Device Security Newsletter - August 2020

Monthly Newsletter  August 19, 2020

At a Glance

As always, we hope you are healthy and safe during these troubling times.

July was full of developments related to standards, best practices and government regulation across the globe. 

The ETSI Technical Committee on Cybersecurity (TC CYBER) unveiled ETSI EN 303 645, a standard for cybersecurity in the Internet of Things (IoT). This standard establishes a security baseline for internet-connected consumer products and provides a basis for future IoT certification schemes.

Japan embarked on an ambitious project: scanning its entire 200 million IPv4 address pool for insecure connected devices. Their targets were devices such as routers, web cameras and sensors that use default login credentials as well as devices infected with malware such as Mirai. The plan, called the National Operation Towards IoT Clean Environment, or NOTICE, involves alerting ISPs of problematic IP addresses.

BSA | The Software Alliance has released a new publication: Policy Principles for Building a Secure and Trustworthy Internet of Things. BSA offers twelve responsible, risk-based steps that governments around the world can take to address these challenges and build trust in the IoT.

Meanwhile in Europe, the UK government has published proposals for a new law that will help protect millions of smart device users from cyber criminals. The proposals, drawn up by the Department for Digital, Culture, Media and Sport (DCMS) and supported by the technical expertise of the National Cyber Security Centre (NCSC), detail the government’s plans to raise the security standard for all consumer smart products sold in the UK.

As always, the Vdoo team is here to answer any questions you may have about the impact of new regulations and standards on device security requirements, or about achieving optimal security for your connected products in general. Our thoughts are with our readers so keep well!

 

Attacks on Connected Devices

The new Bigviktor botnet is targeting DrayTek Vigor routers

On June 17, 2020, the 360Netlab Threat Detecting System flagged an interesting ELF sample (dd7c9d99d8f7b9975c29c803abdf1c33). Further analysis shows that this is a DDoS bot program that propagates through the CVE-2020-8515 vulnerability, which targets DrayTek Vigor router devices, and uses a DGA (domain generation algorithm) to generate its C2 domain names.
[Read the full article]

New Mirai variant includes exploit for a flaw in Comtrend Routers

Malware researchers have discovered a new version of the Mirai IoT botnet that includes an exploit for the CVE-2020-10173 vulnerability impacting Comtrend routers. The Mirai botnet was first discovered in August 2016 by MalwareMustDie researchers; later its source code was leaked online. Since 2016, security experts have discovered numerous variants of the Mirai botnet such as Masuta, Okiru, Satori, Mukashi, SORA, and Tsunami. The new variant spotted by Trend Micro researchers targets the CVE-2020-10173 authenticated command injection vulnerability in Comtrend VR-3033 routers. Experts believe that the vulnerability impacting Comtrend routers will likely be exploited by other DDoS botnets as well.
[Read the full article]

Two more cyber attacks hit Israel’s water facilities in June

In April, an attack hit an Israeli water facility in an attempt to modify water chlorine levels. In July, officials from the Water Authority revealed two more cyber attacks on other facilities in the country. Both attacks took place in June and, according to the officials, did not cause any damage to the targeted infrastructure. One of the attacks hit agricultural water pumps in the upper Galilee, while the other hit water pumps in the central province of Mateh Yehuda.
[Read the full article]

 

Vulnerabilities in Connected Devices

Over 100 Wi-Fi routers fail major security test

Almost all home Wi-Fi routers tested in a mass study by Germany's renowned Fraunhofer Institute had serious security vulnerabilities that could easily be fixed by router makers, a recently released report states. "Nearly all were found to have security flaws, some of them very severe," the Fraunhofer Institute said in a press release. "The problems range from missing security updates to easily decrypted, hard-coded passwords and known vulnerabilities that should have been patched long ago."
The institute tested the most recently available firmware for 117 home Wi-Fi models currently sold in Europe, including routers from ASUS, D-Link, Linksys, Netgear, TP-Link, Zyxel and the small German brand AVM.
[Read the full article]

