Device Security Newsletter - June 2020
At a Glance
We hope you are staying strong in these crazy times. May has brought with it some very interesting attacks and vulnerabilities so let's get to it!
A new piece of malware dubbed Kaiji is targeting Linux-based servers and connected (IoT) devices via SSH brute-force attacks in order to use them as a DDoS botnet. While the malware is quite simple, it's different from other IoT ELF malware in that it was written from scratch in the Go programming language, and its detection rate when discovered was only 1.
On a more lighthearted note, it was discovered that a hacker who silently hijacked D-Link NVRs and NAS devices into a botnet did so in order to download anime videos. The botnet, named “Cereals”, was first spotted in 2012 (!) and reached its peak in 2015.
And finally, an important lesson from last month's happenings: a key part of security is keeping your source code safe and secure, as Mercedes-Benz learned when the source code of its onboard logic unit (OLU) leaked online.
As always, the VDOO team is here to answer any questions you may have about achieving optimal security for your connected products in general, or about any of the issues listed below in particular. Our thoughts are with our readers so keep well!
Attacks on Connected Devices
Kaiji is new malware that targets Linux-based servers and connected (IoT) devices in order to use them as a DDoS botnet. The researchers who found it claim it has definitive Chinese origins and is still a work-in-progress. While the malware is quite simple, it's different from other IoT ELF malware in that it was written from scratch in the Go programming language, and its detection rate when discovered was only 1.
Instead of leveraging exploits to spread, it carries out brute-force attacks against the root account of devices that left their SSH port exposed online. Once it gains access, a bash script is executed to set up the environment for the malicious code.
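Because Kaiji spreads by password-guessing against root over exposed SSH rather than by exploit, the earliest signal a defender gets is a burst of failed sshd logins from one source. The following detection logic is an added example, not code from the newsletter or from the Kaiji researchers; it parses constructed sshd auth-log lines (the hostnames, IPs and timestamps are made up) and flags any source address whose failures within a sliding window reach a threshold.

```python
"""Flag SSH brute-force sources in sshd auth-log lines (added example, constructed input)."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the standard sshd failure line, e.g.
#   May 12 03:14:07 iot-gw sshd[812]: Failed password for root from 203.0.113.5 port 51024 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one noisy source hammering root, one legitimate user who mistyped once.
SAMPLE_AUTH_LOG = [
    "May 12 03:14:07 iot-gw sshd[812]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "May 12 03:14:09 iot-gw sshd[812]: Failed password for root from 203.0.113.5 port 51030 ssh2",
    "May 12 03:14:11 iot-gw sshd[815]: Failed password for invalid user admin from 203.0.113.5 port 51036 ssh2",
    "May 12 03:14:14 iot-gw sshd[815]: Failed password for root from 203.0.113.5 port 51040 ssh2",
    "May 12 03:14:16 iot-gw sshd[819]: Failed password for root from 203.0.113.5 port 51044 ssh2",
    "May 12 03:14:20 iot-gw sshd[819]: Failed password for root from 203.0.113.5 port 51050 ssh2",
    "May 12 03:15:02 iot-gw sshd[823]: Failed password for pi from 198.51.100.20 port 40012 ssh2",
    "May 12 03:15:40 iot-gw sshd[823]: Accepted publickey for pi from 198.51.100.20 port 40012 ssh2",
    "May 12 03:16:00 iot-gw sshd[830]: Connection closed by 198.51.100.20 port 40012 [preauth]",
]


def parse_failures(lines, year=2020):
    """Yield (timestamp, user, source_ip) for every failed-password line; syslog lines lack a year, so one is supplied."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, sorted_targeted_users)} for every source whose
    failures inside any sliding window of window_seconds reach threshold."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        per_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failed logins, accounts tried: {', '.join(users)}")
```

The sliding window matters more than a raw count: a single user fat-fingering a password over an afternoon should not trip the rule, while a few dozen failures in a minute from one address is exactly the Kaiji pattern. On a real device the same check belongs in a log shipper or host agent, paired with the obvious mitigations the story implies: no password login for root, key-only authentication, and no SSH port reachable from the internet.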
Researchers recently discovered that a hacker silently hijacked D-Link NVRs and NAS devices and used them as a botnet in order to download anime (Japanese animation) videos. The botnet, nicknamed “Cereals”, reached its peak a few years ago when it collected more than 10,000 bots connected to online websites. The botnet exploited a flaw in the SMS notification feature of the target devices which allowed the operator to send HTTP requests to the device’s built-in server and execute commands with root privileges.
The researchers described the attacker as “a highly motivated individual with good understanding of embedded devices, Linux systems and script programming” who exhibited “how simple it is to exploit a well-documented vulnerability while cleverly picking a target which is ideal for the purpose and where malicious code can reside undetected for a long period of time.”
Vulnerabilities in Connected Devices
Issue 2015: Linux: futex+VFS: improper inode reference in get_futex_key() causes UAF if superblock goes away
The futex mechanism is reachable from unprivileged user-mode code, contains a use-after-free, and accepts an arbitrary int argument, so it might lend itself to heap spraying as well. Fixed versions:
- v5.4.28 - March 25
- v4.19.113 - March 25
- v4.14.175 - April 2
- v4.9.218 - April 2
- v4.4.218 - April 2
- v3.16.83 - April 28
A new vulnerability in Bluetooth, dubbed BIAS (Bluetooth Impersonation AttackS), could potentially impact over a billion devices by allowing attackers to spoof a remotely paired device. “It is possible for an unauthenticated, adjacent attacker to impersonate a previously paired/bonded device and successfully authenticate without knowing the link key. This could allow an attacker to gain full access to the paired device by performing a Bluetooth Impersonation Attack (BIAS).”
For this type of attack to be successful, the attacker needs a device that is within wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR bonding with a remote device whose Bluetooth address is known to the attacker. By combining this attack with other attacks, the encryption key can be brute-forced and used to decrypt communications. The Bluetooth SIG has addressed the vulnerability by announcing changes to a future specification revision, and recommends that Bluetooth users install the latest updates from their device and operating system manufacturers.
The source code for smart car components installed in Mercedes-Benz vans has been leaked. The leak occurred after an engineer discovered a Git web portal belonging to Daimler AG, the German automotive company behind the Mercedes-Benz car brand.
The engineer was able to register an account on Daimler's code-hosting portal, and then proceeded to download more than 580 Git repositories containing the source code of onboard logic units (OLUs) installed in Mercedes vans.
Regulations for Connected Devices
In a new study published in the proceedings of the IEEE Symposium on Security & Privacy, a team of researchers at Carnegie Mellon University's CyLab demonstrated a prototype security and privacy "nutrition label" that performed well in user tests. The team also developed an IoT label generator that manufacturers could use to easily create labels for their devices.
This is What VDOO
Sign up for the webinar we're sponsoring on June 17th where we'll be talking about the challenges, successes and deployment of product security and privacy programs. Contact the Archimedes Center for Medical Device Security for registration details.
In case you missed our latest blog posts, you can read them on our website - What Can Be Learned from the Recent HKSP Vulnerability and NERC CIP Industrial Cybersecurity Standards: What You Need to Know Before the Deadline.
Stay safe and healthy, and enjoy the summer!