At a Glance...
Amazon has to fix its devices again, while D-Link simply adds more of them to the "no fix" list. Palo Alto Networks found a severe Docker vulnerability, and an Israeli researcher found control panels for aircraft warning lights that were open on the internet (scary!).
As expected, more regulations, standards and best practices are headed our way. Leading the pack is the Finnish Transport and Communications Agency Traficom with its Security Mark. Other worthy mentions include the IoTSF and IASME Consortium partnership, as well as the ENISA guide on good practices for the security of smart cars.
As always, the Vdoo team is here to answer any questions you may have about achieving optimal security for your connected products in general, and about the issues listed below in particular.
Since this is a monthly newsletter, we'd like to take this opportunity to wish you happy holidays and a wonderful new year. We'll see you again in 2020!
Thousands of QNAP NAS devices have been infected with the QSnatch malware
On Oct. 31, the German Computer Emergency Response Team (CERT-Bund) reported that over 7,000 network-attached storage (NAS) devices from Taiwanese vendor QNAP had been infected with a new strain of malware named QSnatch. According to the QNAP advisory, the affected devices are QNAP NAS units running QTS 4.2.6 build 20181227, QTS 4.3.3 build 20190102, QTS 4.3.4 build 20190102, QTS 4.3.6 build 20181228 and earlier versions. Read the full article
Iranian hacker group homing in on industrial systems
Microsoft researchers reported at CyberwarCon that the Iranian hacker group nicknamed APT 33 has shifted from attacking IT networks to disrupting critical infrastructure by targeting the physical control systems used in electric utilities, manufacturing and oil refineries. APT 33 has a history of attacking aerospace and oil operations, as well as politicians, academics and the water source for a U.S. military facility. It has been connected to two strains of hard-drive-erasing "wiper" malware known as ShapeShift and Shamoon; the latter has been used in some of the most destructive cyberattacks in history, including an attack on Saudi Aramco. Read the full article
Amazon fixes Ring Video Doorbell wi-fi security vulnerability
Cybersecurity company Bitdefender disclosed a security vulnerability in Amazon's Ring Video Doorbell Pro devices which allows attackers to exploit the internet-connected doorbell in order to intercept the owner's wi-fi credentials, giving them unauthorized access to the network and to the other devices on it. Read the full article
Improper input validation on Dbell Smart Doorbell can lead to attackers remotely unlocking door
Noah Clements, who works for the IT firm Bulletproof, discovered a vulnerability in Dbell smart doorbells purchased four years ago. The vulnerability allows any user to issue commands through the doorbell's web server without any authentication check. More specifically, if a lock is connected to the relay switch on the doorbell, an attacker can unlock the door from the local network, or remotely if the doorbell is exposed to the internet. This vulnerability remains unpatched. Read the full article - http://noahclements.com/Improper-Input-Validation-on-dbell-Smart-Doorbell-Can-Lead-To-Attackers-Remotely-Unlocking-Door
CVE-2019-14271: most severe docker vulnerability to date
This new vulnerability, discovered by Unit 42 of Palo Alto Networks, is a security issue in the implementation of the docker cp command that can lead to a full container escape when exploited by an attacker. It is the first complete container breakout since the severe runC vulnerability discovered back in February. The docker cp command uses chroot to run a helper binary inside the given container. The problem occurs when that binary loads the shared libnss library: because it is already running inside the chroot, it loads the library from the container's own filesystem, so an attacker only needs to replace the container's libnss library with a malicious version. The next time docker cp is used to copy a file out of that container, the attacker's code runs as root outside the container. Read the full article
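Because the trigger is a libnss library inside the container that no longer matches what the trusted image shipped, one defensive check is to baseline the hashes of a container's NSS libraries and flag any drift before the image is used with docker cp. The script below is an added example, not code from the newsletter or from Unit 42's write-up; the root filesystem layout, file contents and hashes in it are constructed for the demo, and a real baseline would be recorded from the trusted base image at build time.

```python
"""Baseline-integrity check for NSS libraries in an extracted container rootfs.

Added example (not from the Vdoo newsletter or Palo Alto Networks' write-up).
CVE-2019-14271 is triggered by a modified libnss* library inside a container
that the docker cp helper later loads; this script flags any libnss_*.so* file
whose SHA-256 differs from a recorded baseline, that is absent from the
baseline, or that the baseline lists but is now missing.
All paths and file contents below are constructed stand-ins, not real ELF files.
"""
import hashlib
import tempfile
from pathlib import Path

# glibc NSS backends follow this naming pattern (libnss_files, libnss_dns, ...)
NSS_GLOB = "libnss_*.so*"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large libraries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(rootfs: Path) -> dict[str, str]:
    """Record the SHA-256 of every libnss_*.so* file under rootfs, keyed by relative path."""
    return {
        p.relative_to(rootfs).as_posix(): sha256_file(p)
        for p in rootfs.rglob(NSS_GLOB)
        if p.is_file()
    }


def find_drift(rootfs: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Return (relative path, reason) for NSS libraries that changed, appeared or vanished."""
    current = build_baseline(rootfs)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "hash mismatch"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "missing"))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: baseline a clean rootfs, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = Path(tmp)
        libdir = rootfs / "lib" / "x86_64-linux-gnu"
        libdir.mkdir(parents=True)
        # Stand-ins for the libraries a trusted base image would ship.
        (libdir / "libnss_files.so.2").write_bytes(b"\x7fELF constructed stand-in 1")
        (libdir / "libnss_dns.so.2").write_bytes(b"\x7fELF constructed stand-in 2")
        baseline = build_baseline(rootfs)

        # Simulate the condition the write-up describes: one NSS library replaced,
        # plus a library the base image never shipped.
        (libdir / "libnss_files.so.2").write_bytes(b"\x7fELF replaced content")
        (libdir / "libnss_extra.so.2").write_bytes(b"\x7fELF not in base image")
        return find_drift(rootfs, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

In practice the baseline would be computed from the image layers at build time and the check run against the container's filesystem (for example an export of it) before any host-side tooling operates on the container; an untouched container produces an empty findings list.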
D-Link adds more buggy router models to ‘won’t fix’ list
D-Link has warned that more of its routers are vulnerable to critical flaws that allow remote attackers to take control of the hardware, but the company is not planning to fix them because it says the hardware has reached end-of-life and will no longer receive security updates. D-Link identified the affected models as: DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L and DIR-862. What isn't clear from the announcement is whether the bug is similar to CVE-2019-16920, discovered in October by FortiGuard Labs. The new list of D-Link hardware includes four routers not previously identified as having an unauthenticated RCE flaw: DIR-862, DIR-330, DGL-5500 and DIR-866. Read the full article
Experts discovered control systems for aircraft warning lights open online
The independent researcher Amitay Dan discovered that control panels for aircraft warning lights were exposed to the internet, potentially allowing attackers to control them. The vulnerabilities affected the "obstruction lighting" that alerts aircraft to the presence of obstacles. At least 46 control panels were found to be exposed online. Urged by the FAA, Dialight identified the impacted customers and helped them fix the issue. Read the full article
New publication from ENISA: "Good Practices for the Security of IoT - Secure Software Development Lifecycle"
This ENISA study introduces good practices for IoT security, with a particular focus on software development guidelines for secure IoT products and services throughout their lifetime. The report provides security considerations and guidelines for all phases of software development, beginning with requirements, software design and development/implementation, all the way to testing and acceptance, integration and deployment, as well as maintenance and disposal. Read the full article
Australia releases draft IoT cybersecurity code of practice
The draft, which applies to all IoT devices available in Australia including "everyday smart devices that connect to the internet, such as smart TVs, watches, and home speakers", will be available for public review and consultation until March 1st, 2020. This voluntary Code of Practice is intended for an industry audience, but the Australian government encourages anyone who would like to make a contribution to do so. According to Vdoo security architect, Leo Dorrendorf, the draft is very similar to the DCMS UK Code of Practice document, containing 13 similar requirements with slight permutations. Read the full article
China publishes first law on encryption
China published its first national law on encryption which will come into effect starting 1 January 2020. The law broadens the current regulatory scope of encryption, liberalizes commercial encryption at the national law level, and proposes a market-oriented regulatory regime for the commercial encryption industry. Foreign and foreign-invested entities are given equal treatment and rights in accessing the commercial encryption market and using commercial encryption in China. Read the full article
Finland launches cybersecurity label for IoT devices
The Security Mark issued by the Finnish Transport and Communications Agency Traficom indicates that the product or service bearing the mark was designed to be secure. When applying for a Security Mark for a product or service, a company must provide information about the product or service features using the compliance form. The Cyber Security Center then evaluates that information and runs interface tests and audits on the security features of the product or service. The underlying certification (ETSI EN 303 645) is a draft European Standard. It is a more detailed but still very close derivative of ETSI TS 103 645, which has the same title (Cyber Security for Consumer Internet of Things) but is a Technical Specification, and which Vdoo has already mapped in our platform. Read the full article
ENISA report on good practices for security of Smart Cars
The European Union Agency for Cybersecurity (ENISA) issued a new report defining good practices for security of smart cars, namely connected and (semi-) autonomous vehicles. The new report presents a more in-depth analysis of the conclusions reached in ENISA’s 2017 study, "The ENISA Cybersecurity and Resilience of Smart Cars—Good Practices and Recommendations", which focused on V2V, V2X, AI and machine learning as the main trends that are predicted to cause an increase in the number of cyber threats, and the related risk and damage potential. Taking stock of all existing standardization, legislative and policy initiatives, this report aims to serve as a reference point to promote cybersecurity for smart cars across Europe and raise awareness regarding the relevant threats and risks with a focus on “cybersecurity for safety”. ENISA’s study brings together players across the entire spectrum of the automotive sphere and reflects ongoing policy developments in the EU. The document is expected to serve as the reference for automotive cybersecurity, even outside the EU. Read the full article
The IoT Security Foundation and the IASME Consortium announce partnership to offer consumer IoT conformance scheme
The IoT Security Foundation and the IASME Consortium announced a partnership that aims to address entry-level cybersecurity requirements for consumer IoT products in the UK market. The scheme provides a baseline that is both low cost and simple for manufacturers to implement, based on a set of 30 checks which can be verified by a national network of certifying bodies. Once the applicant satisfies those checks, a certificate is issued and the company is able to add the Basic tick mark to its marketing materials. Both organizations are now encouraging manufacturers and retailers to take a look at the scheme, which can be found on the IASME site. Read the full article
This Is What Vdoo...
Vdoo was listed by CRN as one of The 10 Hottest IoT Startups Of 2019!
We also published our first open source project on GitHub: a Ghidra .pyi Generator that generates .pyi type stubs for the entire Ghidra API. Those stub files can then be used in PyCharm to enhance the development experience.