
Microsoft Section 52 research team discovered 25 critical vulnerabilities affecting various internet of things (IoT) and operational technology (OT) devices.

The Azure Defender for IoT security group warned that threat actors could exploit the critical memory allocation vulnerabilities to bypass various security controls and execute malicious code remotely.

The security flaws dubbed “BadAlloc” affect several vendors’ devices in a wide range of domains including consumer electronics, medical IoT, and industrial control (ICS) systems.

Lack of input validation responsible for IoT security critical vulnerabilities

Microsoft’s research team noted that various IoT device vendors failed to implement input validation allowing attackers to inject malicious code.

“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations,” the report stated. “Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.”

The researchers added that the critical memory allocation vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and others to allocate memory.

The IoT security critical vulnerabilities can be triggered by calling the vulnerable function and passing a parameter taken from an external input, for example, malloc(MALICIOUS_INPUT). The parameter must be large enough to trigger an overflow, a system crash, or a wraparound.
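The allocation pattern described above, as an added illustration that is not code from the Microsoft report or from any affected vendor: a hypothetical toy allocator that prepends a header and rounds the request up to an alignment boundary, computed once without validation (a request near SIZE_MAX wraps to a tiny block, so a later write overflows the heap) and once with the bounds check the researchers say was missing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical allocator layout used only for this example:
 * an 8-byte header precedes each block and totals are 8-byte aligned. */
#define HDR_SIZE 8u
#define ALIGN    8u
#define ALIGN_UP(n) (((n) + (ALIGN - 1)) & ~(size_t)(ALIGN - 1))

/* Unvalidated: requested + HDR_SIZE can wrap around in size_t, so a huge
 * request yields a small block while the caller still assumes it got
 * the size it asked for. */
size_t unsafe_block_size(size_t requested) {
    return ALIGN_UP(requested + HDR_SIZE);
}

/* Validated: refuse any request whose header and alignment arithmetic
 * would wrap. Returns 0 to signal rejection (a real allocator returns NULL). */
size_t checked_block_size(size_t requested) {
    if (requested > SIZE_MAX - HDR_SIZE - (ALIGN - 1)) {
        return 0; /* requested + HDR_SIZE + (ALIGN - 1) would exceed SIZE_MAX */
    }
    return ALIGN_UP(requested + HDR_SIZE);
}

/* Sanity predicate: does the computed block really hold the request plus
 * its header? Written without addition so it cannot wrap itself. */
int block_covers_request(size_t block, size_t requested) {
    return block != 0 && block >= requested && block - requested >= HDR_SIZE;
}

/* Allocation wrapper built on the checked computation; stores the
 * requested size in the header and returns the user pointer or NULL. */
void *checked_alloc(size_t requested) {
    size_t total = checked_block_size(requested);
    if (total == 0) return NULL;
    unsigned char *raw = malloc(total);
    if (raw == NULL) return NULL;
    memcpy(raw, &requested, sizeof requested < HDR_SIZE ? sizeof requested : HDR_SIZE);
    return raw + HDR_SIZE;
}

void checked_free(void *user) {
    if (user != NULL) free((unsigned char *)user - HDR_SIZE);
}

int main(void) {
    size_t huge = SIZE_MAX - 3; /* constructed attacker-sized request */
    printf("unsafe: %zu bytes, checked: %zu bytes, ptr: %p\n",
           unsafe_block_size(huge), checked_block_size(huge), checked_alloc(huge));
    return 0;
}
```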

Memory allocation problem systemic across devices and implementations

The researchers found that the memory allocation problem persisted across various areas including the C standard library (libc), real-time operating systems (RTOS), and embedded software development kits (SDKs).

Microsoft researchers noted that they had not observed real-world exploitation of the IoT security critical vulnerabilities. However, they noted that if successfully exploited, they posed significant risks to all types of organizations.

Microsoft informed the Department of Homeland Security’s Critical Infrastructure and Security Agency (DHS-CISA) of the IoT security critical vulnerabilities. They also disclosed their findings to device vendors allowing them to further investigate the problem.

DHS-CISA released a list of vulnerable devices from vendors including Amazon, ARM, Samsung, and Texas Instruments, among others. Affected SDKs include the Google Cloud IoT Device SDK and the MediaTek LinkIt SDK before v. 4.6.1. Real-time and IoT operating systems containing BadAlloc bugs include Amazon FreeRTOS v. 10.4.1, Samsung Tizen RT RTOS before version 3.9.GBB, and Apache NuttX OS version 9.1.0.

Some vendors uninterested in patching the IoT security flaws

Patches have been released for fifteen devices, while fixes for others are planned.

Surprisingly, some device vendors do not plan to patch the exposed IoT security critical vulnerabilities. However, system administrators can apply various mitigations recommended by CISA and Microsoft for minimizing network exposure.

Suggested mitigations include network segmentation, isolating vulnerable networks and devices, and setting various firewall rules.

The researchers also recommended continuous network monitoring for suspicious behaviors such as requests to unknown remote hosts.

Additionally, network administrators could keep OT devices disconnected, or use VPNs together with an additional layer of security such as multi-factor authentication. The extra layer is necessary because VPN appliances can themselves have critical vulnerabilities, which would further expose the networks.

Commenting on IoT security flaws, Tal Ben-David, VP R&D and co-founder of Karamba Security, said:

“Manufacturers can’t assert that such third-party OS and libraries are black boxes to them. Given the mission-critical and life-risking devices that are affected by the reported vulnerabilities, IoT and Edge device manufacturers can leverage the deterministic nature of such devices and protect them against the exploitation of hidden issues in their binaries and in the OS and third-party software that they use.”

He suggested that organizations could prevent threat actors from exploiting the IoT security vulnerabilities by “adding deterministic runtime defense controls” such as data execution prevention and control flow integrity.

“Most of the announced vulnerabilities will not be trivial to exploit (only one of them received a Critical CVSS score),” Ilya Khivrich, Chief Scientist at Vdoo, said. “More importantly, the practical exploitability of the vulnerabilities will depend on the code using the memory allocation libraries in which the bugs were found.”

Khivrich added that the discovery of the 25 critical vulnerabilities highlighted the importance of understanding the software components present in devices and their configurations.

“The discovered vulnerabilities cover quite a large range of platforms commonly used in IoT devices, and verifying the used library versions and applying updates or patches will be the most important step. In order to identify similar additional vulnerabilities in these and other libraries, companies should use in-depth testing techniques such as API fuzzing.”


“The vulnerabilities presented by Microsoft’s Section 52 affecting the memory allocators are a perfect example of how security issues that were solved in consumer operating systems years ago are still very present in the OT world,” said Andrea Carcano, Co-Founder of Nozomi Networks.


How to Make a Smart Home | Vector Security


What is a Smart Home?

Creating a smart home means using technology that saves you time and money, while also adding comfort and convenience to your lifestyle in a secure environment. Equipping your home with smart home technology solutions allows you to employ devices to help you do things like:

There are a variety of ways to outfit your home with the latest technology. When choosing smart home products, make sure that they are compatible with one another, so you enjoy the benefits of a true smart home ecosystem, and that they are designed with security in mind.

How to Automate Your Home

Home automation transforms your home to respond to your unique schedule or even to your changing mood. Using the modes feature in the Vector Security app, you can create automatic settings for your lighting, locks and thermostat. The following devices should be at the top of your list when automating your home:

Smart Door Locks

Smart door locks allow you to remotely lock or unlock your doors using your smartphone. This can be a highly convenient way to let visitors in when you’re not home, lock doors that you forgot to secure, and reduce lockouts. You can also give personal access codes to pet walkers, guests and other visitors, and even create scenes that disarm your system when you unlock your door.

Smart Lighting

Imagine that the power of saving money on your energy bill is in the palm of your hands. With smart lighting, the dream becomes reality through home automation. Control your lights with your smart device or set them on a schedule that fits your lifestyle. Smart lighting even enables you to give the appearance that you are coming into a lit home at night if you have been away.

Smart Doorbell Camera

The smart doorbell camera is one of the most popular smart home products because it lets you see and talk to your visitor without being home or opening the door. When you’re waiting on a package to arrive, let your smart doorbell camera be your eyes and ears while you run errands.

Smart Thermostat

The smart thermostat allows for another level of energy efficiency and the comfort of conveniently controlling the temperature of your home from your smartphone. Adding the smart thermostat to your smart home lighting package allows you to leverage the power of controlling your home’s energy ecosystem through one convenient app.

Smart Home Video Cameras

Using video cameras to capture what’s going on within and around your home can offer peace of mind. You’ll know when your kids get home, what your pets are up to and who’s at your front door. And you receive alerts from the Vector Security App when incidents occur.

Mobile Security

Give yourself the extra convenience and protection of being able to track and control all of the smart devices in your home with the Vector Security app. Gone are the days when you had to be home to know what’s going on. Even when you are home, the app gives you the peace of mind of knowing that your home is monitored 24/7 by our monitoring center, which can dispatch emergency officials if needed.

The Benefits of Home Automation

A smart home is most efficient when all connected devices work together seamlessly, with you at the center of command. Controlling it all from one mobile app, you can create a smart home ecosystem that fits your lifestyle and budget.

For help choosing the right smart home package for you, contact us for a professional smart home design consultation.


Boundary Launch DIY Z-Wave Smart Home Security System – Automated Home


After hitting their Kickstarter funding target in just 48 hours back in June 2019, Edinburgh-based startup Boundary have just launched their new smart home security system.

Installation & Monitoring

The DIY version of the alarm system can be self-installed, and with the professional installation option it can be police-monitored too.

Having passed a programme of rigorous pre-compliance testing, Boundary is currently pending certification (expected to be signed off at the end of Q1) to Grade 2 UK and European alarm testing standards, which means not only that the alarm is robust and performs reliably, but also that it is tamper-proof against would-be burglars. Grade 2 certification is also one of the requirements of insurers, as well as the police, for an automatic level 1 priority response.

Boundary say the alarm can be fully controlled from a smartphone and operates on the Z-Wave radio standard.

The DIY system is compatible with Amazon Alexa and the Google Assistant. Philips Hue integration is listed on the Boundary website too, and this appears to be via IFTTT rather than built-in Zigbee.

It would be good to see a link up with some smart locks and Boundary say this is on their list of potential integrations to consider.

The Boundary system uses “industry standard X.509 and TLS” for end-to-end encryption of data and promises over-the-air security updates too.

Unlike similar products, Boundary is built to last, with a lifespan of seven years. The system also checks itself remotely, including the battery life of the sensors (CR123A batteries), which should last over a year.

I don’t think I’ve ever seen another product with such an honest statement as “lifespan of seven years”. We asked Boundary what this means exactly and they told us:

[The system has a] 12-month warranty, 3-year extended with the Plus or Pro plan; the system is designed with a 7-year minimum lifetime specification in terms of quality component selection.

Boundary say their security systems will become the only smart alarm in the UK accurate enough to provide an automatic police response and the only truly ‘smart’ alarm system to meet UK and European alarm standards.

Check out the link and the video below to learn more.

Interesting that Boundary’s monitored system is priced at £25 per month. We have a monitored ADT system and that’s what their monthly charge was when it was first installed – 27 years ago. Now, with regular cost of living increases, it’s £47 pm! I’d been looking around for an alternative, more integrated system, so this article is timely, Mark. Thanks.


99% of Security Pros Struggling to Secure Their IoT & IIoT Devices


Organizations are increasingly introducing new Internet of Things (IoT) devices into their environments. According to Statista, the aggregate number of IoT devices deployed by organizations globally increased from 7.74 billion in 2019 to around 8.74 billion a year later. The market and consumer data firm reported that the next few years will see growth in all types of IoT devices, including Industrial Internet of Things (IIoT) offerings like smart monitors. It wrote that connected devices are expected to grow from 10.07 billion in 2021 to 25.44 billion by 2030.

This growth raises an important question: how are security professionals feeling about this projected influx of IoT and IIoT devices? Do they feel confident in their ability to secure these additional products? What approaches are they using to fuel their security efforts?

To answer these questions, Tripwire partnered with Dimensional Research to conduct a survey between March 3 and March 10, 2021 of individuals who were directly responsible for IoT security at their company. Their responses helped to illuminate the approaches, challenges and opinions of security professionals toward connected devices in their enterprise environments and industrial infrastructure.

Challenges with Securing Devices

Of the 312 security professionals who participated in the survey, 99% of them informed Tripwire that they had encountered challenges in the process of securing their organization’s IoT and IIoT devices. Two-thirds of those respondents said that they had experienced difficulty in their attempts to discover and remediate vulnerabilities. They were followed closely by those who encountered issues in tracking an inventory of their IoT devices (60%), validating compliance with security policies (58%), establishing secure configurations (56%) and detecting changes on those devices (55%). More than a third (37%) of security professionals also revealed that they had a hard time gathering forensic data after a detected incident.

Acknowledging those challenges, it’s not surprising that 53% of survey participants said that they were somewhat concerned about the risks associated with those devices. Another 42% of respondents indicated that they were very concerned about those security risks.

Tripwire asked those security professionals to expand upon those risks. More than three-quarters of respondents clarified that they were worried their organization’s connected devices didn’t fit within their existing security approach, and 88% feared that they would need additional resources to adequately meet the needs of their organization’s IoT and IIoT devices.

These concerns deepened among industrial-minded survey participants. Indeed, 53% of those respondents said that they lacked the ability to fully monitor newly connected systems.

Tim Erlin, vice president of product management and strategy at Tripwire, explained that this finding highlights the need for industrial cybersecurity professionals to gain a better understanding of what’s going on in their environments:

The industrial sector is facing a new set of challenges when it comes to securing a converged IT-OT environment. In the past, cybersecurity was focused on IT assets like servers and workstations, but the increased connectivity of systems requires that industrial security professionals expand their understanding of what’s in their environment. You can’t protect what you don’t know.

Securing the Industrial Supply Chain

That wasn’t the only visibility issue that respondents brought up with Tripwire.

Indeed, 61% of industrial cybersecurity professionals said that they didn’t have visibility into the types of changes that security vendors in their supply chain might be experiencing. A majority (97%) of those survey participants said that they therefore had concerns about the security of their supply chain. More than four-fifths (87%) of them said that they were specifically worried about the supply chain security risks introduced by existing IoT and IIoT security guidelines.

Erlin wasn’t surprised to learn of this:

It’s understandable that managing supply chain risk is top of mind for industrial security teams given the level of attack we have seen this year. Large-scale supply chain risk isn’t new, so if anything, this should encourage companies to invest in resources that help maintain a more secure environment.

It appears that some companies are heeding Erlin’s advice. More than half (59%) of respondents explained that their organization’s budget for managing supply chain security had increased in the past year. That spending could support the 88% of security professionals who are already using PCI, NIST and other standards and frameworks to secure their supply chains. Even so, professionals across a variety of industrial sectors still stated that their organizations would benefit from expanded industrial control systems (ICS) security standards.

How Tripwire Can Help

Organizations can work with Tripwire to evaluate the security of their connected devices. Using security assessments, Tripwire can evaluate those devices for risks and vulnerabilities in their physical construction, as well as for potential weaknesses in the ways organizations have configured them. Learn more about those assessments here.

To download the full survey results, click here: https://www.tripwire.com/misc/iot-and-iiot-cybersecurity-report
