At a Glance...
Only one month into 2020 and, just as predicted, things on the device security front are starting to heat up!
From epic cases of personal data leakage and botnets bringing about stronger GDPR enforcement, to numerous severe vulnerabilities being detected and responsibly disclosed to major manufacturers, here are our January highlights:
- A hacker leaked passwords for more than 500,000 servers, routers and connected devices while Wyze servers exposed 2.4 million customers
- A Xiaomi camera linked to a Google account received images from random users (including images of a baby in its crib)
- Multiple serious vulnerabilities were discovered including in the recently UL-certified GE range of medical devices and in TOTOLINK / other Realtek SDK-based routers
- A brand-new vulnerability, dubbed “Cable Haunt”, was found to affect hundreds of millions of cable modems
The new year and its cyber-perils also had a brighter side with some significant steps forward in the regulation arena. The UK Government responded to regulatory proposals for consumer IoT security with robust statements on technical provisions (watch this space next month for a link to our upcoming blog post on UK post-Brexit cyber-regulation trends)! As always, the Vdoo team is here to answer any questions you may have about achieving optimal security for your connected products in general, and about the issues listed below in particular.
Attacks on Connected Devices
A hacker has published a massive list of Telnet credentials for more than 515,000 servers, home routers and IoT devices. The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet. According to experts, as well as a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker then tried using factory-set default usernames and passwords, or custom but easy-to-guess password combinations. Read the full article
Researchers discovered a new variant of the Muhstik botnet that includes a scanner which allows it to attack Tomato routers for the first time using web authentication brute forcing. Tomato is an open source alternative firmware for routers commonly installed by multiple router vendors and also installed manually by end users. An investigation on Shodan showed that there are more than 4,600 Tomato routers exposed on the Internet. The Muhstik botnet has been alive since March 2018, with a worm-like self-propagating capability to infect Linux servers and connected devices as well as IoT routers such as the GPON home router and DD-WRT router. Read the full article
IoT vendor Wyze reported that “Wyze user data was not properly secured and left exposed.” The exposed data includes the usernames and emails of those who purchased cameras and then connected them to their home; the emails of all the users that they ever shared camera access with; the list of all cameras in the home, the nicknames for each camera, the device model and firmware; Alexa Tokens for 24,000 users who connected their Alexa devices to their Wyze camera; WiFi SSID; API Tokens for access to user accounts; and Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users. Read the full article
Xiaomi Mijia camera owner received still images from other random peoples' homes when trying to stream content from his camera to a Google Nest Hub. The images include stills of people sleeping and even an infant in a cradle. This issue affects the Xiaomi Mijia 1080p Smart IP Security Camera which can be linked to a Google account for use with Google/Nest devices through Xiaomi's Mi Home app/service. Read the full article
Vulnerabilities in Connected Devices
A researcher using the pseudonym CesarSilence discovered a RCE vulnerability in Comtech switches, assigned [CVE-2020-7242], described as follows: Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated administrators to achieve RCE by navigating to the Diagnostics Trace Route page and entering shell metacharacters in the Target IP address field (in some cases, authentication can be achieved with the comtech password for the comtech account.) Read the full article
On January 23, The FDA notified health care providers that "cybersecurity vulnerabilities in certain GE Healthcare Clinical Information Central Stations and Telemetry Servers may introduce risks to patients while being monitored”. According to GE and the FDA, six vulnerabilities have been identified which, if exploited, may allow an attacker to interfere with the function of the device and even render the device unusable. Affected devices include: CARESCAPE Telemetry Server, CARESCAPE Central Station (CSCS) version 2; Bx50 v2 (including B850, B650, B450), and Bx50 v1 (including B850, B650). The vulnerabilities were assigned [CVE-2020-6961], [CVE-2020-6962], [CVE-2020-6964] and [CVE-2020-6965]. Read the full article
Researcher Andrew Klaus discovered a vulnerability in Fortinet’s FortiSIEM versions 5.2.5, 5.2.6. As it turns out, FortiSIEM had a hardcoded SSH public key for user "tunneluser". This means that the same key was used across all installs so that an attacker with this key could successfully authenticate as this user to the FortiSIEM Supervisor. The unencrypted key was also stored inside the FortiSIEM image. While the user's shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds. Read the full article
A bug in the package list parse logic of OpenWrt's opkg fork caused the package manager to ignore SHA-256 checksums embedded in the signed repository index, effectively bypassing integrity checking of downloaded .ipk artifacts. Due to the fact that opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by means of forged .ipk packages with malicious payload. Read the full article
A team of four Danish security researchers disclosed a security flaw, dubbed Cable Haunt, that impacts cable modems using Broadcom chips. The vulnerability allows an attacker to change default DNS server; conduct remote man-in-the-middle attacks; hot-swap code or even the entire firmware; upload, flash, and upgrade firmware silently; disable ISP firmware upgrade; change every config file and settings; get and Set SNMP OID values; change all associated MAC Addresses; change serial numbers; and exploit in botnet. Read the full article
The vulnerabilities include sensitive data disclosure and incorrect access control in several series of Realtek SDK based routers; passwords stored in plaintext in Realtek SDK based routers; code execution in several TOTOLINK routers; incorrectly implemented captcha protection in TOTOLINK routers; and exploiting all of these together on TOTOLINK routers. Read the full article
Regulations for Connected Devices
The measures follow on the previously suggested voluntary Code of Practice for consumer IoT security and the ETSI Technical Specification (TS) 103 645, but the legislation would require that connected devices sold in the UK must follow three particular rules to be allowed to sell products in the UK: - All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting. - Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner. - Manufacturers of consumer IoT devices must explicitly state the minimum length of time that the device will receive security updates at the point of sale, either in store or online.
This is What Vdoo
We hope you didn't miss any of our weekly blog posts, but here are the ones we posted since our January newsletter just in case you did:
- PAN and XOM: When Security Features Collide
- Our 2020 Prediction: Automotive Cybersecurity Will Finally Be Regulated
- Researchers Announce BLAKE3 Hash Function
- The Keys to Securing Industrial IoT (IIoT) Environments
- The Practical Guide to Product Security: Closing the Password Authentication Gap
We're going to attend several conferences over the next few weeks - the RSA Conference (Feb 24-28, San Francisco), ISC West (March 17-20, Las Vegas) and the IoT Device Security Conference (March 26, Santa Clara). Please let us know if you're going to be at any of them so we can schedule a time to meet!