but should always be used whenever you have a password that can be linked to multiple assets. Think one to many relationships.
For example, you have a password for a domain registrar (such as GoDaddy) that’s associated with several domains. You could create embedded passwords in the relevant assets instead, but each time the same data is entered more than once, it causes a drop in productivity levels and also introduces the risk of data entry error.
Key benefits of general passwords:
Eliminates data duplication.
Reduces risk of accidental deletion.
Can set security permissions on just the password itself.
When this kind of password can be particularly useful:
Active Directory
Domain registrar
DNS hosting
Web hosting
Embedded passwords
An embedded password is a password that is created from within configuration items and other assets through an Embedded Passwords section on the side panel.
You may want to use an embedded password when you have a password that can only be used in one context, such as one device. Think one-to-one relationships.
When this kind of password may be useful:
Administrative Web Interface (username, password, and URL) for a firewall or switch
Local admin account on a Windows server
Tomi Engdahl says:
Passwordless login with passkeys
https://developers.google.com/identity/passkeys
To create a passkey for a website or application, a user first must register with that website or application.
Go to the application and sign in using the existing sign-in method.
Click Create a passkey button.
Check the information stored with the new passkey.
Use the device screen unlock to create the passkey.
When they return to this website or app to sign in, they can take the following steps:
Go to the application.
Click Sign in.
Select their passkey.
Use the device screen unlock to complete the login.
The user’s device generates a signature based on the passkey. This signature is used to verify the login credential between the origin and the passkey.
A user can sign into services on any device using a passkey, regardless of where the passkey is stored. For example, a passkey created on a mobile phone can be used to sign in to a website on a separate laptop.
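The register-then-sign-in flow above, as an added Go example that is not Google's code: a simplified model of the passkey ceremony in which the device holds an ECDSA private key, the site stores only the public key, and each sign-in signs a fresh server challenge bound to the requesting origin. The origin and challenge values are constructed, and the signed payload is simplified relative to real WebAuthn (which also signs over authenticatorData).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Passkey is the private half; it never leaves the user's device.
type Passkey struct{ priv *ecdsa.PrivateKey }

// Credential is what the site stores at registration: the public key only.
type Credential struct{ pub *ecdsa.PublicKey }

// clientData is the payload the device signs: the server-issued challenge and
// the origin that requested the signature. (Simplified: real WebAuthn also
// signs over authenticatorData, which carries the rpID hash and counters.)
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the device hands back to the site at sign-in.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// NewChallenge issues a fresh random nonce; every sign-in must get a new one.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Register is the "Create a passkey" step: the device generates a key pair
// and the site records only the public key against the account.
func Register() (*Passkey, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Passkey{priv: priv}, &Credential{pub: &priv.PublicKey}, nil
}

// Sign is the sign-in step after screen unlock: the device signs the
// challenge bound to the origin that asked for it.
func (p *Passkey) Sign(challenge, origin string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, h[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the site's check: the challenge it issued, the origin it expects,
// and a valid signature under the registered public key. Any mismatch fails.
func Verify(c *Credential, wantChallenge, wantOrigin string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != wantChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != wantOrigin {
		return errors.New("origin mismatch: assertion was made for another site")
	}
	h := sha256.Sum256(a.ClientDataJSON)
	if !ecdsa.VerifyASN1(c.pub, h[:], a.Signature) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

func main() {
	pk, cred, err := Register()
	if err != nil {
		panic(err)
	}
	ch := NewChallenge()
	a, _ := pk.Sign(ch, "https://example.com")
	fmt.Println("genuine sign-in:", Verify(cred, ch, "https://example.com", a))
	fmt.Println("replayed assertion:", Verify(cred, NewChallenge(), "https://example.com", a))
}
```

Because the origin is inside the signed payload, an assertion produced for a look-alike site fails verification at the real one, which is why a passkey is not phishable the way a typed password is.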
Tomi Engdahl says:
Building Automation System Exploit Brings KNX Security Back in Spotlight
https://www.securityweek.com/building-automation-system-exploit-brings-knx-security-back-in-spotlight/
A public exploit targeting building automation systems brings KNX security back into the spotlight, with Schneider Electric releasing a security bulletin.
A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks.
KNX is a widely used open standard for commercial and residential building automation. It can be used to control security systems, lighting, HVAC, energy management, and many other smart building systems.
Its developers warned in 2021 that smart building installations, including ones based on KNX, had been increasingly targeted in attacks.
In one attack reported at the time, aimed at a German engineering company, hackers had taken control of internet-exposed building automation devices and locked the victim’s employees out of the system. For unclear reasons, the attackers had bricked hundreds of automation control devices, causing the building to lose all of its smart functionality.
In a security bulletin published late last month, Schneider Electric notified customers that it had become aware of the public availability of an exploit targeting KNX home and building automation systems.
The PoC exploit that Schneider is warning about, published in March, targets the company’s SpaceLynk and Wiser for KNX (formerly HomeLynk) products. However, the French industrial giant said its FellerLynk products are impacted as well.
The exploit targets two known vulnerabilities: one addressed by the vendor in February 2022 (CVE-2022-22809) and one addressed in August 2020 (CVE-2020-7525).
Threat actors could use the vulnerabilities to access admin functionality without a password through a directory traversal, or access the administration panel through a brute-force attack.
The hacker who made public this exploit recently also published PoCs targeting fueling systems.
Schneider issued a warning over KNX attacks back in 2021 and now says “this new exploit brings further attention to the recommended mitigations in that security bulletin”.
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-few-dozen-vulnerabilities/
Siemens and Schneider Electric’s Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products.
Siemens
Siemens has published six new advisories describing 26 vulnerabilities. The company has informed customers about two critical flaws in Siveillance Video products that can be exploited for authenticated remote code execution.
The Scalance local processing engine (LPE) is affected by one critical and four low-severity issues. The flaws can be exploited to access the underlying operating system with elevated privileges, access data, and cause a DoS condition.
Several critical and high-severity vulnerabilities have been patched in third-party components used by the Sinec network management system.
Tomi Engdahl says:
Smart devices: using them safely in your home https://www.ncsc.gov.uk/guidance/smart-devices-in-the-home
Smart devices are the everyday items that connect to the internet.
This can include both ‘hi-tech’ items (think smart speakers, fitness trackers and security cameras), and also standard household items (such as fridges, lightbulbs and doorbells). Unlike conventional household items, you can’t just switch on a smart device and forget it; you’ll need to check a few simple things to protect yourself. This page explains how to set up and manage your smart devices to keep your home – and your information – safe.
Tomi Engdahl says:
Energy Transformation via Cyber-Resilient Smart Grid https://www.trendmicro.com/en_us/research/23/e/energy-transformation-cyber-resilient-smart-grid.html
As the need for reliable and affordable energy sources grows, countries worldwide are increasingly turning to smart grids. Smart grids revolutionize how society accesses energy, enabling higher efficiency, reliability, and cost-effective management of energy resources. But these advancements come with a risk: smart grid infrastructures are highly vulnerable to cyberattacks, leading to costly consequences if left unprotected. Drawing on the “Achieving Energy Transformation: Building a Cyber Resilient Smart Grid” report released in April 2023 by TXOne Networks, a Trend Micro-affiliated company dedicated to OT security, this blog will discuss key vulnerabilities in smart grids. It also discusses the associated cybersecurity standards and countermeasures that must be taken to protect this vital infrastructure from malicious activities.
Tomi Engdahl says:
An Overview Of Supply Chain Attacks And Protection Strategies https://www.forbes.com/sites/davidbalaban/2023/05/13/an-overview-of-supply-chain-attacks-and-protection-strategies/
As corporations have been stepping up their security measures, hacker groups have shifted their focus toward software vendors and various system providers. The frequency of supply chain attacks has multiplied several times compared to what it was in 2020. The concept of a Supply Chain Attack revolves around hijacking an organization’s IT infrastructure via third-party vendors. By securing initial access to, say, a vendor’s code management or version control systems, attackers can disseminate their malicious software while masquerading as a legitimate application. Since the company does not have direct control over all its suppliers, it is virtually impossible to fully safeguard against such threats.
Tomi Engdahl says:
Chaining Five Vulnerabilities to Exploit Netgear Nighthawk RAX30 Routers at Pwn2Own Toronto 2022
https://claroty.com/team82/research/chaining-five-vulnerabilities-to-exploit-netgear-nighthawk-rax30-routers-at-pwn2own-toronto-2022
The Internet of Things (IoT) has become an increasingly popular target for cyber attacks in recent years because these devices are often poorly secured and can be easily compromised. To highlight the vulnerabilities of IoT devices and encourage better security practices from manufacturers, the Zero Day Initiative (ZDI) organized a Pwn2Own competition last fall in Toronto that focused on hacking into IoT devices such as printers, network-attached storage (NAS) devices, routers, and smart speakers. This competition brought together experienced hackers to demonstrate their skills in finding and exploiting vulnerabilities in these devices. Here, we will explore the research we conducted on the Netgear RAX30 router, below, for the Pwn2Own competition.
Tomi Engdahl says:
https://hackaday.com/2023/05/12/this-week-in-security-tpm-and-bootguard-drones-and-coverups/
And to cap off the week’s news, Home Assistant had a nasty one, where an unauthenticated user can access the Supervisor API. The bug is a sneaky path traversal that bypasses an authentication check regex. Check it yourself, by fetching http://a.b.c.d:8123/api/hassio/app/.%252e/supervisor/info on your Home Assistant install. The fixes have been bypassed a couple of times, and it’s release 2023.03.3 that’s safe to use, for now.
https://www.elttam.com/blog/pwnassistant/
This write-up describes a vulnerability (CVE-2023-27482) found in Home Assistant, a popular open source home automation software. The original vulnerability was found to affect versions before 2023.3.0 where a mitigation is introduced. Bypasses were discovered which meant the vulnerable versions include Home Assistant Core 2023.3.0 and 2023.3.1 and Home Assistant Supervisor 2023.03.2. Home Assistant installations running Home Assistant Core 2023.3.2 or later, and Home Assistant Supervisor 2023.03.3 or later are not affected.
https://github.com/elttam/publications/blob/master/writeups/home-assistant/supervisor-authentication-bypass-advisory.md
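The two bugs above share one shape: the Schneider KNX advisory describes reaching admin functionality without a password through a directory traversal, and the Home Assistant advisory describes a path traversal that slips past an authentication regex because the string the regex saw is not the path the backend finally serves. The following is an added example, not Home Assistant's or Schneider's code, of that bug class in a simplified two-layer model: an HTTP front end percent-decodes the request path once and gates it with a prefix regex, then a proxied backend decodes it again and collapses `..`. The regex, the `/api/hassio/app/` allow-list and the two-layer decode are assumptions for the model; the probe path is the one quoted from the Hackaday write-up. The hardened gate canonicalizes first and authorizes exactly the string it forwards.

```python
import posixpath
import re
from typing import Tuple
from urllib.parse import unquote

# Assumption for this model: front-end assets under /api/hassio/app/ are
# served without a token, everything else under /api/hassio/ needs one.
# The allow-list is a prefix regex over the path string.
UNAUTHENTICATED_RE = re.compile(r"^/api/hassio/app/")


def http_server_decode(raw_path: str) -> str:
    """Layer 1: the HTTP server percent-decodes the request path once."""
    return unquote(raw_path)


def backend_resolve(path: str) -> str:
    """Layer 2: the proxied backend decodes again and collapses '.' and '..'."""
    return posixpath.normpath(unquote(path))


def vulnerable_gate(raw_path: str, has_token: bool) -> Tuple[bool, str]:
    """Authorise the once-decoded string, then let the backend resolve it.

    Returns (allowed, path_actually_served).  The defect: the string that
    satisfied the regex is not the path the backend ends up serving, so
    ".%252e" (and a plain "..") walks out of the unauthenticated prefix.
    """
    decoded = http_server_decode(raw_path)
    if UNAUTHENTICATED_RE.match(decoded) is None and not has_token:
        return False, ""
    return True, backend_resolve(decoded)


def canonicalize(raw_path: str) -> str:
    """Decode until the string stops changing, normalise, refuse leftovers.

    Raises ValueError when the path cannot be reduced to one unambiguous form.
    """
    current = raw_path
    for _ in range(4):                     # deeper %25 nesting is treated as hostile
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    else:
        raise ValueError("too many percent-encoding layers")
    if "%" in current or "\x00" in current or "\\" in current:
        raise ValueError("path still ambiguous after decoding")
    canonical = posixpath.normpath(current)
    if not canonical.startswith("/"):
        raise ValueError("path must be absolute")
    return canonical


def hardened_gate(raw_path: str, has_token: bool) -> Tuple[bool, str]:
    """Authorise the same canonical path that is forwarded to the backend."""
    try:
        canonical = canonicalize(raw_path)
    except ValueError:
        return False, ""
    if UNAUTHENTICATED_RE.match(canonical) is None and not has_token:
        return False, ""
    return True, canonical                 # forward this exact string, never re-decode


if __name__ == "__main__":
    probe = "/api/hassio/app/.%252e/supervisor/info"   # request quoted in the write-up
    print("vulnerable:", vulnerable_gate(probe, has_token=False))
    print("hardened:  ", hardened_gate(probe, has_token=False))
```

The fix is not a better regex but a single canonical form computed before the authorization decision and reused, unchanged, as the path that is served; any component that decodes or normalizes after the check reopens the hole, which is why the upstream fix needed several attempts.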
Tomi Engdahl says:
PSA: time to recycle your old Wemo smart plugs (if you haven’t already) https://www.theverge.com/2023/5/16/23725290/wemo-smart-plug-v2-smart-home-security-vulnerability
Security researchers at Sternum report they’ve found an exploitable vulnerability in the Wemo Smart Plug Mini V2 (via 9to5Mac). The plug debuted in 2019, offering cross-platform compatibility with Apple HomeKit, Google Assistant, and Alexa.
The bug would let a savvy hacker gain remote command of your Wemo plug by circumventing the Wemo app with a community-made Python app called PyWeMo. Once connected, an attacker can change the device name to something with more than 30 characters, resulting in a buffer overflow that allows the attacker to inject commands remotely.
When Sternum disclosed the vulnerability to Belkin, it was told that since the device was at the end of its life, it would not be receiving a fix. Sternum then reported the issue to not-for-profit cybersecurity org The Mitre Corporation, which then created CVE-2023-27217.
Tomi Engdahl says:
Not An Afterthought: Security By Design
https://www.forbes.com/sites/emilsayegh/2023/05/16/not-an-afterthought-security-by-design/
Recent incidents such as the ChatGPT software leak and the Activision Blizzard data breach highlight the urgent need for enhanced cybersecurity measures to be built in at every level of application and software development. Security must be built into the core of any product or technological advancement during the early stages of design.
Unfortunately, many software companies still treat cybersecurity as an afterthought.
They often focus on developing and releasing products and services quickly with security added along the way, or even worse after everything else has been completed.
This approach can be disastrous, as demonstrated by countless cyberattacks capitalizing on substandard security measures. These attacks serve as a reminder of how crucial it is that security is built-in from the very beginning of the development process.
Tomi Engdahl says:
Teltonika Vulnerabilities Could Expose Thousands of Industrial Organizations to Remote Attacks
https://www.securityweek.com/teltonika-vulnerabilities-could-expose-thousands-of-industrial-orgs-to-remote-attacks/
Critical vulnerabilities found in Teltonika products by industrial cybersecurity firms Otorio and Claroty expose thousands of internet-exposed devices to attacks.
Researchers at industrial cybersecurity companies Otorio and Claroty have teamed up to conduct a detailed analysis of products made by Teltonika and found potentially serious vulnerabilities that can expose many organizations to remote hacker attacks.
Teltonika Networks is a Lithuania-based company that makes LTE routers, gateways, modems and other networking solutions that are used worldwide in the industrial, energy, utilities, smart city, transportation, enterprise, and retail sectors.
Researchers at Otorio and Claroty have analyzed the company’s RUT241 and RUT955 cellular routers, as well as the Teltonika Remote Management System (RMS), a platform that can be deployed on-premises or in the cloud for monitoring and managing connected devices.
The research resulted in the discovery of eight types of security holes, which the US Cybersecurity and Infrastructure Security Agency (CISA) described briefly in an advisory published on May 11.
The vendor has been notified and it has released patches for both the RMS platform and the RUT routers.
https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08
Tomi Engdahl says:
CISA: Several Old Linux Vulnerabilities Exploited in Attacks
https://www.securityweek.com/cisa-several-old-linux-vulnerabilities-exploited-in-attacks/
Several old Linux vulnerabilities for which there are no public reports of malicious exploitation have been added to CISA’s KEV catalog.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added several Linux and Linux-related flaws to its known exploited vulnerabilities (KEV) catalog.
The agency added seven new vulnerabilities to its KEV catalog on Friday: Ruckus AP remote code execution (CVE-2023-25717), Red Hat Polkit privilege escalation (CVE-2021-3560), Linux kernel privilege escalations (CVE-2014-0196 and CVE-2010-3904), Jenkins UI information disclosure (CVE-2015-5317), Apache Tomcat remote code execution (CVE-2016-8735), and an Oracle Java SE and JRockit issue (CVE-2016-3427).
The Ruckus product vulnerability has been exploited by a DDoS botnet named AndoryuBot.
Tomi Engdahl says:
Toyota: Data on More Than 2 Million Vehicles in Japan Were at Risk in Decade-Long Breach
https://www.securityweek.com/toyota-data-on-more-than-2-million-vehicles-in-japan-were-at-risk-in-decade-long-breach/
A decade-long data breach in Toyota’s online service put some information on more than 2 million vehicles at risk.
Tomi Engdahl says:
This New Era of Security Requires Secure Networking, Vendor Consolidation, and Focus on OT
https://www.securityweek.com/this-new-era-of-security-requires-secure-networking-vendor-consolidation-and-a-focus-on-ot/
The convergence of networking and security, the consolidation of technology vendors, and a focus on OT security are essential underpinnings of any organization’s success.
Tomi Engdahl says:
https://hackaday.com/2023/05/15/a-free-tv-with-a-catch-new-normal-or-inevitable-hardware-bonanza/
Tomi Engdahl says:
The problem isn’t new, but the product may be too old for the manufacturer to bother fixing—however, there are some other work-arounds that can address this issue.
Wemo won’t fix Smart Plug vulnerability allowing remote operation
https://arstechnica.com/gadgets/2023/05/wemo-wont-fix-smart-plug-vulnerability-allowing-remote-operation/?utm_brand=ars&utm_medium=social&utm_social-type=owned&utm_source=facebook
Tricking a plug with a too-long name could lead to buffer overflows, injections.
IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm’s blog post is full of interesting details about how this device works (and doesn’t), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit—a limit enforced solely by Wemo’s own apps—with third-party tools. Inside that overflow you could inject operable code. If your Wemo is connected to the wider Internet, it could be compromised remotely.
https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/
Tomi Engdahl says:
Energy Transformation via Cyber-Resilient Smart Grid
https://www.trendmicro.com/en_us/research/23/e/energy-transformation-cyber-resilient-smart-grid.html
Learn more about smart grid vulnerabilities and how organizations can future-proof their enterprises
As the need for reliable and affordable energy sources grows, countries worldwide are increasingly turning to smart grids. Smart grids revolutionize how society accesses energy, enabling higher efficiency, reliability, and cost-effective management of energy resources. But these advancements come with a risk—smart grid infrastructures are highly vulnerable to cyberattacks, leading to costly consequences if left unprotected.
Drawing on the “Achieving Energy Transformation: Building a Cyber Resilient Smart Grid” report released in April 2023 by TXOne Networks, a Trend Micro-affiliated company dedicated to OT security, this blog will discuss key vulnerabilities in smart grids. It also discusses the associated cybersecurity standards and countermeasures that must be taken to protect this vital infrastructure from malicious activities.
Renewable power generation
Renewable power generation, such as wind and solar, plays a critical role in the smart grid, but it also introduces new vulnerabilities that attackers can exploit. The following are some of the vulnerabilities associated with renewable power generation:
Vulnerabilities in Wind Power Control Equipment: Wind turbines are controlled by industrial control systems that may have vulnerabilities that attackers can exploit. For example, attackers could manipulate the control systems to change the output of the wind turbines, causing imbalances in the grid and potentially leading to blackouts.
Vulnerabilities in Solar Power Generation: Solar power generation systems also rely on industrial control systems, which may have vulnerabilities that attackers can exploit. For example, attackers could manipulate the control systems to cause the solar panels to overproduce or underproduce energy, causing imbalances in the grid.
Distribution Automation (DA) and Feeder Automation (FA)
These are critical components of the smart grid that automate power distribution from the substation to customers. However, they are also vulnerable to attacks for the following reasons:
Insecure Industrial Control Protocols: DA and FA systems use industrial control protocols that may not have security features, making them vulnerable to attacks. For example, attackers could use unauthenticated commands to manipulate the DA and FA systems, causing power outages or other disruptions.
Risk of Remote Service Vulnerabilities: Many DA and FA systems are connected to remote services, such as cloud-based applications, which can be vulnerable to attacks. Attackers could exploit vulnerabilities in these remote services to gain access to the DA and FA systems and cause disruptions.
Energy Storage System Management
Energy storage system management is an essential component of the smart grid that enables the storage of excess energy from renewable sources for later use. However, these systems are also vulnerable to attacks for the following reasons:
Insecure Communication Protocols: Energy storage systems use communication protocols to communicate with other smart grid components. These protocols may not have security features, making them vulnerable to attacks. For example, attackers could intercept the communication between the energy storage system and other smart grid components, leading to unauthorized access or control of the system.
Physical Security Risks: Energy storage systems may be located in remote or unsecured locations, making them vulnerable to physical attacks. Attackers could damage or destroy the energy storage systems, leading to power outages or other disruptions.
Advanced Metering Infrastructure (AMI) Management System
This is another critical component of the smart grid, enabling the collection and transmission of energy usage data from smart meters to utilities. However, these systems are also vulnerable to attacks for the following reasons:
Insecure Communication Protocols: AMI systems use communication protocols to transmit data between smart meters and utilities. These protocols may not have security features, making them vulnerable to attacks. For example, attackers could intercept the communication between the smart meters and utilities, leading to unauthorized access or control of the system.
Unauthorized Access: AMI systems may be accessible to unauthorized personnel, making them vulnerable to attacks. Attackers could gain physical access to the AMI systems and tamper with the smart meters or the data collected by the system.
Addressing these vulnerabilities is crucial for the resilience and security of the smart grid. Implementing robust cybersecurity measures can significantly mitigate these vulnerabilities and safeguard against cyber threats.
Tomi Engdahl says:
Air-Gapped Networks (Part 2): Moving Information
May 11, 2023
The ability to import, export, transport, and share information is extremely important, even for air-gapped networks.
https://www.electronicdesign.com/technologies/industrial/article/21265747/digistor-airgapped-networks-part-2-moving-information?utm_source=EG+ED+Connected+Solutions&utm_medium=email&utm_campaign=CPS230504075&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R
Tomi Engdahl says:
New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
https://www.securityweek.com/new-honeywell-ot-cybersecurity-solution-helps-identify-vulnerabilities-threats/
Honeywell announces the launch of Cyber Insights, a solution designed to help organizations identify vulnerabilities and threats in their OT environments.
Honeywell on Tuesday announced the launch of a new OT cybersecurity solution designed to help organizations identify vulnerabilities and threats in their facilities.
Part of its Forge cybersecurity offering, the new Cyber Insights solution collects data from Honeywell products and various existing third-party security solutions, including data on vulnerabilities, security events, potential threats, and compliance issues.
The generated data can be used for OT-specific threat hunting and for conducting investigations.
The on-premises solution includes subscription software installed in the OT environment, a one-time deployment service, and technical support services.
Cyber Insights provides curated near real-time and historical information that can be leveraged by on-site staff. Alternatively, organizations can forward the log data to an off-site SOC or to a managed security services provider, such as Honeywell.
Honeywell pointed out that since the new solution is specifically designed for OT systems, it checks the system load and the analysis and correlation of the collected data is done on a dedicated server instead of the OT assets themselves in order to avoid causing any disruption.
In terms of compliance, Cyber Insights is designed to monitor assets against user-defined policies, CIS benchmarks, and NIST 800-53 requirements.
https://www.honeywellforge.ai/us/en/solutions/products/ot-cybersecurity/cyber-insights
Tomi Engdahl says:
What Wireless Network Standards Will Rule the Smart Home?
May 18, 2023
Wireless network protocols that are available for smart-home applications today won’t necessarily be the most widely adopted in the future. Here’s a look at Zigbee, Bluetooth, Wi-Fi, Matter, and Thread.
https://www.electronicdesign.com/technologies/communications/article/21266261/insight-sip-what-wireless-network-standards-will-rule-the-smart-home?utm_source=EG+ED+Update:+Power+and+Analog&utm_medium=email&utm_campaign=CPS230519042&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R
Tomi Engdahl says:
US and Microsoft warn: China-linked cyber group infiltrated critical systems https://www.hs.fi/ulkomaat/art-2000009609582.html
The United States, several of its allies and device manufacturer Microsoft warn that Volt Typhoon, a cyber actor linked to the Chinese state, has succeeded in infiltrating US critical infrastructure over the network, and that similar activity may be under way in other countries as well. Authorities in the United States, the United Kingdom, Canada, Australia and New Zealand reported the finding in a joint cybersecurity advisory.
Tomi Engdahl says:
New Russian-linked CosmicEnergy malware targets industrial systems https://www.bleepingcomputer.com/news/security/new-russian-linked-cosmicenergy-malware-targets-industrial-systems/
Mandiant security researchers have discovered a new malware called CosmicEnergy designed to disrupt industrial systems and linked to Russian cybersecurity outfit Rostelecom-Solar (formerly Solar Security). The malware specifically targets IEC-104-compliant remote terminal units (RTUs) commonly used in electric transmission and distribution operations across Europe, the Middle East, and Asia
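The smart-grid excerpt above warns that distribution and feeder automation protocols can accept unauthenticated commands, and CosmicEnergy is reported to target exactly such IEC-104 RTUs. The protocol itself carries no authentication, so the practical control is knowing which host is allowed to issue commands and alerting on everything else. The following is an added example, not from the BleepingComputer article or Mandiant's analysis: a minimal IEC 60870-5-104 APDU parser used as detection logic over constructed sample frames (not a real capture). The page does not say which command types CosmicEnergy issues, so the detector flags every control-direction ASDU type (45–51 and their time-tagged variants 58–64) from any source other than the configured SCADA master; the host addresses and the master allow-list are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

START_BYTE = 0x68

# ASDU type identifiers in the control direction: 45..51 are single, double,
# regulating-step, set-point and bitstring commands; 58..64 carry a time tag.
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))
TYPE_NAMES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
              49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1"}
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             8: "deactivation", 10: "activation termination"}


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int            # cause of transmission, low 6 bits of the COT field
    originator: int
    common_addr: int
    ioa: int            # first information object address, 3 bytes little-endian
    element: int        # first byte of the first information element


def parse_apdu(buf: bytes) -> Optional[Asdu]:
    """Return the ASDU of an I-format APDU; None for S/U-format or malformed frames."""
    if len(buf) < 6 or buf[0] != START_BYTE:
        return None
    if buf[1] + 2 != len(buf) or buf[1] < 4:   # length byte counts everything after itself
        return None
    if buf[2] & 0x01:                          # control field bit 0 set: S- or U-format
        return None
    asdu = buf[6:]
    if len(asdu) < 10:                         # 6-byte header + 3-byte IOA + 1 element byte
        return None
    return Asdu(
        type_id=asdu[0],
        num_objects=asdu[1] & 0x7F,
        cot=asdu[2] & 0x3F,
        originator=asdu[3],
        common_addr=asdu[4] | (asdu[5] << 8),
        ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
        element=asdu[9],
    )


def describe_command(a: Asdu) -> str:
    """Decode the select/execute flag and the commanded state of SCO/DCO elements."""
    phase = "select" if a.element & 0x80 else "execute"
    if a.type_id == 45:                        # SCO: bit 0 = SCS, 1 means ON
        state = "ON" if a.element & 0x01 else "OFF"
    elif a.type_id == 46:                      # DCO: bits 0-1 = DCS, 1 = OFF, 2 = ON
        state = {1: "OFF", 2: "ON"}.get(a.element & 0x03, "invalid")
    else:
        state = f"raw=0x{a.element:02x}"
    return f"{phase} {state}"


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes


def detect(frames: Iterable[Frame], allowed_masters: set) -> List[str]:
    """Alert on any control-direction ASDU whose source is not an authorised master."""
    alerts = []
    for f in frames:
        a = parse_apdu(f.payload)
        if a is None or a.type_id not in CONTROL_TYPES or f.src in allowed_masters:
            continue
        alerts.append(
            f"{f.src} -> {f.dst}: {TYPE_NAMES.get(a.type_id, a.type_id)} "
            f"{describe_command(a)} CA={a.common_addr} IOA={a.ioa} "
            f"COT={COT_NAMES.get(a.cot, a.cot)}"
        )
    return alerts


# Constructed sample traffic for this example (assumed addresses, not a real capture).
MASTER, RTU, ROGUE = "10.0.1.10", "10.0.2.50", "10.0.3.77"
SAMPLE_FRAMES = [
    Frame(MASTER, RTU, bytes.fromhex("68 04 07 00 00 00")),                                # U-format STARTDT act
    Frame(RTU, MASTER, bytes.fromhex("68 0e 00 00 00 00 01 01 03 00 01 00 64 00 00 01")),  # M_SP_NA_1, IOA 100 = ON
    Frame(MASTER, RTU, bytes.fromhex("68 0e 02 00 02 00 2d 01 06 00 01 00 64 00 00 01")),  # C_SC_NA_1 execute ON
    Frame(ROGUE, RTU,  bytes.fromhex("68 0e 00 00 00 00 2e 01 06 00 01 00 c8 00 00 82")),  # C_DC_NA_1 select ON
    Frame(ROGUE, RTU,  bytes.fromhex("68 0e 02 00 00 00 2e 01 06 00 01 00 c8 00 00 02")),  # C_DC_NA_1 execute ON
]

if __name__ == "__main__":
    for line in detect(SAMPLE_FRAMES, {MASTER}):
        print("ALERT", line)
```

Only the two frames from the rogue host are reported; the master's own single command and the RTU's spontaneous measurement pass silently. In a real deployment the frame list comes from a TCP/2404 stream reassembled per connection, and the allow-list should be the SCADA master's address plus any engineering workstation explicitly permitted to write to the RTU.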
Tomi Engdahl says:
Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
https://www.securityweek.com/microsoft-catches-chinese-gov-hackers-in-guam-critical-infrastructure-orgs/
In a campaign called Volt Typhoon, Microsoft says Chinese government hackers were siphoning data from critical infrastructure organizations in Guam, a U.S. territory in the Pacific Ocean.
Rohan Goswami / CNBC:
Microsoft says Chinese state-sponsored hackers compromised “critical infrastructure organizations” across US industries, with a focus on gathering intelligence.
Microsoft warns that China hackers attacked U.S. infrastructure
https://www.cnbc.com/2023/05/24/microsoft-warns-that-china-hackers-attacked-us-infrastructure.html
Chinese state-sponsored hackers have compromised “critical” cyber infrastructure in a variety of industries, including government and communications organizations, Microsoft said Wednesday.
The hacking group is codenamed “Volt Typhoon,” and has been in operation since 2021.
Impacted parties have already been notified.
Tomi Engdahl says:
MedTech devices and connectivity – exciting opportunities, tightening regulations
https://www.etteplan.com/stories/medtech-connectivity-exciting-opportunities-tightening-regulations
The requirements placed on MedTech products with connectivity are increasing. This is due to regulations such as the European Union’s Medical Device Regulation (MDR), the new Data Act, and stricter cyber security requirements in health care.
Tomi Engdahl says:
Google Issues Android TV Security Warning https://www.forbes.com/sites/daveywinder/2023/05/30/google-issues-security-warning-for-android-tv-users/
Google has issued a warning to users of Android TV OS devices to be aware that some TV boxes are not what they appear, certainly when it comes to the security implications for their users.
In an official Google Android TV OS support forum posting, a Google employee confirms that the company has “recently received questions regarding TV boxes that are built with Android Open Source Project and are being marketed to appear as Android TV OS devices.”
However, as we all know, appearances can be deceptive. Even though, the warning continues, these may have Google apps and even the Play Store installed, that doesn’t mean these are licensed by Google. Which means, it continues, “these devices are not Play Protect certified.”
Original:
https://support.google.com/androidtv/thread/217840369?hl=en&sjid=6644248032415929751-NA
Tomi Engdahl says:
Medical devices with connectivity features improve patient care greatly. However, connectivity also presents a vulnerability to cybersecurity incidents. This article goes into detail about the growing market of connected medical devices and the constraints posed by cybersecurity requirements and regulations.
#IoMT #MedicalDevices #HealthTech #EngineeringWithADifference
https://www.etteplan.com/stories/medtech-connectivity-exciting-opportunities-tightening-regulations?utm_source=facebook&utm_medium=paid&utm_campaign=SES_Medtech_23-05-06_en&utm_content=article_medtech-connectivity-exciting-opportunities-tightening-regulations&fbclid=IwAR2zyK6yF5eeZDwevUuulOc1fsmsVVn4Lwai7EBOwxUiLRUqYRTVHYCLOy4_aem_th_AUwwgfnj5km7c-ABHw_ITErXH5Wrg4EfNdvJMBDxnJIgGxmB2UP_1AWzIw9QhENqSFIBKM0uT_HBl8a_OafVyY1c