Device Security Newsletter - April 2020
At a Glance
We hope our newsletter finds you and your loved ones safe and healthy in these crazy times. Despite how much the world has changed around us, March was still business as usual when it came to device vulnerabilities and attacks in multiple sectors.
Case in point is the exposure of "Fronton", an IoT botnet that a contractor was allegedly building for the FSB, Russia's intelligence agency. Fronton specs say the botnet would specifically target internet security cameras and digital recorders (NVRs), which they deemed ideal for carrying out DDoS attacks.
On the positive side, Singapore was active the past month, launching an IoT Cyber Security Guide for enterprise users and their vendors, as well as proposing a Cybersecurity Labelling Scheme (CLS) for home routers and smart home hubs.
As always, the VDOO team is here to answer any questions you may have about achieving optimal security for your connected products in general, or about any of the issues listed below in particular. Our thoughts are with our readers so keep well!
Attacks on Connected Devices
A hacker group broke into the systems of a contractor for the FSB (Russia's national intelligence service) and uncovered a project called Fronton, which focused on hacking Linux-based IoT devices (mostly security cameras and digital recorders) that would then be used to build an IoT botnet for the FSB.
Based on file timestamps, the project appears to have been put together in 2017 and 2018, and was clearly inspired by the infamous Mirai malware strain. Mirai was used to build a massive IoT botnet in late 2016, which was then used to launch devastating DDoS attacks against a wide range of targets, from ISPs to core internet service providers.
The Fronton IoT botnet was supposed to "carry out password dictionary attacks against IoT devices that are still using factory default logins and common username-password combinations. Once a password attack was successful, the device would be enslaved in the botnet."
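The dictionary-attack pattern described above (many failed logins against default or common accounts, followed by a successful login once a guess lands) is visible in a device's own authentication log. The following detector is an added example written for this newsletter, not code from VDOO or from the Fronton material: it parses constructed sshd-style log lines (the sample lines and IP addresses are made up) and raises one alert per source that exceeds a failure threshold inside a time window, escalating if that same source then authenticates successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real device output) in a syslog-like format a
# Linux-based camera or NVR might emit from its SSH daemon.
SAMPLE_LOG = """\
2020-03-10T02:14:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51822
2020-03-10T02:14:02 cam01 sshd[812]: Failed password for admin from 203.0.113.7 port 51823
2020-03-10T02:14:03 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51824
2020-03-10T02:14:04 cam01 sshd[812]: Failed password for support from 203.0.113.7 port 51825
2020-03-10T02:14:05 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51826
2020-03-10T02:14:06 cam01 sshd[812]: Accepted password for admin from 203.0.113.7 port 51827
2020-03-10T02:20:11 cam01 sshd[813]: Failed password for root from 198.51.100.4 port 40001
2020-03-10T03:05:40 cam01 sshd[814]: Accepted password for operator from 192.0.2.9 port 22222
"""

# Assumed line layout: ISO timestamp, host, daemon, result, user, source, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn log text into a list of login events; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_dictionary_attacks(events, threshold=4, window=timedelta(minutes=5)):
    """Return alerts: one 'dictionary_attack' per source reaching `threshold`
    failed logins within `window`, plus a 'compromise_suspected' alert if that
    source later authenticates successfully."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        recent_failures = []   # sliding window of failures for this source
        flagged = False
        for e in evs:
            if not e["ok"]:
                recent_failures.append(e)
                # Drop failures that fell out of the window.
                recent_failures = [f for f in recent_failures if e["ts"] - f["ts"] <= window]
                if len(recent_failures) >= threshold and not flagged:
                    users = sorted({f["user"] for f in recent_failures})
                    alerts.append({
                        "src": src,
                        "kind": "dictionary_attack",
                        "users": users,            # accounts being guessed
                        "failures": len(recent_failures),
                    })
                    flagged = True
            elif flagged:
                # A success after a burst of failures is the signal that a
                # guessed (often default) credential worked.
                alerts.append({"src": src, "kind": "compromise_suspected", "user": e["user"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_dictionary_attacks(parse(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are deliberately low here so the sample triggers; on a real fleet they should be tuned per device class, and the `compromise_suspected` alert is the one worth routing to an on-call response, since the mitigation (rotating the default credential and cutting the session) is the same whether or not the botnet behind it is Fronton.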
Vulnerabilities in Connected Devices
A new collection of vulnerabilities named SweynTooth impacts the SDKs responsible for supporting BLE communications provided by vendors of system-on-a-chip (SoC) chipsets. Connected devices are built around these SoCs with the BLE SDKs helping to minimize energy output. The vulnerabilities require the attacker to be in physical proximity to the device.
The vulnerable BLE SDKs have been used in hundreds of products, including a variety of medical devices such as those that are implanted in or worn by a patient (pacemakers, stimulators, blood glucose monitors and insulin pumps), or larger devices that are in health care facilities (electrocardiograms, monitors and diagnostic devices like ultrasound devices).
The FDA is recommending that medical device manufacturers proactively address tech issues with coordinated disclosures of vulnerabilities and provide customers with mitigation strategies. All the relevant vendors have been notified of these vulnerabilities and those that have already patched their SDKs were identified in the announcement.
The driving interface of Tesla Model 3 vehicles in any release before 2020.4.10 allows denial of service due to improper process separation. This vulnerability could allow attackers to disable the speedometer, web browser, climate controls, turn-signal visuals and sounds, navigation, autopilot notifications, and other functions on the main screen.
Over the past few months two different attack groups have been observed using zero-day vulnerabilities on several models of DrayTek's Vigor enterprise routers and switch devices to conduct a series of attacks. These have included eavesdropping on the device’s network traffic, running SSH services on high ports, creating system backdoor accounts, and even creating a specific malicious web session backdoor.
Regulations for Connected Devices
Singapore's proposed Cybersecurity Labelling Scheme (CLS) for home routers and smart home hubs is part of its efforts to increase consumer awareness of secured products and to push manufacturers to deploy additional cybersecurity measures.
In addition, the Infocomm Media Development Authority (IMDA) would mandate a set of minimum security requirements for home routers, which would improve baseline standards for such devices. These would also be the prerequisite required for manufacturers to secure CLS labels for their products.
Singapore's IMDA, in consultation with the local Cyber Security Agency, launched a new IoT Cyber Security Guide that provides practical tips to help companies address the security aspects of IoT systems in their acquisition, development, operation and maintenance.
The guide covers a wide range of practical issues including IoT security design principles, security impact categories, cyber and physical threat categories, attack surface categories, assessment of threats, and more. It also provides a set of baseline recommendations and a checklist for users and vendors.
This is What VDOO
In case you missed our latest blog post, you can read it on our website - Best Practices for Developing Secure IoT Devices. Stay safe and healthy in these turbulent times. Happy Spring Holidays!