IoT Security - Monthly Newsletter - November 2019
At a Glance...
The discovery of another Gafgyt (AKA Bashlight) variant shows the classic threat posed by ever-evolving malware, just like the many variants of the infamous Mirai.
Multiple device vulnerabilities were published this month, ranging from Amazon Echo speakers to FON routers. One of the most interesting vulnerabilities that was discovered is CVE-2019-2215, which allows elevation of privilege from an application to the Linux kernel and which was used by NSO, the notorious offensive cyber firm.
Gafgyt malware threatens 32,000 SOHO Wi-Fi routers globally
Unit42, Palo Alto Networks’ threat intelligence team, discovered an updated Gafgyt (AKA Bashlight) variant trying to infect thousands of home or small office wireless routers. The Gafgyt botnet was initially uncovered in 2014 and is a popular tool for launching large-scale DDoS attacks. Specifically, three wireless router models are affected: the Zyxel P-660HN-T1A, the Huawei HG532 and the Realtek RTL81XX (CVE-2014-8361). The malware exploits remote code execution vulnerabilities found on all three models. Read the full article (https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/)
Dutch police take down hornets' nest of DDoS botnets
Dutch police took down a vast hosting provider that sheltered tens of IoT botnets, including Fbot, Gafgyt, Hakai, Handymanny, Moobot, Tsunami, Yowai and Mirai. The botnets operating from the provider's (KV's) infrastructure have been scanning the internet over the past year looking to infect a wide range of devices, including ASUS routers, AVTECH IoT devices, GPON routers, Fritz!Box routers, Huawei routers, JAWS web servers (generic IoT), MikroTik routers, Netgear routers and ZTE cable modems. Read the full article (https://www.zdnet.com/article/dutch-police-take-down-hornets-nest-of-ddos-botnets/)
D-Link Home Routers Open to Remote Takeover Will Remain Unpatched
The vulnerability (CVE-2019-16920, first disclosed in September 2019 by Fortinet's FortiGuard Labs) exists in the latest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565 products, which are Wi-Fi routers for the home market. D-Link says that all four models are end-of-life and no longer sold or supported by the vendor (however, the models are still available as new via third-party sellers). Read the full article (https://threatpost.com/d-link-home-routers-unpatched/148941/)
Amazon’s Echo speakers and Kindle e-books are reportedly open to vulnerabilities
The first generation of Amazon Echo speakers and the eighth generation of the Kindle e-reader were found to be vulnerable to Key Reinstallation Attacks (KRACK). ESET discovered that cyber attackers can exploit KRACK to intercept the online signals of these devices and take the first step in using them as surveillance tools. The company said the vulnerabilities are "quite severe" as they could allow attackers to do a range of damage, including DoS attacks, decryption of data or information transmitted by the victims and interception of sensitive information. Read the full article (https://www.marketing-interactive.com/amazon-tightens-security-on-echo-and-kindle-amidst-cyber-attack-vulnerability/)
CVE-2017-8087: Information leakage found in FRITZ!OS
The affected firmware versions include FRITZ!OS 6.83 and 6.80 for the AVM DSL router Fritz!Box 7490. The vulnerability was found in the router OS by Christian Kagerhuber from Deutsche Telekom. Read the full article (https://seclists.org/fulldisclosure/2019/Oct/36)
CVE-2019-6015: FON routers may behave as open resolvers
The affected models include the FON2601E-SE, FON2601E-RE, FON2601E-FSW-S and FON2601E-FSW-B, all with firmware versions 1.1.7 and earlier. CVE-2019-6015 was reported by Hideyoshi Okazaki of ARTERIA Networks Corporation to JPCERT/CC, which then coordinated with Fon. Read the full article (https://jvn.jp/en/vu/JVNVU94678942/)
CVE-2019-2215: Android Use-After-Free in Binder driver
CVE-2019-2215 is a use-after-free in binder.c that allows elevation of privilege from an application to the Linux kernel. Although no user interaction is required, exploiting this vulnerability does require the installation of a malicious local application or a separate vulnerability in a network-facing application. Android rated the severity of this vulnerability as High and announced that it “could enable a local malicious application to execute arbitrary code within the context of a privileged process”. Read the full article (https://seclists.org/fulldisclosure/2019/Oct/38)
Calls for cybersecurity certification in Switzerland
A group of 14 cybersecurity experts at the Cybersecurity Commission of ICTswitzerland called on the Swiss government to work to establish a testing and certification authority for the nation. ICTswitzerland is the umbrella organisation for the digital economy in Switzerland and is committed to the identification and prevention of cyber risks. Read the full article (https://www.darkreading.com/iot/cybersecurity-certification-in-the-spotlight-again-/d/d-id/1335940)
Singapore, UK to cooperate on securing consumer IoT
The UK and Singapore governments have agreed to cooperate on the issue of security for consumer IoT devices. They recommend that manufacturers implement industry best practices including:
1. Discontinuing obvious security flaws, e.g. universal default passwords;
2. Normalising vulnerability disclosure processes to set disclosure and response best practices across the IoT industry;
3. Encouraging the development and deployment of software security updates throughout the entire lifetime of IoT products, holding manufacturers accountable.
In May 2019 the UK Government (DCMS) announced plans for legislation that would require greater security to be built into IoT devices. Read the full article (https://www.iotaustralia.org.au/2019/10/06/iot-news-asia-pacific/uk-and-singapore-co-operate-to-secure-consumer-iot/)
USA: “Cyber Hunt” Legislation Passes U.S. Senate
The DHS Cyber Hunt and Incident Response Act (H.R. 1158) was created in response to the recent spate of ransomware attacks against government agencies and private sector organizations. The bill would require the newly-formed DHS teams to provide assistance, upon request, to public and private entities looking for information regarding how they could best prepare for and respond to cyber-related incidents, including:
1. Restoring services after a cyber incident;
2. Identifying and analyzing cybersecurity risks and unauthorized cyber activity;
3. Creating mitigation strategies against cybersecurity risks; and
4. Providing recommendations to asset owners and operators on how to lower their cybersecurity risks and improve their digital networks and systems.
The legislation was passed by unanimous consent in the Senate – a noteworthy fact that highlights the global understanding of the situation’s severity. Next steps include coordinating an incident planning and response plan with the FBI and the U.S. Secret Service. Read the full article (http://www.mondaq.com/unitedstates/x/854946/Security/Cyber+Hunt+Legislation+Passes+US+Senate+Any+Implications+For+Business)
This Is What VDOO...
VDOO responded (https://www.vdoo.com/blog/vdoo-comments-on-nist-report-8267) to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Draft NISTIR 8267 – “Security Review of Consumer Home IoT Products.” We discussed the report’s significant contribution to IoT cyber security, as well as what they could have done differently. This post highlights several key points which should be of great interest to everyone in this ecosystem, and also recommends additional research that builds upon this initial foundation.