Tag Archives: IIoT

IoT Bug Could Lay Waste to Factories ….

When people talk about IoT – Internet of Things – these days, they are thinking of Amazon Alexa or Philips Hue lightbulbs, but where IoT started was in factories and warehouses, decades ago.

Industrial automation, or IIoT, is still where the biggest risk from IoT attacks lies.

Today we learned about a critical remote code execution bug in Schneider Electric’s Modicon programmable logic controllers, or PLCs.

The bug would allow an attacker to get ROOT level access to these controllers and have full control over the devices.

These PLCs are used in manufacturing, building automation, healthcare and many other places.

If exploited, the hackers could shut down production lines, elevators, heating and air conditioning systems and other automation.

The good news, if there is any, is that the attacker would need to gain access to the network first. That could mean an insider attack, a physical infiltration or something simple like really bad remote access security, as at that water plant in Florida. That means that you probably should not count on this extra hurdle to protect the millions of systems that use Modicon controllers.

Schneider Electric has released some “mitigations” but has not released a patch yet.

The bug carries a CVSS severity score of 9.8 out of 10.

What is really concerning is that Schneider released patches for dozens of bugs today.

Given that IIoT users almost never install patches, this “patch release” doesn’t make me feel much better.

But it appears that the velocity of IIoT bug disclosures and patches is dramatically increasing. Given that, factory and other IIoT owners have to choose between two uncomfortable choices – don’t patch and risk getting hacked or patch and deal with the downtime. They are not going to like either choice, but they are going to have to choose.

My guess is that they are going to choose not to patch and we are going to see a meltdown somewhere that is going to be somewhat uncomfortable for the owner. An example of past similar events is the Russians blowing up a Ukrainian oil pipeline a few years ago. In the middle of winter. When the temperature was below zero.

Credit: Threatpost

Security News for the Week Ending May 28, 2021

The UK Might Beat Us to Regulating MSPs

In the US, anyone can become a managed service provider. Unfortunately, customers may think that comes with security, but usually it does not. The UK is about to create a legally binding cybersecurity framework for managed service providers. This may be the first step at forcing businesses to formally assess the cyber risks of their supply chain. Needless to say, MSPs are not happy about the added cost and responsibility. This comes just as the US begins to force defense contractors to do the same thing. Credit: The Register

Section 230 Preempts FCRA

The law is kind of twisted. Section 230 of the Communications Decency Act shields Interactive Computer Services like Facebook from being sued for content they did not create. In this case, a person tried to sue a company that publishes aggregated data from credit bureaus (basically a version of a credit bureau) for not following the rules of the Fair Credit Reporting Act by correcting faulty data. The company’s defense was that they didn’t create the data, so you can’t sue them. Congress (or the Supremes) need to clean up this mess – and it is and has been a mess forever, but that ruling is just not right to the consumer. They have ZERO recourse, according to this court. Credit: Professor Eric Goldman

NSA Tells Defense Contractors – Don’t Connect IoT/IIoT to the Internet

NSA released a guide to protecting operational technology systems (what we call IoT or Industrial IoT), geared to the National Security System, the Defense Department and the Defense Industrial Base. It is, of course, applicable to anyone. They start with the obvious. An unconnected OT system is more secure than one connected to the Internet. It also provides guidance for protecting OT systems that are connected to the Internet. Whether you are required to follow this or not, if you have IoT systems, this is a good read. Credit: Nextgov

Expect Higher Prices (and Longer Wait Times) for Computers

As the worldwide chip shortage continues (and is expected to continue for at least the rest of this year), PC makers plan to pass on costs to buyers. This likely will continue as buyers have not reduced demand as a result of higher prices. Companies like Dell are reporting strong financial results. Inventory is, however, way down, so expect to take any system that is available or wait for a while. Vendors will likely move available parts to higher margin products, leaving lower end products “out of stock”. Credit: ZDNet

New Bluetooth Attack Affects 28 Chips Tested

A new Bluetooth impersonation attack, called BIAS, allows a malicious actor to establish a secure connection with the victim, without having to authenticate. This attack does NOT require user interaction. The researchers tested the attack against Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung and other chips. There is not a fix yet, but fixes are expected. Credit: The Hacker News

Security News for the Week Ending February 26, 2021

DoD Working on CMMC-Fedramp ‘Reciprocity’ by Year End

CMMC, the DoD’s new cybersecurity standard, is designed to measure the security practices of companies and of the servers in their computer rooms and data centers. But what about the stuff in the cloud? That is covered by another government standard called FedRAMP. But those two standards have different rules, and contractors who need both have to figure out how to comply with two competing standards. DoD is working on this and plans to have a solution by September. One challenge is that FedRAMP allows for a ‘To-Do’ list – stuff we will fix when we get to it – and CMMC does not. Harmonizing these two standards is critical for defense contractors. Credit: Defense Systems

The Risk of NSA’s Offensive Security Strategy

The NSA has, for decades, favored offensive security (hacking others) over defensive security (protecting us). The Obama administration created a process called the Vulnerabilities Equities Process to try and rationalize keeping bugs secret to use against others vs. telling vendors so that they could fix them. Check Point Research published a report describing one failure, where the Chinese figured out the bug we were using, one way or another, and used it against us. That is the danger of offensive security. Read the details here. Credit: The Register

HINT: When Your Vendor Tells You it is Time to Upgrade – Listen

Airplane maker Bombardier is the latest entry into the club of companies who were compromised through Accellion’s decades-old FTA file transfer system. What was likely stolen was intellectual property. Accellion has been trying to get customers off this decades-old platform for 5 years. Now they say they are going to formally end-of-life the old software in April. 300 customers did not listen. At least 100 were compromised. Credit: ZDNet

Microsoft Asks Congress to Force Companies to Disclose Breaches

Microsoft’s president Brad Smith testified at a Senate Intelligence Committee hearing this week about the SolarWinds breach. Smith said that the private sector should be legally obligated to disclose any major hacks. None of the other CEOs who testified argued with Smith. The details of who, how, when, etc. are not easy to figure out, nor is the penalty for breaking the law. I suspect that the overwhelming majority of breaches are never reported to anyone because there is no incentive to do so. Credit: The Register

DHS-CISA Reveals Authentication Bypass of Rockwell Factory Controllers

Rockwell industrial automation controllers used in places like factory floors can be compromised by a remote hacker if they can install some malware on the network. The bug has a severity score of 10 out of 10. The compromise would allow hackers to upload firmware of their choosing and download data from the controller. The bug was initially disclosed to Rockwell in 2019. Credit: Security Week

The Strategy is “Wait to get Hacked and then Panic”

As millions upon millions of IoT and Industrial IoT devices get deployed every month, we seem to have forgotten what we learned the hard way about our computers: if we don’t patch them, the hackers will invade.

#1: A set of bugs called Urgent/11 affected a network module that has been around since the 90s and is in use by a couple hundred million IoT and IIoT devices. No important devices, just ones that control factories and hospitals. While the vendor released a patch for the bugs, this software is buried deep in systems where the hospitals and factories have no clue it even exists and the vendor that they bought the system from stopped patching it – if they ever did – years or decades ago. As a result, millions of devices – possibly as many as 97% of the affected devices – are still not patched and likely never will be. Credit: Threatpost

#2: Amnesia:33 is another set of bugs, again in networking software. This time the software is open source, meaning there is no single vendor to go to for patches: each device maker that embedded the code has to ship its own fix. The researchers have already identified over 150 vendors who used the software at some time. Again this affects millions and millions of devices like cameras, badge readers and factory equipment. And again, most of these devices will never be patched. Credit: ZDNet

#3 is the Ripple20 family of bugs, 19 of them, discovered earlier this year. It affects, again, a networking software module that is used in IoT and IIoT devices. Again, the vendor has released patches, but most devices will never be patched. The number of impacted devices is estimated to be “in the hundreds of millions”. Credit: ZDNet

The number of devices affected by these bugs is not much of a surprise given the estimate of 75 billion connected devices by 2025.

Given that software licenses provide a “get out of jail free” card to software companies, there is no reason to expect this is going to change any time soon.

Unless, maybe, we have an attack similar to this week’s SolarWinds announcement, which may have compromised the information of as many as 18,000 businesses and government agencies (I can just hear the class action attorneys jumping for joy).

In this case, a lot of sensitive information will be analyzed in Moscow and used against us for decades. The good news is that these organizations will close the hole. Granted it is after the horse is out of the barn and the barn burned down, but it will get closed.

But what if North Korea decides to use these IoT bugs to, say, blow up factories? After all, the Russians blew up an oil pipeline in Ukraine a few years ago because they were mad at the Ukrainian government. This is not so far fetched.

Or maybe the Chinese will decide to, say, turn off all of the ventilation in hundreds of hospitals. Or worse. Certainly possible.

That probably (hopefully? maybe?) keeps the folks that run these businesses up at night and may cause them to do something about it.

But when it comes to consumers, to be honest, all they care about is the price and whether it does what they want it to do.

Until it damages their home or apartment or car. By the way, insurance likely does not cover this sort of damage – ask your agent. So if a nation state decides to launch an attack on the consumer base and it damages your car or home or apartment, you may be facing a large bill.

There is no simple answer, but make sure that your vendor is going to patch your device FOR AS LONG AS YOU PLAN TO OWN IT (note that a one year warranty is not terribly useful for an appliance that you plan to keep for, say, ten years).

Something to consider before falling in love with that bright, shiny new IoT thingee. I just bought a new washing machine. It comes with an app for my phone. So that I can start the washer remotely. Really? Do I need that? Nope, not going to connect it.

Feds Say GE Medical Devices Vulnerable to Hackers Changing Settings

Medical devices have never been subjected to much security testing – a fact that the FDA may argue with, but which is visibly accurate.

This time it is GE’s CIC Pro, a workstation that hospital staff uses to manage multiple GE patient devices on a ward.  They can use the device to monitor patients or change patient settings.

Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published an alert for a series of 6 vulnerabilities together called MDHex.  These vulnerabilities would allow a hacker to compromise the CIC Pro and from there, the patient information.

CISA scores vulnerabilities on the CVSS scale of 0 to 10, with 10 being the scariest. FIVE OUT OF SIX of the vulnerabilities were rated 10. The other was rated 8.5 – pretty serious.

The number of devices vulnerable was not disclosed by GE but is thought to be in the hundreds of thousands.

GE plans to release patches “in the coming months”. In the meantime, hope your hospital isn’t hacked.

This is a rampant problem with Internet of Things (IoT) devices because they are cost sensitive, and with Industrial Internet of Things (IIoT) devices (like the patient monitor) because they were never designed to be on the Internet. The workstation line was launched in 2007, well before anyone worried about the Internet of Things, and apparently it runs on Windows XP, which has not been supported by Microsoft since 2014.

There are some things you can do if you have IoT or IIoT devices in your company:

  • Make sure you have a complete and current inventory of all of your IoT and IIoT devices
  • Understand what software runs in them, who is responsible for patching them, whether patches are even available.  This includes what libraries were used by the developers.  An old unsupported library is the source of one of the vulnerabilities above
  • Isolate all IoT and IIoT devices from your IT network
  • Consider whether any individual IoT or IIoT device is sensitive enough or its software is risky enough to separate it from everything else
  • Build a patching program for your IoT and IIoT devices – whether it is the responsibility of you or a vendor.  If it is a vendor, manage the vendor closely.
  • Watch for alerts for vulnerabilities published – by vendors, researchers, the government and others – for devices that are part of your network.
  • If you have a vendor supporting the devices (could be the manufacturer or someone else), review your contract to see what it says about who is responsible for security, privacy and even more importantly, who is liable in case of an attack or a breach.
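As an added example (not code from the original post, nor from GE or CISA), here is the checklist above turned into a small inventory audit in Python. Every device, vendor, product, version number, advisory ID and date in it is constructed for illustration; the audit date and the list of unsupported operating systems are assumptions.

```python
"""Added example, not code from the original post or from any vendor named
in it: a small inventory audit that applies the checklist above to a
constructed device list. Every vendor, product, version, advisory ID and
date below is made up for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed advisory feed: a device running a version older than
# fixed_in for the same vendor/product is flagged as unpatched.
ADVISORIES = [
    {"id": "ADV-0001", "vendor": "ExampleCo", "product": "PLC-100", "fixed_in": "2.4.1"},
    {"id": "ADV-0002", "vendor": "ExampleCo", "product": "CAM-7", "fixed_in": "1.10.0"},
]

# Operating systems with no more security fixes from their maker.
# Windows XP is the case the post mentions; the others are assumptions.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2003"}


@dataclass
class Device:
    name: str
    vendor: str
    product: str
    version: str
    os: str
    vlan: str                       # network segment the device sits on
    patch_owner: Optional[str]      # who patches it; None means nobody does
    support_until: Optional[date]   # end of vendor support, if known


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.0' -> (1, 10, 0). Comparing tuples avoids the string trap
    where '1.10.0' < '1.9.0' because '1' sorts before '9'."""
    return tuple(int(part) for part in v.split("."))


def audit(devices: List[Device],
          advisories=ADVISORIES,
          it_vlans: Tuple[str, ...] = ("IT",),
          today: date = date(2020, 1, 25)) -> Dict[str, List[str]]:
    """Return {device name: [issues]} for every device that fails a check.
    'today' defaults to an assumed audit date so the result is repeatable."""
    findings: Dict[str, List[str]] = {}
    for d in devices:
        issues: List[str] = []
        # Checklist: watch vendor/government alerts for devices you own.
        for a in advisories:
            if (a["vendor"], a["product"]) == (d.vendor, d.product) \
                    and parse_version(d.version) < parse_version(a["fixed_in"]):
                issues.append(f"unpatched: {a['id']} fixed in {a['fixed_in']}")
        # Checklist: isolate IoT/IIoT from the IT network.
        if d.vlan in it_vlans:
            issues.append(f"not isolated: on IT segment {d.vlan}")
        # Checklist: know what software runs inside the device.
        if d.os in UNSUPPORTED_OS:
            issues.append(f"unsupported OS: {d.os}")
        # Checklist: someone (you or a vendor) must own patching.
        if d.patch_owner is None:
            issues.append("no patch owner")
        # Checklist: the support contract must cover the device's lifetime.
        if d.support_until is not None and d.support_until < today:
            issues.append(f"vendor support ended {d.support_until.isoformat()}")
        if issues:
            findings[d.name] = issues
    return findings


# Constructed inventory for the example.
DEVICES = [
    Device("press-plc-1", "ExampleCo", "PLC-100", "2.3.9", "embedded RTOS",
           "OT-PROD", "Acme Integrators", date(2022, 1, 1)),
    Device("ward-workstation-3", "ExampleCo", "CIC-Station", "1.0.0", "Windows XP",
           "IT", None, date(2014, 4, 8)),
    Device("lobby-cam-2", "ExampleCo", "CAM-7", "1.10.2", "Linux",
           "OT-CAMERAS", "Facilities", None),
]

if __name__ == "__main__":
    for name, issues in audit(DEVICES).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Running it flags the PLC as unpatched and the Windows XP workstation on four counts, while the camera, which is on a later version than the advisory's fix and sits on its own segment, passes. Versions are compared as integer tuples on purpose; comparing them as strings would silently miss a device on 1.9.0 when the fix landed in 1.10.0.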

At least this is a start.


Source: ZDNet, Dark Reading

Security News Bites for the Week Ending February 22, 2019

Over 5 Billion Records Exposed in 2018

Risk Based Security is reporting that there were 6,515 publicly reported breaches in 2018 exposing over 5 billion records.  This is a couple hundred breaches less than 2017, but the final numbers are not in yet as breaches continue to be reported.

The average number of days between discovery and disclosure is 49, well beyond the 72 hours GDPR requires. Source: Risk Based Security.


Industrial Refrigerators Can Be Defrosted Remotely – By Hackers

As we have been saying for a while, Industrial Internet of Things (IIoT) security is horrible.  Researchers are reporting that temperature controlled systems made by Resource Data Management use a default password which can be found on their web site.  If you can find the IP address, you can log in using any browser and wreak havoc on hospitals, restaurants and supermarkets.  The researchers found hundreds of these systems using the search engine Shodan.

The manufacturer’s defense is that they clearly tell people to change the default password.  Which of course, no one does.  Source: Tech Crunch.


Wendy’s Agrees to Pay $50 Million to Settle One More Breach Lawsuit

Wendy’s has agreed to settle a lawsuit with the financial institutions who lost millions as a result of the Point of Sale system breach at hundreds of Wendy’s franchises (interestingly, none of the stores breached were owned by Wendy’s).  Wendy’s will pay $27.5 million and their insurance company will pay the rest.  This is part of the process of putting the 2016 breach behind them.  Wendy’s is famous because their CFO once said on tape that they didn’t want to spend the money to upgrade their credit card terminals to chip based readers because it was cheaper to give away a few free hamburgers.  I wonder if he still feels that way.  Source: Bizjournals.


UK Tells Trump Huawei Cyber-Risk is Manageable

President Trump is working hard to get the rest of the world to support him in banning Huawei technology from the next generation of cellular networks due to the possibility of them being compromised by the Chinese government and putting back doors in their software to be able to hack our cell networks.

Apparently, the UK security chiefs disagree with our prez and said that the potential risk from Huawei is manageable.  This doesn’t mean that they think there is no risk and they do not make the final decisions, but given the relationship with our allies is complicated at best, the final result is unknown.

I suspect that will not make the President very happy.  Source: The Guardian.


Google to Fix Incognito Mode in Chrome That Leaks Info

Advertisers and web developers really don’t like it when browser makers stop them from doing whatever they want to do.

So they try to find ways around the stops.

In this case, advertisers figured out that even though they could not make cookies persist when the user was in incognito mode, they could figure out whether the user was using incognito mode to avoid being tracked. If the user was doing that, some web sites would block them from using the site.

Now, in Chrome 74, Google will create a virtual in-memory file system that behaves just like the real file system, so that web site developers won’t be able to detect the use of incognito mode. At least not that way. Now they will have to find another trick. Source: 9to5Google.