Defining events in IoT Security, from around the World
The hacks described here disable safety features such as airbags, parking sensors, and active safety systems. Most cars are affected.
Even the Google Play and App Store apps that control IoT devices such as nanny cams, light controllers, and thermostats are vulnerable. 90% of applications have an average of 15 vulnerabilities. They can be taken over, spied on, manipulated, etc.
The quest to monetize user data (Facebook is an example) has left many automobile drivers vulnerable. There is no anonymization of Personally Identifiable Information (PII) and no encryption of the data. Finally, as the article shows, mistakes in handling the data are common.
The leakage of data even disclosed where the tracking unit of a stolen car was hidden.
This attack is fundamental to the system we have created for payments: a token is generated and sent to a Point of Sale (PoS) terminal and then forwarded on. A secure session is not established before payment processing starts. The attack boils down to blocking the payment token from making it all the way. Attackers can capture and reuse this token.
At least 13,000 compromised IoT devices were used by a Mirai variant tied to the IoTroop botnet, aka Reaper, to attack financial sector businesses. The botnet consisted of 80 percent compromised MikroTik routers and 20 percent various IoT devices (i.e. Apache and IIS web servers, webcams, DVRs, TVs, and routers).
A set of vulnerabilities has been discovered in medical device software used for brain monitoring. These vulnerabilities allow remote code execution and can also result in denial of service. Note that these are the known vulnerabilities in the device. There is no information about platform, cloud, access, privacy protections, etc.
Siemens' Building Automation Systems can be vulnerable to hacks, some due to vulnerabilities cascading down from vendors who supply critical components. Gemalto's license management system is the source of some of these vulnerabilities.
The UAE has the third highest number of cryptominers in the MEA region, while KSA ranks first regionally.
The JenX botnet is recruiting Internet of Things (IoT) devices by exploiting two vulnerabilities already popular among IoT botnets.
The survey found that nearly 20 percent of organizations observed at least one IoT-based attack in the past three years.
US hospitals have, by far, the largest number of IoT security vulnerabilities.
Challenges in Securing Connected Hospitals - TrendLabs Security Intelligence Blog
CERT has a vulnerability alert on the entire CAN protocol. This protocol is used by all the devices in a car to talk to each other and control the brakes, engine, etc.
There are 13 fundamental vulnerabilities in the Hanwha SmartCam. Anyone can spy on, hack, control, and disable any of these cameras. The smart camera uses the cloud for all communication between the user's smart phone, tablet, or computer. Moreover, the cloud operator could potentially be storing all the information without any privacy guarantees.
The software records everywhere the car has been, going back as far as 120 days, including a terrifying feature that pinpoints on the map all of the places a driver has visited. There is even an option that will show anyone with login credentials the top stops or locations where the vehicle has been. There is a “recovery mode” that can pinpoint the vehicle every 2 minutes or create zone notifications. They claim to have a 99% success rate on recovery, but what about when the customer logins and passwords for thousands of unsuspecting drivers are leaked online?
Yet another Intel vulnerability has been found, this one based on branch prediction, an optimization used to improve performance. The attack has an error rate of less than 1% and can be used to extract secret/private keys, even from Intel's secure enclave (SGX). This exploit can be exercised from user space. The only requirement is that the attacker and the victim share the same core.
Right now it is ‘JUST’ credit card numbers being stolen. With IoT devices doing everything for us including running pacemakers, garage door openers, ovens, furnaces, etc. the hackers can destroy our lives. This is no longer a financial issue: it can cause people to die.