At a Glance...
Happy 2020 - we hope this year will be a safe and secure one for you and for all your connected devices! So how did 2019 end and 2020 start on the device security front? Let's look at some examples so you can draw your own conclusions.
The new Mozi P2P botnet is actively targeting Netgear, D-Link and Huawei routers by probing for weak Telnet passwords that allow it to compromise them. Multiple vulnerabilities were found, including in the popular GoAhead Web Server, the Linux Kernel, and Amazon-owned Blink XT2 security cameras.
Recent vulnerabilities led the FBI to take IoT cybersecurity awareness one step further and issue a set of “basic network housekeeping” guidelines for laypeople. Security of Connected Devices bills in California and Oregon came into effect on January 1. You can learn more from our blog post on the Key Takeaways from the California Bill.
As always, the Vdoo team is here to answer any questions you may have about achieving optimal security for your connected products in general, and about the issues listed below in particular.
Attacks on Connected Devices
Security experts from 360 Netlab spotted a new Mozi P2P botnet that is actively targeting Netgear, D-Link, and Huawei routers by probing for weak Telnet passwords that allow it to compromise them (you can find the full list of devices and vulnerabilities in the article). According to the researchers, in the last few months the botnet was mainly involved in DDoS attacks. Experts also noticed that the sample borrows part of its code from the Gafgyt malware. The botnet implements a custom extended Distributed Hash Table (DHT) protocol that provides a lookup service similar to a hash table ([key, value]). Read the full article
Vulnerabilities in Connected Devices
Tenable announced that its research team discovered seven vulnerabilities in Amazon-owned Blink XT2 security cameras. The exploits could give attackers complete control over an affected device, allowing them to remotely view camera footage, listen to audio output, and hijack the device for use in a botnet to perform, for example, distributed denial of service (DDoS) attacks, steal data or send spam. Amazon responded quickly by releasing patches for the vulnerabilities, urging users to update to firmware version 2.13.11 or later. Read the full article
A Cisco Talos researcher discovered that Embedthis GoAhead Web Server versions 5.0.1 and prior are prone to both remote code execution and DoS vulnerabilities. An attacker can exploit the RCE issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause a DoS condition. Read the full article
1,053 Linux Kernel versions prior to 5.2.9 have been found to be prone to multiple DoS vulnerabilities. The various vulnerabilities were discovered and reported to the vendor by independent researchers and the issues were then reported by the vendor. Read the full article
More reports about Amazon Doorbells getting hijacked. In Mississippi, for example, hackers hijacked an indoor Amazon Ring camera placed in a bedroom and used it to talk to three young girls. And, as Motherboard first showed, there are tools available online for breaking into Ring accounts by strategically guessing their login credentials. Read the full article
The FBI takes IoT cybersecurity awareness one step further by issuing a set of “basic network housekeeping” guidelines for laypeople. The advice includes changing default passwords; checking permissions granted to mobile apps; frequently using OTA and auto-updates; and general awareness in terms of keeping a list of the devices you allow to access your WiFi. Read the full article
Regulations for Connected Devices
Security of Connected Devices bills come into effect January 1. The two device-specific cybersecurity laws (California Senate Bill 327 and Oregon House Bill 2395) aim to improve and measure the security of connected devices. An op-ed by acclaimed law journal Lexology calls on insurance companies to stay tuned, as these regulations will define the future device manufacturing landscape. Read the full article
Also see our blog post on Key Takeaways from the California "Security of Connected Devices" Senate Bill (SB-327).
This Is What Vdoo...
Don't miss any of our weekly blog posts - our first post of 2020 is on Setting Up U-Boot to Harden the Boot Process. Since having a secure boot-up process is a critical factor in ensuring device security and trustworthy software execution, we show you how to set up the popular U-Boot bootloader to achieve a secure configuration, hardening the boot process by removing unnecessary and insecure functionality such as shell and network access.