Device Security - Monthly Newsletter - December 2019

Monthly Newsletter  December 12, 2019

At a Glance...

Amazon has to fix its devices again, while D-Link simply adds them to the "no fix" list. Palo Alto Networks found a severe Docker vulnerability, and in Israeli researcher found control panels for aircraft warning lights that were open on the internet (scary!)

As expected, more regulations, standards and best practices are headed our way. Leading the pack is Finnish Transport and Communications Agency Traficom with its Security Mark. Other worthy mentions include the IoTSF and IAMSE Consortium partnership, as well as the ENISA guide on good practices for security of Smart Cars.

As always, the Vdoo team is here to to answer any questions you may have about achieving optimal security for your connected products in general, and about the issues listed below in particular.

Since this is a monthly newsletter, we'd like to take this opportunity to wish you happy holidays and a wonderful new year. We'll see you again in 2020!

IoT Attacks

Thousands of QNAP NAS devices have been infected with the QSnatch malware

On Oct. 31, the German Computer Emergency Response Team (CERT-Bund) reported that over 7,000 network-attached storage (NAS) devices from Taiwanese vendor QNAP had been infected with a new strain of malware named QSnatch. According to the Qnap advisory, the affected NAS devices include QNAP NAS devices with QTS 4.2.6 build 20181227, QTS 4.3.3 build 20190102, QTS 4.3.4 build 20190102, QTS 4.3.6 build 20181228 and earlier versions. Read the full article

Iranian hacker group homing in on industrial systems

Microsoft researchers reported at CyberwarCon that the Iranian hacker group, nicknamed APT 33, has shifted from attacking IT networks to focusing on disrupting critical infrastructure by targeting physical control systems used in electric utilities, manufacturing and oil refineries. APT 33 has a history of attacking aerospace and oil operations, as well as politicians, academics and the water source for a U.S. military facility. It has been connected to two strains of hard drive erasing "wiper" malware known as ShapeShift and Shamoon, which has been used in some of the most destructive cyberattacks in history, including an attack on Saudi Aramco. Read the full article

IoT Vulnerabilities

Amazon fixes Ring Video Doorbell wi-fi security vulnerability

Cybersecurity company Bitdefender disclosed a security vulnerability in Amazon's Ring Video Doorbell Pro devices which allows attackers to exploit the internet-connected doorbell in order to intercept the owner's wi-fi credentials, giving them unauthorized access to the network and to other devices on it. Read the full article

Improper input validation on Dbell Smart Doorbell can lead to attackers remotely unlocking door

Noah Clements, who works for the Bulletproof IT firm, discovered a vulnerability in Dbell smart doorbells purchased four years ago. This vulnerability allows any user to launch commands without authentication verification through the doorbell’s web server. More specifically, if there is a lock connected to the relay switch on the doorbell, you can unlock the door locally on the network or remotely if it is exposed to the internet. This vulnerability remains unpatched. Read the full article -

CVE-2019-14271: most severe docker vulnerability to date

This new vulnerability, discovered by Unit 42 of Palo Alto Networks, marks a security issue in the implementation of the Docker cp command that can lead to full container escape when exploited by an attacker. This is the first complete container breakout since the severe runC vulnerability discovered back in February. The docker cp command uses chroot to run a helper binary inside a given docker container. The problem occurs when that binary loads the shared libnss library. It’s already running inside a chroot so it loads the library from the docker container, allowing an attacker to simply replace a container’s libnss library with a malicious version. This way, the next time docker cp is used to copy a file out of that container, the attacker’s code runs as root outside the container. Read the full article

D-Link has warned that more of its routers are vulnerable to critical flaws that allow remote hackers to take control of the hardware, but the company is not planning to fix them because they say that the hardware has reached its end-of-life and will no longer receive security updates. D-Link identified the affected models as: DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L and DIR-862. What isn’t clear from the announcement is if the bug is similar to the CVE-2019-16920 discovered in October by FortiGuard Labs. The new list of D-Link hardware includes four never-before identified routers with an unauthorized RCE flaw – DIR-862, DIR-330, DGL-5500 and DIR-866. Read the full article

Experts discovered control systems for aircraft warning lights open online

The independent researcher Amitay Dan discovered that control panels for aircraft warning lights were exposed to the Internet, potentially allowing attackers to control them. The vulnerabilities affected the “obstruction lighting” that alerts aircraft to the presence of obstacles. At least 46 control panels were discovered to be exposed online. Urged by the FAA, Dialight identified the impacted customers and helped them in fixing this issue. Read the full article

