Home Security

IoT bug report claims “at least 100M devices” may be impacted – Naked Security

Here’s another BWAIN, which is our shorthand for Bug With An Impressive Name.

That’s the abbreviation we use for bugs that end up with names, logos and even dedicated websites that are catchy, cool, fancy, important or dramatic, and sometimes even all of these at the same time.

Classic examples of the genre include:

This time, we’re talking about NAME:WRECK, a bunch of somewhat related bugs in the core DNS software used by several different operating systems.

This “bug cluster” features in a report released yesterday by researchers from Forescout and JSOF.

The nickname comes from the word “name” in DNS, combined with the fact all the bugs could theoretically let an attacker crash an affected device, or perhaps worse.

DNS, as you probably know, is short for domain name system, which converts names like nakedsecurity.sophos.com into IP numbers such as 192.0.66.200 [correct at 2021-04-13T16:20Z].

Technically, you can run a TCP/IP network stack without DNS, simply by referring to each device by its network number only.

But even the most limited and self-contained test networks quickly end up crying out for DNS, and if ever you want to hook up your device or devices to the internet, you can consider DNS support a must.

That’s why any TCP/IP device, no matter how tiny and resource-constrained it might be, and any operating system, no matter how much it might have been miniaturised, includes code for what’s known as DNS resolution or DNS lookup.

That code needs to know how to formulate DNS requests, which are compactly encoded binary network packets specified in RFC 1035, published way back in 1987 when every byte really mattered.

DNS lookup code also needs to know how to deconstruct the similarly formatted DNS replies that come back, even though that code didn’t create those packets in the first place, and doesn’t know whether it can trust the person who did.

As you probably know only too well, making sense of binary data, known as parsing in the jargon, is very easy to do badly.

The fact that a program can reliably parse billions of well-formed packets without a hitch doesn’t mean it won’t misbehave when faced with deliberately malformed packets that would never occur in regular use.

As the old joke goes: “A penetration tester walks into a bar and says, ‘4,294,967,297 beers, please’, just to see how good the bartender is.”

The devil’s in the details

The NAME:WRECK report isn’t about just one bug or one vulnerability but several, and all of them except one date back to last year.

Fortunately, they are all patched (at least one has had an update out for nearly a year already) but together they constitute a worthwhile reminder that even in the modern age, programmers continue to make old-school coding mistakes.

The vulnerabilities that have been lumped together under the NAME:WRECK “brand” were found in three different operating systems.

Two were low-level operating systems, often known as RTOSes (short for real-time operating systems) dedicated to internet-of-things (IoT) devices, namely Nucleus NET from Siemens and NetX from Microsoft.

The third was FreeBSD, widely used as both a mainstream server operating system and as an operating system for embedded devices. (As the name suggests, FreeBSD is available for free, like Linux, but it uses a much more easy-going and liberal open source licence.)

Parsing errors and randomness problems

Six of the bugs involved parsing errors, where the data sent back in DNS replies was carelessly processed, leading to buffer overflows.

Some of these could be exploited to cause the DNS lookup code to read data where it shouldn’t, causing a crash, or denial of service (DoS).

Others could be exploited not just to read from the wrong place but to write to the wrong place as well, leading to remote code execution (RCE).

RCE generally means that an attacker can quietly inject malware into your computer simply by sending rogue packets, without needing to login first or to know any kind of password.

One bug was a loop limit error, where the code added no bytes to a text string, decided that the string wasn’t full yet, and went back for more, vainly adding zero bytes over and over again for ever and ever, in the hope that the string would eventually get longer.

The last bug involved poor randomness, where one-time random numbers added as transaction identifiers into DNS replies were not random enough.

As a result, attackers could create fake DNS replies that would pass muster and perform DNS poisoning on the local device’s stored list of known DNS replies.

By feeding an internet device a list of server names and fake IP numbers, criminals could trick that device into visiting imposter sites, replacing the real IP numbers of well-known servers with IP numbers controlled by the crooks.
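The checks that the parsing and loop-limit bugs described above lacked, shown as an added example (not code from the Forescout/JSOF report or from any of the affected stacks): a decoder for RFC 1035 names that validates every read against the packet length, validates every write against the output buffer, and caps compression-pointer jumps. The function name, the hop limit of 16 and the sample packets are assumptions made for illustration; compression pointers are part of RFC 1035 and go beyond what the article itself spells out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_HOPS 16   /* assumed cap on compression-pointer jumps */

/* Decode the RFC 1035 name starting at msg[off] into out as dotted text.
 * Returns the text length, or -1 if the packet is malformed. Every read is
 * checked against msg_len and every write against out_cap. */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_cap)
{
    size_t used = 0;
    int hops = 0;
    if (out_cap == 0) return -1;
    for (;;) {
        if (off >= msg_len) return -1;            /* length byte outside packet */
        uint8_t len = msg[off];
        if (len == 0) break;                      /* root label: end of name */
        if ((len & 0xC0) == 0xC0) {               /* compression pointer */
            if (off + 1 >= msg_len) return -1;    /* second pointer byte missing */
            if (++hops > DNS_MAX_HOPS) return -1; /* loop limit: stops pointer cycles */
            off = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (len & 0xC0) return -1;                /* reserved label types */
        /* Label body must lie inside the packet (read overflow check). */
        if (len > msg_len - off - 1) return -1;
        /* Label, a '.' separator and the final NUL must fit (write overflow check). */
        if (used + len + 2 > out_cap) return -1;
        if (used > 0) out[used++] = '.';
        memcpy(out + used, msg + off + 1, len);
        used += len;
        off += 1 + (size_t)len;
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_OK[] = {   /* "www", then pointer to offset 6 */
    3,'w','w','w', 0xC0,0x06, 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t SAMPLE_LOOP[]  = { 0xC0, 0x00 };   /* pointer to itself */
static const uint8_t SAMPLE_TRUNC[] = { 63, 'a', 'b' }; /* claims 63 bytes, has 2 */

int main(void) {
    char buf[32];
    printf("ok:    %d\n", dns_read_name(SAMPLE_OK, sizeof SAMPLE_OK, 0, buf, sizeof buf));
    printf("loop:  %d\n", dns_read_name(SAMPLE_LOOP, sizeof SAMPLE_LOOP, 0, buf, sizeof buf));
    printf("trunc: %d\n", dns_read_name(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, 0, buf, sizeof buf));
    return 0;
}
```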

The bugs were:

The NAME:WRECK report includes a ninth bug, though this one was actually found back in 2016 by researchers at Exodus Intelligence. Somehow, that bug never received a CVE identifier at the time, but one has been issued retrospectively, namely CVE-2016-20009. That bug was a buffer overwrite in WindRiver’s IPNet software, apparently leading to remote code execution. We’re not sure if it was ever fixed, or if it’s still exploitable in current IPNet versions. If you are a WindRiver user, we recommend consulting the Exodus report for further details to help you work out if you are vulnerable.

What to do?

As so often, patching is the cure in this case.

Regular FreeBSD users will almost certainly have updated their laptops and servers by now, and almost certainly don’t need to worry.

However, if you have an embedded device based on FreeBSD, you may want to contact the maker of the device for confirmation that the patch has been included in the current device firmware.

Given the media interest in this report, developers using Nucleus NET or NetX in their products should consider publishing a note for their customers to say whether their devices are vulnerable or not.

Programmers interested in the sort of low-level coding errors that led to these bugs might want to take a look at the Forescout/JSOF report, which gives six practical examples of the coding blunders to look for!

This content was originally published here.

How to Make a Smart Home | Vector Security

What is a Smart Home?

Creating a smart home means using technology that saves you time and money, while also adding comfort and convenience to your lifestyle in a secure environment. Equipping your home with smart home technology solutions allows you to employ devices to help you do things like:

There are a variety of ways to outfit your home with the latest technology to support your smart home. When choosing smart home products for your home, you want to make sure that they are designed with security in mind and are compatible with one another, so you enjoy the benefits of a true smart home ecosystem.

How to Automate Your Home

Home automation transforms your home to respond to your unique schedule or even to your changing mood. Using the modes feature in the Vector Security app, you can create automatic settings for your lighting, locks and thermostat. The following devices should be at the top of your list when automating your home:

Smart Door Locks

Smart door locks allow you to remotely lock or unlock your doors using your smart phone. This feature can be a highly convenient way to let visitors in when you’re not home, lock doors that you forgot to secure, and help reduce lockouts. You can also give personal access codes to pet walkers, guests and other visitors. You can even create scenes that will disarm your system when you unlock your door.

Smart Lighting

Imagine that the power of saving money on your energy bill is in the palm of your hands. With smart lighting, the dream becomes reality through home automation. Control your lights with your smart device or set them on a schedule that fits your lifestyle. Smart lighting even enables you to give the appearance that you are coming into a lit home at night if you have been away.

Smart Doorbell Camera

The smart doorbell camera is perhaps one of the most popular smart home products. That’s because they let you see and talk to your visitor without having to be home or opening the door. When you’re waiting on that package to arrive, let your smart doorbell camera be your eyes and ears while you run errands.

Smart Thermostat

The smart thermostat allows for another level of energy efficiency and the comfort of conveniently controlling the temperature of your home from your smartphone. Adding the smart thermostat to your smart home lighting package allows you to leverage the power of controlling your home’s energy ecosystem through one convenient app.

Smart Home Video Cameras

Using video cameras to capture what’s going on within and around your home can offer peace of mind. You’ll know when your kids get home, what your pets are up to and who’s at your front door. And you receive alerts from the Vector Security App when incidents occur.

Mobile Security

Give yourself the extra level of convenience and protection of being able to track and control all of the smart devices in your home with the Vector Security app. Gone are the days when you had to be home to know what’s going on. Even when you are home, the app gives you the peace of mind of knowing that your home is being monitored 24/7 through our monitoring center, which can dispatch emergency officials if needed.

The Benefits of Home Automation

A smart home is most efficient when all connected devices work together seamlessly, with you at the center of command. By controlling it all from one mobile app, you can create a smart home ecosystem that fits your lifestyle and budget.

For help choosing the right smart home package for you, contact us for a professional smart home design consultation.

Boundary Launch DIY Z-Wave Smart Home Security System – Automated Home

After hitting their Kickstarter funding target in just 48 hours back in June 2019, Edinburgh-based startup Boundary have just launched their new smart home security system.

Installation & Monitoring

The DIY version of the alarm system can be self-installed, and with the professional installation option it can be police-monitored too.

Having passed a programme of rigorous pre-compliance testing, Boundary is currently pending certification (expected to be signed off end Q1) to Grade 2 UK & European alarm testing standards, which not only means that the alarm is robust and performs reliably, but that it is also tamper-proof to would-be burglars. Grade 2 certification is also one of the requirements of insurers as well as the police for an automatic level 1 priority response.

Boundary say the alarm can be fully controlled from a smartphone, and operates on the Z-Wave radio standard.

The DIY system is compatible with Amazon Alexa and the Google Assistant. Philips Hue integration is listed on the Boundary website too, and this appears to be via IFTTT rather than built-in Zigbee.

It would be good to see a link up with some smart locks and Boundary say this is on their list of potential integrations to consider.

The Boundary system uses “industry standard X.509 and TLS” for end-to-end encryption of data and promises over-the-air security updates too.

Unlike similar products of its kind, Boundary is built to last, with a lifespan of seven years. What’s more, the system uses advanced algorithms and technology to check the system remotely, including battery life (CR123A batteries) which, in the sensors, should last over a year.

I don’t think I’ve ever seen another product with such an honest statement as “lifespan of seven years”. We asked Boundary what this means exactly and they told us:

[The system has a] 12 month warranty, 3 year extended with Plus or Pro plan, the System is designed with 7 year minimum lifetime specification in terms of quality component selection

Boundary say their security systems will become the only smart alarm in the UK accurate enough to provide an automatic police response and the only truly ‘smart’ alarm system to meet UK and European alarm standards.

Check out the link and the video below to learn more.

Interesting that Boundary’s monitored system is priced at £25 per month. We have a monitored ADT system and that’s what their monthly charge was when it was first installed – 27 years ago. Now with regular cost of living increases it’s £47 pm! I’d been looking around for an alternative, more integrated system so this article is timely, Mark. Thanks

99% of Security Pros Struggling to Secure Their IoT & IIoT Devices

Organizations are increasingly introducing new Internet of Things (IoT) devices into their environments. According to Statista, the aggregate number of IoT devices deployed by organizations globally increased from 7.74 billion in 2019 to around 8.74 billion a year later. The market and consumer data firm reported that the next few years will see growth in all types of IoT devices, including Industrial Internet of Things (IIoT) offerings like smart monitors. It wrote that connected devices are expected to grow from 10.07 billion in 2021 to 25.44 billion by 2030.

This growth raises an important question: how are security professionals feeling about this projected influx of IoT and IIoT devices? Do they feel confident in their ability to secure these additional products? What approaches are they using to fuel their security efforts?

To answer these questions, Tripwire partnered with Dimensional Research to conduct a survey between March 3 and March 10, 2021 of individuals who were directly responsible for IoT security at their company. Their responses helped to illuminate the approaches, challenges and opinions of security professionals toward connected devices in their enterprise environments and industrial infrastructure.

Challenges with Securing Devices

Of the 312 security professionals who participated in the survey, 99% of them informed Tripwire that they had encountered challenges in the process of securing their organization’s IoT and IIoT devices. Two-thirds of those respondents said that they had experienced difficulty in their attempts to discover and remediate vulnerabilities. They were followed closely by those who encountered issues in tracking an inventory of their IoT devices (60%), validating compliance with security policies (58%), establishing secure configurations (56%) and detecting changes on those devices (55%). More than a third (37%) of security professionals also revealed that they had a hard time gathering forensic data after a detected incident.

Acknowledging those challenges, it’s not surprising that 53% of survey participants said that they were somewhat concerned about the risks associated with those devices. Another 42% of respondents indicated that they were very concerned about those security risks.

Tripwire asked those security professionals to expand upon those risks. In the process, more than three quarters of respondents clarified that they were worried their organization’s connected devices didn’t fit within their existing security approach, with 88% fearful that they would need additional resources to adequately meet the needs of their organization’s IoT and IIoT devices.  

These concerns deepened among industrial-minded survey participants. Indeed, 53% of those respondents said that they lacked the ability to fully monitor newly connected systems.

Tim Erlin, vice president of product management and strategy at Tripwire, explained that this finding highlights the need for industrial cybersecurity professionals to gain a better understanding of what’s going on in their environments:

The industrial sector is facing a new set of challenges when it comes to securing a converged IT-OT environment. In the past, cybersecurity was focused on IT assets like servers and workstations, but the increased connectivity of systems requires that industrial security professionals expand their understanding of what’s in their environment. You can’t protect what you don’t know.

Securing the Industrial Supply Chain

That wasn’t the only visibility issue that respondents brought up with Tripwire.

Indeed, 61% of industrial cybersecurity professionals said that they didn’t have visibility into the types of changes that security vendors in their supply chain might be experiencing. A majority (97%) of those survey participants said that they therefore had concerns about the security of their supply chain. More than four-fifths (87%) of them said that they were specifically worried about the supply chain security risks introduced by existing IoT and IIoT security guidelines.

Erlin wasn’t surprised to learn of this:

It’s understandable that managing supply chain risk is top of mind for industrial security teams given the level of attack we have seen this year. Large-scale supply chain risk isn’t new, so if anything, this should encourage companies to invest in resources that help maintain a more secure environment.

It appears that some companies are heeding Erlin’s advice. More than half (59%) of respondents explained that their organization’s budget for managing supply chain security had increased in the past year. That spending could support the 88% of security professionals who are already using PCI, NIST and other standards and frameworks to secure their supply chains. Even so, that didn’t prevent professionals in a variety of industrial sectors from stating that their organizations would benefit from expanded industrial control systems (ICS) security standards.

How Tripwire Can Help

Organizations can work with Tripwire to evaluate the security of their connected devices. Using security assessments, Tripwire can evaluate those devices for security risks and vulnerabilities that exist in those devices’ physical construction as well as for potential weaknesses in the ways in which organizations have configured them. Learn more about those assessments here.

To download the full survey results, click here: https://www.tripwire.com/misc/iot-and-iiot-cybersecurity-report
