
Comments
Unsecured IoT: 8 Ways Hackers Exploit Firmware Vulnerabilities
SivanRauscher,
User Rank: Author
9/15/2019 | 3:19:46 AM
Firmware updates
With new legislation being passed and manufacturers taking security more seriously, I do believe IoT devices will build basic security into their devices, but they have the expertise, research and technology to stay on top of cyber security attacks and threats for this security to provide complete protection.

There needs to be more. 
DCNats2012,
User Rank: Author
8/30/2019 | 12:02:37 PM
Re: VoIP and Printers
I recall from my early work with VoIP the tech team amused themselves by downloading comical ring tones to unsuspecting users and their desktop phones. Can you imagine the negative impact to any brand after an unauthorized action of a device in a home? In the workplace? Service providers need to weigh the risks of bad press or worse before deploying unverified devices.
Dr.T,
User Rank: Ninja
8/29/2019 | 1:24:21 PM
Re: A deeper resolve to the problem other than just patching
"since the apps or modules are outside of the kernel, then why not containerize the application so it does not affect the kernel or firmware"

This is really a good idea. Containers can isolate certain modules so impact is minimized.
Dr.T,
User Rank: Ninja
8/29/2019 | 1:22:30 PM
Re: A deeper resolve to the problem other than just patching
" most vendors don't encrypt firmware, but there is a methodology called HiTrust "

I think they should give real thought to how to encrypt the firmware. They should be able to keep updates coming too.
Dr.T,
User Rank: Ninja
8/29/2019 | 1:20:43 PM
Re: A deeper resolve to the problem other than just patching
"adding a password to the firmware is a good solution but any changes made to the firmware that is not part of their release"

I agree with this. However, as is the case in all other systems, the firmware could still be compromised if we do not manage the password properly.
Dr.T,
User Rank: Ninja
8/29/2019 | 1:08:07 PM
Re: A deeper resolve to the problem other than just patching
"yes update the firmware whenever possible, but take it to another level just like the individuals from "Black-Hat" are doing, look into the binary and hex code to see if there is something there"

This makes sense. Manufacturers should keep their firmware up to date at all times, like automated updates.
Dr.T,
User Rank: Ninja
8/29/2019 | 1:05:43 PM
VoIP and Printers
We have known for a long time that VoIP and printers are not designed with security in mind, so it is not surprising that they were easily hacked.
tdsan,
User Rank: Ninja
8/27/2019 | 1:12:39 PM
A deeper resolve to the problem other than just patching
Where I do agree with you that there are numerous vulnerabilities and exploits that we need to address, I do think (much like the end-user) that the ways you mentioned only address the surface, I would say why not delve into the process if we are going to talk about it:
  • Firmware - I am not sure talking with the vendor is going to do anything about making a change, we need to put together a concerted effort where people and organizations from all over are saying the same thing but making it public (similar to what Google is doing with "Project-X"), yes update the firmware whenever possible, but take it to another level just like the individuals from "Black-Hat" are doing, look into the binary and hex code to see if there is something there
  • Unauthenticated access - adding a password to the firmware is a good solution but any changes made to the firmware that is not part of their release (by going to the web and verifying the firmware is at the correct revision level and use a SHA256 hash to verify it is the correct type)
  • Authentication - if a user can access the physical device, then it is almost too late, but after a firmware flash, they can get to it from across the world, then that is something entirely different. We need to look into our NGFW (next-gen firewall) or NAC device to determine if the person accessing it is credible or not.
  • Password hashes - why doesn't the hash change randomly, it does not have to change every 30 seconds but within a week's time
  • Encryption keys - most vendors don't encrypt firmware, but there is a methodology called HiTrust so if the firmware does not come from a trusted source and the SHA256 hash has not been verified, then the upgrade process should not be applied. And if someone wanted to access the keys, the keys should have limited time or the number of times should be limited before using this key
  • Buffer-Overflows - this can be addressed with error-codes/handling and dumps that allow manufacturers to review the code at a later time
  • Debugging services - the user should be allowed to enable debugging services but there should be a finite amount of time it is to be used and if it is turned on, then it should be sent to the OEM (original equipment manufacturer)
  • Debugging transmission - the OEM should think about using IPv6 as part of their transmission process where information about the device is submitted in a secure environment using IPSec AES256 ESP/AH VPN connections using to transmit data back to the device in a secure form, anything outside of the local network or OEM that provides a notification before proceeding (similar to what NAC devices do)
  • Finally, since the apps or modules are outside of the kernel, then why not containerize the application so it does not affect the kernel or firmware (zone 0, or zone N+1), this could be an option.

Todd
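The check tdsan describes under "Unauthenticated access" and "Encryption keys" (apply an upgrade only if it comes from a trusted source, its SHA256 hash verifies, and it is at the correct revision level) is worked through below as an added Python example; it is not code from this thread or from any vendor. It assumes a vendor-published manifest carrying the image digest and version, and uses an HMAC key VENDOR_KEY as a stand-in for the vendor's signing key so the example runs with the standard library; all image bytes, versions and keys are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing key (assumption for this
# example). A real device would hold the vendor's public key and verify a
# signature; HMAC is used here only so the example runs offline.
VENDOR_KEY = b"example-vendor-key-not-real"

# Constructed: the version currently installed on the device.
CURRENT_VERSION = (2, 1, 0)


def sha256_hex(data: bytes) -> str:
    """SHA256 digest of a firmware image as a hex string."""
    return hashlib.sha256(data).hexdigest()


def _encode(body: dict) -> bytes:
    """Canonical JSON so vendor and device authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(image: bytes, version: tuple, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: publish the image digest and version, authenticated with key."""
    body = {"version": list(version), "sha256": sha256_hex(image)}
    tag = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_firmware(image: bytes, manifest: dict,
                    current_version: tuple = CURRENT_VERSION,
                    key: bytes = VENDOR_KEY) -> tuple:
    """Device side: return (ok, reason); flash only when ok is True.

    Order matters: authenticate the manifest first, so an attacker cannot
    choose the digest or version the later checks compare against.
    """
    body = manifest.get("body")
    tag = manifest.get("tag", "")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return False, "malformed manifest"

    # 1. Trusted source: the manifest must carry a valid tag from the vendor key.
    expected_tag = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):  # constant-time compare
        return False, "manifest not from trusted source"

    # 2. Integrity: the downloaded image must match the published SHA256.
    if not hmac.compare_digest(sha256_hex(image), body.get("sha256", "")):
        return False, "image digest mismatch"

    # 3. Revision level: refuse anything older than what is installed
    #    (blocks rollback to a release with known holes).
    version = tuple(body.get("version", []))
    if len(version) != 3 or version < current_version:
        return False, "rollback or bad version"

    return True, "ok"


if __name__ == "__main__":
    image = b"constructed firmware image v2.2.0"  # constructed sample image
    manifest = make_manifest(image, (2, 2, 0))
    print(verify_firmware(image, manifest))            # (True, 'ok')
    print(verify_firmware(image + b"\x00", manifest))  # digest mismatch
```

The three rejections map onto tdsan's list: a manifest tagged with the wrong key fails the trusted-source check, a modified image fails the digest check, and a manifest for an older release fails the revision check even though it is genuine.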