Device Security Newsletter - May 2020
At a Glance
We hope our newsletter finds you and your loved ones safe and healthy in these crazy times. Despite everything, life continued in April with some very interesting developments!
Dark Nexus is the name of a newly emerging IoT botnet that is used to launch DDoS attacks. The botnet spreads by using exploits and by launching credential stuffing attacks against a broad range of IoT devices, including routers, video recorders, and thermal cameras.
If your business makes “smart” devices, you’ll want to read about Tapplock’s settlement with the FTC. It’s one more example of why businesses in the connected products space need to start thinking about privacy and security in the design phase, and never wait until later in the process.
As always, the VDOO team is here to answer any questions you may have about achieving optimal security for your connected products in general, or about any of the issues listed below in particular. Our thoughts are with our readers, so keep well!
Attacks on Connected Devices
A new IoT botnet, nicknamed Dark Nexus, has features and capabilities that are way more advanced than most of the IoT botnets and malware we've seen so far. Although it reuses some Qbot and Mirai code, its core modules are mostly original, as well as more potent.
It spreads by using exploits and by launching credential stuffing attacks against a broad range of IoT devices, including routers (from Dasan Zhone, D-Link, and ASUS), video recorders, and thermal cameras. Dark Nexus appeared in the threat landscape earlier this year and is composed of hundreds of infected devices in China, South Korea, Thailand, Brazil, and Russia.
The good news (at least for VDOO's customers) is that our platform can immediately stop the botnet by blocking its executable, even if the device’s telnet password were brute-forced successfully!
Organizations in the Israeli water sector faced a series of cyberattacks that targeted water facilities. The National Cyber Directorate announced that it had received reports of cyberattacks aimed at supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities.
Organizations were advised to implement supplementary security measures to protect SCADA systems used in the water and energy sectors, to immediately change the passwords of control systems exposed online, to ensure that their software is up to date, and to reduce their exposure online. The good news is that, according to the Water Authority report, the attacks did not impact operations at the facilities.
Vulnerabilities in Connected Devices
Various Toyota Display Control Units (2017 model year) were reported to be affected by the BlueBorne vulnerability, which allows unauthenticated attackers to cause Denial of Service or execute arbitrary commands on the DCU, although critical vehicle controls such as driving, turning and stopping are not affected.
Several smart IoT hubs for homes and offices - the Fibaro Home Center Lite, eQ-3's Homematic Central Control Unit (CCU2) and ElkoEP's eLAN-RF-003 - were found to contain severe flaws that can lead to remote code execution (RCE), command injection, data leaks and MitM attacks.
The popular Netatmo Smart Indoor Security Camera was found to be susceptible to an authenticated file write which can lead to command execution (CVE-2019-17101), as well as to a privilege escalation via dirtyc0w – a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem.
Regulations for Connected Devices
Tapplock is an IoT company that sells Internet-connected, fingerprint-enabled padlocks called smart locks. The locks interact with an app that lets users lock and unlock them when they’re within Bluetooth range. The company advertised the locks as having an “unbreakable design” and being “Bold. Sturdy. Secure.”, and claimed that it took “reasonable precautions” and followed “industry best practices” to protect personal information.
But according to the FTC’s complaint, Tapplock’s smart locks were not secure. In fact, a researcher was able to open one within seconds simply by unscrewing the back panel. Others discovered several security vulnerabilities, such as bypassing authentication to gain full account access, locking and unlocking the device through unencrypted communications, and more.
Just a few simple steps, starting with security by design, are all it would have taken them to avoid this embarrassment. Not to mention the settlement, which banned them from making deceptive statements and required them to implement a comprehensive security program, as well as to obtain annual compliance certifications through third-party assessments.
This is What VDOO
In case you missed our latest blog posts, you can read them on our website - Head-to-Head: Penetration testing vs. vulnerability scanning and Smarter Black-box Fuzzing of Industrial Communication Protocols.
Stay safe and healthy in these turbulent times. May the summer bring you light and happiness!