 

Regulations for Connected Devices

ETSI Releases World-Leading Consumer IoT Security Standard

The ETSI Technical Committee on Cybersecurity (TC CYBER) unveiled ETSI EN 303 645, a standard for cybersecurity in the Internet of Things that establishes a security baseline for internet-connected consumer products and provides a basis for future IoT certification schemes. Based on the ETSI specification TS 103 645, EN 303 645 went through National Standards Organization comments and voting, engaging even more stakeholders in its development and ultimately strengthening the resulting standard. The EN is a result of collaboration and expertise from industry, academics and government.
[Read the full article]

Japan's IoT Scanning Project: Insecure Devices Found

Japan embarked on an ambitious project: scanning its entire 200 million IPv4 address pool for insecure connected devices. Their targets were devices such as routers, web cameras and sensors that use default login credentials, as well as devices infected with malware such as Mirai. The plan, called the National Operation Towards IoT Clean Environment, or NOTICE, involves alerting ISPs of problematic IP addresses. Those ISPs then get in contact with their customers, who, in theory, can take action to secure their devices. Japan's National Institute of Information and Communications Technology, or NICT, which ran the program, recently released an overview of the findings for fiscal 2019. The results are encouraging: the problems are not severe, but they do highlight how many insecure devices remain exposed.
Port-scanning surveys are conducted once a month. A recent survey found 100,000 devices open to the internet that would accept authentication credentials. Of those, 2,249 would accept weak access credentials, NICT says. The average number of notifications sent to ISPs for devices that appear to be infected with malware is 162 per day, NICT says. There was a notable spike this year, however.
[Read the full article]

BSA Policy Principles for Building a Secure and Trustworthy Internet of Things

BSA | The Software Alliance’s Policy Principles for Building a Secure and Trustworthy Internet of Things offers twelve responsible, risk-based steps that governments around the world can take to address these challenges and build trust in the IoT.
[Read the full article]

CISA Releases Securing Industrial Control Systems: A Unified Initiative

The Cybersecurity and Infrastructure Security Agency (CISA) has released its five-year industrial control systems (ICS) strategy: Securing Industrial Control Systems: A Unified Initiative. The strategy—developed in collaboration with industry and government partners—lays out CISA's plan to improve, unify, and focus the effort to secure ICS and protect critical infrastructure.
[Read the full article]

UK Government advances plans to boost security of smart products

The government has published proposals for a new law that will help protect millions of smart device users from cyber criminals. The proposals, drawn up by the Department for Digital, Culture, Media and Sport (DCMS) and supported by the technical expertise of the National Cyber Security Centre (NCSC), detail the government’s plans to raise the security standard for all consumer smart products sold in the UK. As a first step, the standard will make sure they adhere to three important requirements, which may be expanded on over time in consultation with stakeholders. The three requirements are: Device passwords must be unique and not resettable to any universal factory setting; Manufacturers must provide a public point of contact so anyone can report a vulnerability; Information stating the minimum length of time for which the device will receive security updates must be provided to customers.
[Read the full article]

 

This is What Vdoo

This month we have two important updates to share, both related to the capabilities of our device security expert team.

First, Vdoo has joined the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA). We can now help security researchers to disclose embedded device vulnerabilities they discover, as well as streamline the disclosure of vulnerabilities discovered by our own team. Read our announcement!

Second, Vdoo's Chief Scientist, Ilya Khivrich, discovered A Hidden Directory Traversal Vulnerability in QNX Slinger. This rare vulnerability was responsibly disclosed to BlackBerry, which dealt with the issue professionally. The vulnerability has been assigned CVE-2020-6932 with a CVSSv3 score of 10!

Stay safe and healthy, and keep your devices secure!

Vdoo’s monthly newsletter covers the latest attacks, vulnerabilities and regulations that would be of interest to anyone involved in product security – practitioners in the field, security executives, device manufacturers, implementation consultants, enterprise end-users, security service providers, and many more.
