Sam Stelfox

Smart home cybersecurity news roundup [June 2020]

June’s smart home cybersecurity news roundup includes 19 zero-day vulnerabilities in IoT devices, vulnerabilities found in a popular networking brand’s devices, and malware affecting macOS users.


Ripple20 brings 19 new zero-day vulns for IoT devices

19 new zero-day vulnerabilities, collectively named Ripple20, have been found in the Treck TCP/IP stack, a TCP/IP protocol suite designed for embedded systems, putting hundreds of millions of devices at risk. Among them are CVE-2020-11896, a remote code execution bug, and CVE-2020-11898, an information leak.

The vulnerabilities were first discovered by JSOF, an Israel-based cybersecurity firm that specializes in IoT security as well as the automotive, media, embedded-device, mobile-device, and general-purpose computing fields.

Devices built on the vulnerable library are found in ground transportation, government and national security, oil and gas, aviation, and power grids, as well as in medical, home, industrial, networking, enterprise, retail, and other IoT products.

The vulnerabilities can be exploited for remote code execution, denial of service, data theft, and more, and they range from high to critical severity.

“The risks inherent in this situation are high. Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.” [JSOF]

“As concerning as these 19 vulnerabilities are, this report highlights an often overlooked security concern: vendors reusing and repurposing common software libraries,” says Scott Caveza, research engineering manager at cybersecurity firm Tenable Inc.

“This practice creates challenges when it comes to identifying and patching logic and security issues in code, as it becomes a vendor-specific issue. A fix for one vulnerability might have multiple solutions from various vendors, and it’s possible specific patch attempts could open up additional attack vectors if not properly implemented.”

Device manufacturers can address these issues by following long-standing best practices: enabling exploit mitigations in their build processes, performing security-oriented code reviews, and hiring a specialized firm to perform a device security analysis. None of this is new advice, but the latter two at least add cost to device development.

Until device manufacturers start taking device security seriously, operators need to treat most embedded devices as a potential security risk and design their network defenses accordingly: limit access to the bare minimum of ports the system needs to operate, and only from trusted sources, and get some visibility into each device's behavior. A compromised device's network usage profile will change—find a way to get eyes on it.
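As an added illustration of the "get eyes on it" advice (example code, not from the original post or from JSOF), the script below learns a device's normal peers and flow sizes from a baseline window of flow records and flags departures from that profile. The flow-record format and the log lines are constructed for the example.

```python
from collections import defaultdict
# Constructed sample flows (not real logs): "timestamp src dst dport proto bytes".
BASELINE_LOGS = """\
2020-06-01T10:00:01 10.0.20.15 10.0.10.5 443 tcp 1200
2020-06-01T10:05:07 10.0.20.15 10.0.10.5 443 tcp 980
2020-06-01T11:00:02 10.0.20.15 10.0.10.9 123 udp 76
2020-06-02T09:30:44 10.0.20.15 10.0.10.5 443 tcp 1100
"""
# Later capture of the same device: one normal flow, two new peers, one volume spike.
NEW_LOGS = """\
2020-06-20T10:00:03 10.0.20.15 10.0.10.5 443 tcp 1150
2020-06-20T10:00:09 10.0.20.15 10.0.20.16 445 tcp 4200
2020-06-20T10:01:11 10.0.20.15 203.0.113.77 8080 tcp 95000
2020-06-20T10:02:00 10.0.20.15 10.0.10.5 443 tcp 40000
"""

def parse_flows(text):
    """One flow record per line; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto, nbytes = line.split()
            flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                          "proto": proto, "bytes": int(nbytes)})
    return flows

def build_baseline(flows):
    """Per source device: the (dst, port, proto) peers seen and the largest single flow."""
    baseline = defaultdict(lambda: {"peers": set(), "max_bytes": 0})
    for f in flows:
        entry = baseline[f["src"]]
        entry["peers"].add((f["dst"], f["dport"], f["proto"]))
        entry["max_bytes"] = max(entry["max_bytes"], f["bytes"])
    return baseline

def find_anomalies(baseline, flows, byte_factor=10):
    """Return (timestamp, device, reason) for flows that break the device's profile."""
    alerts = []
    for f in flows:
        entry = baseline.get(f["src"])  # .get() does not insert into the defaultdict
        peer = (f["dst"], f["dport"], f["proto"])
        if entry is None:
            alerts.append((f["ts"], f["src"], "device not in baseline"))
        elif peer not in entry["peers"]:
            alerts.append((f["ts"], f["src"], "new peer %s:%d/%s" % peer))
        elif f["bytes"] > byte_factor * entry["max_bytes"]:
            alerts.append((f["ts"], f["src"], "flow of %d bytes exceeds %dx baseline max"
                           % (f["bytes"], byte_factor)))
    return alerts
```

In practice the baseline would be built from exported flow records (NetFlow, Zeek conn logs or similar) over a quiet period, and a new peer such as 203.0.113.77:8080 from a printer or pump is exactly the change worth investigating.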

Zero-day vulnerability found in 79 NETGEAR devices

A new firmware vulnerability revealed by cybersecurity company GRIMM could allow 79 NETGEAR routers and modems dating back as far as 2007 to become compromised.

The vulnerability directly affects how NETGEAR devices handle incoming data and could allow cybercriminals to bypass the router’s authentication process. This would allow the hacker a complete takeover of the network and any devices connected to it.

It’s been reported that 758 different firmware versions contain the vulnerability, and that NETGEAR was exposed because of a “lack of testing”, according to Adam Nichols, head of the Software Application Security team at GRIMM. He says NETGEAR isn't properly validating user input to its administration panel, and isn’t protecting against buffer overflow attacks with “stack cookies” (stack canaries) or by compiling its web server as a Position-Independent Executable (PIE).
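The two missing mitigations named above (stack cookies and PIE) are the same ones the Ripple20 section recommends enabling in the build process, and both are visible in a shipped binary. The following added example (not GRIMM's or NETGEAR's code) reads the ELF header to tell a fixed-address executable from a position-independent one and looks for the linked-in stack-protector handler; the sample ELF bytes are constructed for illustration, and `check_file` assumes you point it at a binary extracted from a firmware image.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type: fixed-address executable vs. position-independent

def elf_header_info(data):
    """Read class, byte order and e_type from the ELF identification bytes and header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 little, 2 big (common on MIPS routers)
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {"bits": 64 if data[4] == 2 else 32, "big_endian": endian == ">", "e_type": e_type}

def check_hardening(data):
    """Heuristics in the spirit of checksec: PIE from e_type, stack protector from the
    presence of the __stack_chk_fail symbol name (the canary failure handler)."""
    info = elf_header_info(data)
    return {"pie": info["e_type"] == ET_DYN,
            "stack_protector": b"__stack_chk_fail" in data,
            **info}

def check_file(path):
    with open(path, "rb") as fh:
        return check_hardening(fh.read())

def make_sample(e_type, big_endian=False, with_canary=False):
    """Constructed minimal ELF header plus a fake string table, for illustration only."""
    endian = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([2, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine (8 = MIPS, 62 = x86-64), e_version
    header = ident + struct.pack(endian + "HHI", e_type, 8 if big_endian else 62, 1)
    strtab = b"\x00__stack_chk_fail\x00" if with_canary else b"\x00main\x00"
    return header + strtab

HARDENED_X86_64 = make_sample(ET_DYN, with_canary=True)
UNHARDENED_MIPS = make_sample(ET_EXEC, big_endian=True)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Two caveats: shared libraries are also ET_DYN, so run this on executables, and the string match only shows that a canary handler was linked in, not that every function was compiled with one.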

On June 22, Nathan Papadopulos, Global Communications and Strategic Partner Marketing at NETGEAR, spoke with Matthew Humphries of PC Magazine about the steps NETGEAR is taking to mitigate the issue. He said the first firmware patches were starting to roll out, most notably for the R6400 and R6700 routers.

Netgear 6400 (screenshot, July 2, 2020)

For now the patches are beta fixes that "could negatively affect the regular operation of [the] device." He said the risks of applying them were “very low”, however, and that they should be applied as soon as possible. NETGEAR has given no timeframe for when its official patch releases will be available.

This vulnerability has a bigger impact now that more people are working from home: when an entire home network is compromised, company data and sensitive information may be compromised along with it.

The full list of affected NETGEAR devices can be found here.

Fake Flash installer malware hits macOS users

Perhaps the biggest misconception about devices running macOS is that they are “virus-proof.” This is increasingly not the case. Antivirus firm Intego has discovered a new variant of the Shlayer malware that spreads through Google search results.

The Shlayer trojan was first discovered in February 2018 and now affects one in ten macOS users. It and its many variants cause the user to download unwanted or malicious adware such as Bundlore.

This new Shlayer variant presents itself as a fake Adobe Flash Player installer that bypasses Apple’s built-in security protections. The malware guides the user to right-click or “Control-click” the package instead of left-clicking it, which lets the user get past the Gatekeeper dialog that would otherwise only offer to move the unsigned package to the trash.

Example of an unsigned package (image: Apple)

Example of an unsigned package opened by Control-clicking (image: Apple)

It’s unclear how many users have been affected by the malware to date, but the ease with which it spreads is alarming. Computers become infected when users click certain links that appear in Google search results and are redirected through several pages before landing on a Flash Player download page. Intego’s team found that these links appeared when searching for the exact titles of YouTube videos.
