June’s smart home cybersecurity news roundup includes 19 zero-day vulnerabilities in IoT devices, vulnerabilities found in a popular networking brand’s devices, and malware affecting macOS users.
Ripple20 brings 19 new zero-day vulns for IoT devices
19 new zero-day vulnerabilities have been detected in relation to the Treck TCP/IP stack, a TCP/IP protocol suite designed for embedded systems, putting hundreds of millions of systems at risk. These vulnerabilities are CVE-2020-11896 RCE and CVE-2020-11898 Info Leak.
The vulnerabilities were first discovered by Israeli-based cybersecurity firm JSOF, who specializes in IoT security as well as automotive, media, embedded devices, and mobile devices fields, as well as general-purpose computing.
The vulnerable device libraries can be found in ground transportation, government and national security sectors, oil and gas, aviation, power grids, and medical, home, industrial, networking, enterprise, retail, and other IoT devices.
The vulnerabilities can be exploited for remote code execution, denial of service attacks, stealing data, and more. Each vulnerability ranges between critical and high severity.
“The risks inherent in this situation are high. Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.” [JSOF]
“As concerning as these 19 vulnerabilities are, this report highlights an often overlooked security concern: vendors reusing and repurposing common software libraries,” says Scott Caveza, research engineering manager at cybersecurity firm Tenable Inc.
“This practice creates challenges when it comes to identifying and patching logic and security issues in code, as it becomes a vendor-specific issue. A fix for one vulnerability might have multiple solutions from various vendors, and it’s possible specific patch attempts could open up additional attack vectors if not properly implemented.”
Device manufacturers can address these issues by following long-standing best practices such as enabling exploit mitigations in their build processes, performing security-oriented code reviews, and hiring a specialized firm to perform a device security analysis. This is not new advice but the latter two at least would add costs to the development of devices.
Without device manufacturers choosing to start caring about device security, operators need to treat most embedded devices as a potential security risk and design their network defenses accordingly: limit access to the bare minimum number of ports required for the system's operation and only from trusted sources, and get some visibility into the device’s behavior. A hacked device's network usage profile will change—find a way to get eyes on it.
#Ripple20 is bound to happen again. What can manufacturers do to prepare for "Ripple21"?
— JSOF Cyber Security (@JSOF18) June 30, 2020
#1 Invest in exploit mitigations
#2 Pen-testing, secure code review, SDL process
#3 Streamline disclosure process, consider SBOM
Best thing operators can do? Ask suppliers for the above!
Zero-day vulnerability found in 79 NETGEAR devices
A new firmware vulnerability revealed by cybersecurity company GRIMM could allow 79 NETGEAR routers and modems dating back as far as 2007 to become compromised.
The vulnerability directly affects how NETGEAR devices handle incoming data and could allow cybercriminals to bypass the router’s authentication process. This would allow the hacker a complete takeover of the network and any devices connected to it.
It’s been reported that 758 different firmware versions contain the vulnerability and that NETGEAR has been exposed because of a “lack of testing” according to Adam Nichols, the head of the Software Application Security team at GRIMM. He says NETGEAR isn't validating the user input for its administration panel properly and isn’t protecting against buffer overflow attacks by using “stack cookies” and compiling its web server code using Position-independent Executable (PIE).
As of June 22, Nathan Papadopulos, Global Communications and Strategic Partner Marketing at NETGEAR, spoke with Matthew Humphries from PC Magazine about the steps NETGEAR is taking to mitigate the issue. He says that the first firmware patches are starting to roll out, most notably for the R6400 and R6700-model routers.
Screenshot from Amazon.com on July 2, 2020
The patch releases are, for now, beta fixes, and "could negatively affect the regular operation of [the] device." He says that the risks in question were “very low” however, and should be applied as soon as possible. There is no given timeframe as to when NETGEAR’s official releases of the patches will be released.
This vulnerability has a bigger impact now that more people are working from home. When an entire network is compromised, it can mean company data and sensitive information has been compromised too.
The full list of affected NETGEAR devices can be found here.
Fake flash installer malware hits macOS users
Perhaps the biggest misconception about devices running MacOS is that they are “virus-proof.” This is increasingly not the case. Antivirus firm Intego has discovered a new, unique variant on the Shlayer malware that spreads through Google search results.
The Shlayer trojan was first discovered in February 2018 and now affects one in ten macOS users. It, and its many variants, cause the user to download unwanted or malicious adware such as Bundlore.
This new Shlayer malware variant presents itself as a fake Adobe Flash Player installer that bypasses Apple’s built-in security protections. The malware guides the user to right-click or “Control-click” on the package rather than left-click on it, allowing the user to bypass the option of moving the unsigned package to the trash.
Example of an unsigned package. Image: Apple
Example of an unsigned package opened by Control-clicking. Image: Apple
It’s unclear the number of users who have been affected by the malware to date, but the ease of how the malware spreads is frightening. Computers become infected when users click certain links that appear in Google search results, redirecting them through several pages before landing on a Flash Player downloader landing page. Intego’s team found that these links appeared when searching for the exact titles of YouTube videos.
Check out our prior smart home cybersecurity updates:
- June 2019: Linksys Smart WiFi router vulnerability and Android pre-installed backdoor
- July 2019: Website drive-by attacks on home routers
- August 2019: VxWorks and Google Nest Cam IQ Indoor vulnerabilities
- September 2019: SMS-based attacks and major router vulnerabilities
- October 2019: What is Gafgyt malware?
- November 2019: What is Light Commands?
- December 2019: Blink camera and Ruckus router vulnerabilities
- January 2020: Ring doorbell privacy concerns
- March 2020: Work From Home edition
- April 2020: Malware stats amid COVID-19
- May 2020: Brand impersonation spear phishing attacks and Nest security update
