Device Security - Monthly Newsletter - January 2020

Monthly Newsletter  January 08, 2020

At a Glance...

Happy 2020 - we hope this year will be a safe and secure one for you and for all your connected devices! So how did 2019 end and 2020 start on the device security front? Let's look at some examples so you can draw your own conclusions.

The new Mozi P2P botnet is actively targeting Netgear, D-Link and Huawei routers by probing for weak Telnet passwords that let it compromise them. Multiple vulnerabilities were found, including in the popular GoAhead Web Server, the Linux Kernel, and Amazon-owned Blink XT2 security cameras.

Recent vulnerabilities led the FBI to take IoT cybersecurity awareness one step further and issue a set of “basic network housekeeping” guidelines for laypeople. Security of Connected Devices bills in California and Oregon came into effect January 1. You can learn more from our blog post on the Key Takeaways from the California Bill.

As always, the Vdoo team is here to answer any questions you may have about achieving optimal security for your connected products in general, and about the issues listed below in particular.

Attacks on Connected Devices

Security experts from 360 Netlab spotted a new Mozi P2P botnet that is actively targeting Netgear, D-Link, and Huawei routers by probing for weak Telnet passwords that let it compromise them (you can find the full list of devices and vulnerabilities in the article). According to the researchers, in the last few months the botnet was mainly involved in DDoS attacks. Experts also noticed that the sample borrows part of its code from the Gafgyt malware. The botnet implements a custom extended Distributed Hash Table (DHT) protocol that provides a lookup service similar to a hash table ([key, value]). Read the full article

Vulnerabilities in Connected Devices

Tenable announced that its research team discovered seven vulnerabilities in Amazon-owned Blink XT2 security cameras. The exploits could give attackers complete control over an affected device, allowing them to remotely view camera footage, listen to audio output, and hijack the device for use in a botnet to perform, for example, distributed denial of service (DDoS) attacks, steal data or send spam. Amazon responded quickly by releasing patches for the vulnerabilities, urging users to update to firmware version 2.13.11 or later. Read the full article

[CVE-2019-5096] Embedthis GoAhead Web Server RCE Vulnerability

A Cisco Talos researcher discovered that Embedthis GoAhead Web Server versions 5.0.1 and prior are prone to both remote code execution and DoS vulnerabilities. An attacker can exploit the RCE issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause a DoS condition. Read the full article

Linux Kernel Multiple Denial of Service Vulnerabilities

1,053 Linux Kernel versions prior to 5.2.9 have been found to be prone to multiple DoS vulnerabilities. The various vulnerabilities were discovered and reported to the vendor by independent researchers and the issues were then reported by the vendor. Read the full article

Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis

More reports about Amazon Doorbells getting hijacked. In Mississippi, for example, hackers hijacked an indoor Amazon Ring camera placed in a bedroom and used it to talk to three young girls. And, as Motherboard first showed, there are tools available online for breaking into Ring accounts by strategically guessing their login credentials. Read the full article

FBI Issues ‘Drive-By’ Hacking Warning

The FBI takes IoT cybersecurity awareness one step further by issuing a set of “basic network housekeeping” guidelines for laypeople. The advice includes changing default passwords; checking permissions granted to mobile apps; frequently using OTA and auto-updates; and general awareness in terms of keeping a list of the devices you allow to access your WiFi. Read the full article

Regulations for Connected Devices

Security of Connected Devices bills come into effect January 1

The two device-specific cybersecurity laws (California Senate Bill 327 and Oregon House Bill 2395) aim to improve and measure the security of connected devices. An op-ed by acclaimed law journal Lexology calls on insurance companies to stay tuned as these regulations will define the future device manufacturing landscape. Read the full article

Also see our blog post on Key Takeaways from the California "Security of Connected Devices" Senate Bill (SB-327).

This Is What Vdoo...

Don't miss any of our weekly blog posts - our first post of 2020 is on Setting Up U-Boot to Harden the Boot Process. Since having a secure boot-up process is a critical factor in ensuring device security and trustworthy software execution, we show you how to set up the popular U-Boot bootloader to achieve a secure configuration, hardening the boot process by removing unnecessary and insecure functionality such as shell and network access.


Vdoo’s monthly newsletter covers the latest attacks, vulnerabilities and regulations that would be of interest to anyone involved in product security – practitioners in the field, security executives, device manufacturers, implementation consultants, enterprise end-users, security service providers, and many more.
