9/16/2016
02:35 PM
Dark Reading

IoT Village at DEF CON 24 Uncovers Extensive Security Flaws in Connected Devices

Researchers Discover 47 New Security Vulnerabilities across 23 Devices and 21 Manufacturers; Executive Leadership from FTC and FCC Weigh in.

BALTIMORE, MD – September 14, 2016. New dangers in both home security and municipal power facilities were revealed as the results of the 2nd Annual IoT Village, which was held at DEF CON 24, were released today by Independent Security Evaluators (ISE) who organized the event. More than 47 new vulnerabilities were discovered across 23 different devices from 21 brand name manufacturers.

Amongst many, one of the most unnerving exploits was presented by researcher Fred Bret-Mounet, who showed that an attacker could shut down the equivalent of a small to mid-sized power generation facility by exploiting a flaw in solar panels manufactured by Tigo Energy.

In another, researcher Anthony Rose discovered that 75% of the smart locks he investigated could be easily compromised, letting an attacker open the lock on a victim’s front door. Another researcher, who goes by the handle “jmaxxz,” discovered a series of vulnerabilities in August locks which, if exploited, would mean that “anyone you've ever let use your phone, or ever given access to your home as a guest via your smart lock could enter your home without your knowledge or permission,” he said. Smart locks are one of the fastest growing consumer products serving the smart home.

Affected manufacturers this year included global enterprises such as Samsung, Subaru, and Trane, as well as smaller startups such as QuickLock, Elecycle, and Blossom. Vulnerabilities ranged from fundamental design flaws, such as the use of plaintext passwords and hard-coded passwords, to susceptibility to longstanding attack techniques such as buffer overflows and command injection.

Between talks, workshops, and onsite hacking contests, IoT Village’s goal is to uncover security vulnerabilities in order to draw attention to the need for greater security considerations in the devices that comprise the Internet of Things (IoT). Since its inception as a platform for security research, IoT Village has discovered security flaws in 50 devices from 39 different manufacturers.

“In the past two years, IoT Village has uncovered 113 critical, previously unknown vulnerabilities across both consumer and business products from some of the largest brand names in the world,” said Ted Harrington, Executive Partner at ISE and one of the organizers of IoT Village. “These discoveries are significant contributions to security research but also illustrate the pressing need for security improvements in IoT devices.” IoT Village has proven so successful that it is now held at security events all across the country beyond just DEF CON.

This year, IoT Village caught the attention of the federal government. Rear Admiral (ret.) David Simpson, a Bureau Chief of the Federal Communications Commission, spoke at the event and noted that IoT Village is taking strides towards “making things harder” for attackers, by putting the spotlight on these issues. Terrell McSweeny, commissioner of the Federal Trade Commission, also spoke at IoT Village, discussing the FTC’s law enforcement actions challenging inadequate data security in connected devices. “We believe that improved security is going to be achieved through a synergy between government, manufacturers, and the security community,” added Harrington. “The contributions of both Admiral Simpson and Commissioner McSweeny are invaluable to that effort.”

IoT Village next runs at DerbyCon, from Sept 21-25 in Louisville, KY. More information about IoT Village can be found at the official event website.

About IoT Village
IoT Village is a traveling security event focused on highlighting and resolving security flaws in the connected devices that comprise the Internet of Things (“IoT”). It is composed of talks, workshops, live hacking demos, and an onsite hacking contest. In its 2015 debut, IoT Village served as a platform to publish 66 previously unknown critical security vulnerabilities across 27 different device types and 18 different manufacturers.

About ISE
Founded in 2005 out of the PhD program at the Johns Hopkins’ Information Security Institute, ISE is a security consulting firm comprised of hackers, computer scientists, reverse engineers, and cryptographers who help companies defend against sophisticated adversaries through manual, white box security assessments. ISE is widely recognized as being the first company to hack the iPhone.

Contact:
Ted Harrington
Independent Security Evaluators
Baltimore, MD, USA
+1 (443)-270-2296

 
