Device Security - Monthly Newsletter - March 2020
At a Glance
February 2020 kept up the pace of device vulnerabilities and attacks. We also continue to see governments recognizing the importance of embedded security and acting to improve it, alongside the ongoing work of NIST on guidance for device manufacturers.
A good example of the problems involved in device security is a report showing that 45% of all connected medical devices running Windows in a typical hospital are still exposed to the BlueKeep vulnerability (CVE-2019-0708) because they have not received the patch Microsoft released for it in May 2019, nearly a year ago.
As always, the VDOO team is here to answer any questions you may have about achieving optimal security for your connected products in general, or about any of the issues listed below in particular.
Attacks on Connected Devices
Connected devices running Windows 7 at some of the world's largest manufacturers were found to be infected with a cryptocurrency miner. The infected devices, including automated guided vehicles, TVs and printers, were observed a few months ago at over 50 manufacturing sites around the world. The malware spreads rapidly and is considered "extremely disruptive": it first scans the network for potential targets, including hosts with open SMB or MSSQL services, and once it finds one it runs multiple threads with different functions against it. Experts speculate that the infections were the result of a supply chain attack, meaning the malware was installed on the devices before they were deployed at the manufacturers' sites. The incident is worrying because hundreds of millions of systems worldwide still run Windows 7, which reached end of support on January 14, 2020 and no longer receives security fixes outside paid extended support. Read the full article
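The behaviour that gives this kind of malware away on the wire is the fan-out: one host that, within a short window, tries to reach many internal peers on SMB (445) and MSSQL (1433), most of them failing. Below is an added example (not code from the report or from the malware) of that detection logic run over a few constructed connection-log lines in a Zeek-like format; the five-minute window and the threshold of ten distinct hosts are assumptions to tune for your network, not values from the article.

```python
"""Detect internal SMB/MSSQL fan-out scanning in connection logs.

Constructed example: the log lines below are made up for illustration and
the window/threshold are assumptions, not values from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {445, 1433}        # SMB and MSSQL, the services the miner probes
FAILED_STATES = {"S0", "REJ"}   # Zeek-style conn_state: no reply / rejected

# Constructed sample log: timestamp, source, destination, dport, conn_state.
# 10.20.1.15 sweeps twelve hosts in six seconds; 10.20.1.40 is a normal client.
SAMPLE_LOG = """\
2020-02-10T08:00:01 10.20.1.15 10.20.1.21 445 REJ
2020-02-10T08:00:01 10.20.1.15 10.20.1.22 445 S0
2020-02-10T08:00:02 10.20.1.15 10.20.1.23 445 S0
2020-02-10T08:00:02 10.20.1.15 10.20.1.24 1433 REJ
2020-02-10T08:00:03 10.20.1.15 10.20.1.25 445 S0
2020-02-10T08:00:03 10.20.1.15 10.20.1.26 1433 S0
2020-02-10T08:00:04 10.20.1.15 10.20.1.27 445 SF
2020-02-10T08:00:04 10.20.1.15 10.20.1.28 445 S0
2020-02-10T08:00:05 10.20.1.15 10.20.1.29 1433 REJ
2020-02-10T08:00:05 10.20.1.15 10.20.1.30 445 S0
2020-02-10T08:00:06 10.20.1.15 10.20.1.31 445 S0
2020-02-10T08:00:06 10.20.1.15 10.20.1.32 1433 S0
2020-02-10T08:00:07 10.20.1.15 10.20.1.33 80 SF
2020-02-10T08:05:00 10.20.1.40 10.20.1.5 445 SF
2020-02-10T08:05:30 10.20.1.40 10.20.1.5 445 SF
2020-02-10T08:06:00 10.20.1.40 10.20.1.6 445 SF
2020-02-10T08:06:00 10.20.1.40 10.20.1.7 1433 SF
"""


def parse_log(text):
    """Parse whitespace-separated lines into records; skip blank/comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, state = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "state": state,
        })
    return records


def find_scanners(records, window=timedelta(minutes=5), threshold=10, ports=SCAN_PORTS):
    """Return {src: {"targets": n, "failed": m}} for every source that reaches
    at least `threshold` distinct hosts on `ports` inside any sliding `window`.
    `failed` counts attempts in that window that got no reply or were rejected."""
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] in ports:           # traffic to other ports is ignored
            by_src[r["src"]].append(r)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end, ev in enumerate(events):
            # Shrink the window from the left until it spans at most `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            targets = {e["dst"] for e in span}
            # Keep the widest fan-out seen for this source.
            if len(targets) >= threshold and len(targets) > alerts.get(src, {}).get("targets", 0):
                alerts[src] = {
                    "targets": len(targets),
                    "failed": sum(1 for e in span if e["state"] in FAILED_STATES),
                }
    return alerts


if __name__ == "__main__":
    for src, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {info['targets']} distinct SMB/MSSQL targets, "
              f"{info['failed']} failed attempts")
```

A high ratio of failed to total attempts is the second signal worth keeping: a backup server or a vulnerability scanner also fans out, but its connections mostly succeed and its source address is known in advance, so an allow-list of expected scanners plus the failure ratio keeps the rule quiet on legitimate traffic.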
Vulnerabilities in Connected Devices
Check Point researched the Philips Hue smart bulbs and bridge and found a heap-based buffer overflow in the bridge (CVE-2020-6007) that can be triggered over the ZigBee low-power wireless protocol used to control a wide range of connected devices. With it, an attacker-controlled bulb becomes a foothold for infiltrating the network the bridge is connected to. Read the full article
Google addressed a critical vulnerability in the Bluetooth subsystem of Android (CVE-2020-0022) that can be exploited without user interaction. On Android 8.0 to 9.0, a remote attacker in Bluetooth range can use a specially crafted transmission to execute arbitrary code in the context of the privileged Bluetooth daemon, which could lead to theft of personal data and potentially to malware spreading from device to device; on Android 10 the same bug only crashes the daemon. In the words of the researchers who reported it, the flaw would have allowed "a remote attacker within proximity (to) silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address." The fix shipped in the February 2020 Android security patch level; until a device receives it, keeping Bluetooth switched off when it is not needed is the only mitigation. Read the full article
A new collection of vulnerabilities named SweynTooth affects devices running the Bluetooth Low Energy (BLE) protocol or, more precisely, the BLE software development kits (SDKs) supplied by system-on-a-chip (SoC) vendors, which device makers build on to keep power consumption low. Exploitation requires the attacker to be within BLE range of the device, and the flaws range from crashes and deadlocks that take the device offline until it is reset to a bypass of the pairing security. The vulnerable BLE SDKs have been used in over 480 end-user products, including fitness tracking bracelets, smart plugs, smart door locks, pet trackers, smart home systems, smart lighting, alarm clocks, glucose meters and various other wearables and medical devices. Because the bug lives in the SoC vendor's SDK, a product is fixed only when its manufacturer rebuilds its firmware against a patched SDK and ships that update to the field. All the relevant vendors have been notified, and the six that have already patched their SDKs are named in the announcement. Read the full article
Connected medical devices are twice as likely to be vulnerable to BlueKeep as other devices on hospital networks, putting patients and staff at additional risk from cyber attacks. BlueKeep (CVE-2019-0708) is a pre-authentication, wormable vulnerability in Remote Desktop Services (RDP) that was disclosed in May 2019 and impacts Windows 7, Windows Server 2008 R2 and Windows Server 2008; Microsoft issued patches at disclosure, including out-of-band fixes for the unsupported Windows XP and Server 2003. Despite urgent warnings from security authorities, large numbers of Windows systems and medical devices remain unpatched. Recent research found that 22% of all Windows devices in a typical hospital are still exposed to BlueKeep because they have not received the relevant patches, and among connected medical devices running Windows the figure rises to 45%, meaning almost half are vulnerable. Where a device cannot be patched, disabling RDP or enabling Network Level Authentication (NLA), which forces authentication before the vulnerable code is reached, reduces the exposure. Read the full article
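Turning a figure like "45% unpatched" into a list of devices to act on starts from an inventory. The following is an added example, not code from the research cited above, of triaging a constructed hospital inventory for BlueKeep: a device counts as patched if it carries one of the May 2019 update KBs from Microsoft's CVE-2019-0708 advisory or any monthly rollup dated May 14, 2019 or later (later rollups supersede the fix, so checking only for the original KB produces false positives), and the unpatched devices are further split by whether RDP is reachable and whether NLA is in the way. The inventory rows, hostnames and column names are assumptions for the example.

```python
"""Triage a device inventory for BlueKeep (CVE-2019-0708) exposure.

The inventory below is constructed for illustration. The KB numbers are the
May 2019 updates listed in Microsoft's CVE-2019-0708 advisory; any monthly
rollup released on or after that date also carries the fix.
"""
import csv
import io
from datetime import date

# Windows versions affected by CVE-2019-0708.
AFFECTED_OS = {
    "Windows XP", "Windows Server 2003",
    "Windows 7", "Windows Server 2008", "Windows Server 2008 R2",
}
# May 2019 updates that fix CVE-2019-0708 (security-only, monthly rollup, out-of-band).
BLUEKEEP_KBS = {
    "KB4499175", "KB4499164",   # Windows 7 SP1 / Server 2008 R2 SP1
    "KB4499180", "KB4499149",   # Windows Server 2008 SP2
    "KB4500331",                # Windows XP / Server 2003 (out-of-band)
}
FIX_RELEASED = date(2019, 5, 14)

# Constructed inventory (assumed column layout, not real hospital data).
INVENTORY_CSV = """\
hostname,device_class,os,rdp_enabled,nla_enabled,hotfixes,last_rollup
infusion-01,medical,Windows 7,yes,no,KB4474419,2018-11-13
infusion-02,medical,Windows 7,yes,no,KB4474419;KB4499175,2018-11-13
mri-console,medical,Windows Server 2008 R2,yes,yes,,2019-08-13
xray-01,medical,Windows XP,yes,no,,
pacs-ws-01,medical,Windows 10,yes,yes,,2020-01-14
ultrasound-03,medical,Windows 7,no,no,,2019-03-12
nurse-pc-01,it,Windows 10,yes,yes,,2020-02-11
nurse-pc-02,it,Windows 7,yes,yes,,2019-06-11
admin-srv-01,it,Windows Server 2008 R2,yes,yes,,2019-04-09
admin-srv-02,it,Windows Server 2016,yes,yes,,2020-02-11
"""


def _flag(value):
    return value.strip().lower() in {"yes", "true", "1"}


def bluekeep_status(row):
    """Classify one inventory row.

    not_affected            OS is not in the affected list
    patched                 fix KB present, or a rollup from May 2019 or later
    unpatched_rdp_disabled  vulnerable code present but RDP is switched off
    unpatched_nla           vulnerable and RDP on, but NLA forces authentication first
    exposed                 vulnerable, RDP on, no NLA: reachable pre-authentication
    """
    if row["os"] not in AFFECTED_OS:
        return "not_affected"
    hotfixes = {kb.strip() for kb in row["hotfixes"].split(";") if kb.strip()}
    rollup = date.fromisoformat(row["last_rollup"]) if row["last_rollup"] else None
    if hotfixes & BLUEKEEP_KBS or (rollup is not None and rollup >= FIX_RELEASED):
        return "patched"
    if not _flag(row["rdp_enabled"]):
        return "unpatched_rdp_disabled"
    if _flag(row["nla_enabled"]):
        return "unpatched_nla"
    return "exposed"


def triage(csv_text):
    """Return (per-device statuses, per-class counts with % unpatched)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    statuses = {r["hostname"]: bluekeep_status(r) for r in rows}
    summary = {}
    for r in rows:
        s = summary.setdefault(r["device_class"], {"total": 0, "unpatched": 0, "exposed": 0})
        st = statuses[r["hostname"]]
        s["total"] += 1
        if st.startswith("unpatched") or st == "exposed":
            s["unpatched"] += 1
        if st == "exposed":
            s["exposed"] += 1
    for s in summary.values():
        s["pct_unpatched"] = round(100.0 * s["unpatched"] / s["total"], 1)
    return statuses, summary


if __name__ == "__main__":
    statuses, summary = triage(INVENTORY_CSV)
    for host, st in statuses.items():
        print(f"{host:14s} {st}")
    for cls, s in summary.items():
        print(f"{cls}: {s['unpatched']}/{s['total']} unpatched "
              f"({s['pct_unpatched']}%), {s['exposed']} reachable pre-auth")
```

The "exposed" bucket is the one to work first: those hosts can be hit by an unauthenticated client that can reach port 3389. The "unpatched_nla" bucket still needs patching, since NLA only moves the bug behind a logon and does not remove it.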
Regulations for Connected Devices
New NIST recommendations (NISTIR 8259) detail the cybersecurity activities that manufacturers should consider performing before they sell their connected devices. The main highlights include:
- Identify expected customers and define expected use cases for the devices
- Research customer cybersecurity goals
- Determine how to address customer goals
- Define approaches for communicating with customers
- Decide what to communicate to customers and how to communicate it
Read the full article
The Canadian federal government announced a large grant to support a Strategy Council project to set up cyber standards for connected devices in the electricity sector. The money will fund a three-year effort that includes a series of cross-country meetings with industry, government, academics and interest groups to create the standards, as well as the tools required to test devices against them. In addition, the project plans to build a repository of devices that have passed, which companies can consult before making purchases. Read the full article
This is What VDOO
We hope you didn't miss any of our weekly blog posts, but here are the ones we posted since our February newsletter just in case you did:
- The Time Is Now: Improving the Security of Connected Medical (IoMT) Devices
- UK Cybersecurity Regulation in the Post-Brexit Era: Here’s What to Expect
- Integrating Security into the Device SDLC Process
Other than that, we were planning to attend a few events that didn't happen for obvious reasons. We hope you are all staying safe and healthy in these turbulent times!