IoT Regulation

New publication from ENISA: "Good Practices for the Security of IoT - Secure Software Development Lifecycle"

This ENISA study introduces good practices for IoT security, with a particular focus on software development guidelines for secure IoT products and services throughout their lifetime. The report provides security considerations and guidelines for all phases of software development, beginning with requirements, software design and development/implementation, all the way to testing and acceptance, integration and deployment, as well as maintenance and disposal. Read the full article

Australia releases draft IoT cybersecurity code of practice

The draft, which applies to all IoT devices available in Australia including "everyday smart devices that connect to the internet, such as smart TVs, watches, and home speakers", will be available for public review and consultation until March 1st, 2020. This voluntary Code of Practice is intended for an industry audience, but the Australian government encourages anyone who would like to make a contribution to do so. According to Vdoo security architect, Leo Dorrendorf, the draft is very similar to the DCMS UK Code of Practice document, containing 13 similar requirements with slight permutations. Read the full article

China publishes first law on encryption

China published its first national law on encryption which will come into effect starting 1 January 2020. The law broadens the current regulatory scope of encryption, liberalizes commercial encryption at the national law level, and proposes a market-oriented regulatory regime for the commercial encryption industry. Foreign and foreign-invested entities are given equal treatment and rights in accessing the commercial encryption market and using commercial encryption in China. Read the full article

Finland launches cybersecurity label for IoT devices

The Security Mark issued by the Finnish Transport and Communications Agency Traficom indicates that the product or service bearing the mark was designed to be secure. When applying for a Security Mark for a product or service, a company must provide information about the product or service features using the compliance form. The Cyber Security Center then evaluates that information and runs interface tests and audits on the security features of the product or service. This certification (ETSI EN 303 645) is a draft European Standard. It is a more detailed but still very close derivative of ETSI EN 103 645 which has the same title (Cyber Security for Consumer Internet of Things) but is a Technical Specification that Vdoo has already mapped in our platform. Read the full article

ENISA report on good practices for security of Smart Cars

The European Union Agency for Cybersecurity (ENISA) issued a new report defining good practices for security of smart cars, namely connected and (semi-) autonomous vehicles. The new report presents a more in-depth analysis of the conclusions reached in ENISA’s 2017 study, "The ENISA Cybersecurity and Resilience of Smart Cars—Good Practices and Recommendations", which focused on V2V, V2X, AI and machine learning as the main trends that are predicted to cause an increase in the number of cyber threats, and the related risk and damage potential. Taking stock of all existing standardization, legislative and policy initiatives, this report aims to serve as a reference point to promote cybersecurity for smart cars across Europe and raise awareness regarding the relevant threats and risks with a focus on “cybersecurity for safety”. ENISA’s study brings together players across the entire spectrum of the automotive sphere and reflects ongoing policy developments in the EU. The document is expected to serve as the reference for automotive cybersecurity, even outside the EU. Read the full article

The IoT Security Foundation and the IASME Consortium announce partnership to offer consumer IoT conformance scheme

The IoT Security Foundation and the IAMSE Consortium announced a partnership that aims to address entry-level cybersecurity requirements for consumer IoT products in the UK market. The scheme provides a baseline that is both low cost and simple to implement for manufacturers, based on a set of 30 checks which can be verified by a national network of certifying bodies. Once the applicant satisfies those checks, a certificate is issued and the company is able to add the Basic tick mark to their marketing materials. Both organizations are now encouraging manufacturers and retailers to take a look at the scheme which can be found on the IAMSE site Read the full article

This Is What Vdoo...

Vdoo was listed by CRN as one of The 10 Hottest IoT Startups Of 2019!.

We also published our first open source project on GitHub - a Ghidra .pyi Generator that generates .pyi type stubs for the entire Ghidra API. Those stub files can later be used in PyCharm to enhance the development experience.

Share this post
Monthly Newsletter

Monthly Newsletter

Monthly Newsletter

Vdoo’s monthly newsletter covers the latest attacks, vulnerabilities and regulations that would be of interest to anyone involved in product security – practitioners in the field, security executives, device manufacturers, implementation consultants, enterprise end-users, security service providers, and many more.

Our latest updates