Category Archives: IoT

Cyber Défense from narrow to broad  (5th Jan 2023)

Preface: Sustainability is a buzzword in the modern world in recent years. It applies to business, culture…even our education. A slogan, keep learning. Maybe it’s the Cantonese mantra, One is never too old to learn. Perhaps it also apply to cyber security protection.

Background: In last twenty years, computing technology driven growth of the world. The rapid growth of telecommunication especially TCP/IP communication protocol. The invention of this technology unintended interconnect different zone and culture. The TCP/IP network protocol  empower to Industrial world transformation. So we have industrial 4.0, smart city facilities and smart home. This is the theory of sustainability. But this key word just appear in last five years.

We all concerning privacy. So European countries and union driven GDPR. Whatever data run in internet including your personal data, web browser connection cookies are fall into their protection coverage. Before that, cyber security vendor especially antivirus and cyber security protection vendor have been done predictive technology. Their way is do a passive information gathering. When incident occur with unknown cyber-attack, they will do enhancement based on your former activities log.

Cyber defence from narrow to broad  : Set up monitoring and logging of systems that trip the DNS sinkhole so that they can be investigated and remediated if they are infected with malware. Until now, such services have been run by private business owners. So if you can afford to pay for the service, you can receive updates from the online world. To avoid risking your connection, such service will integrate to your defence solution can provide protection. Perhaps this is a narrow usage.

We all know that artificial intelligence improves our lives. But they rely on data. In fact, enterprise companies, especially Amazon, Google, Cisco… are already using AI technologies in their cyber defence solutions. So their umbrella technology covers a lot. Whether it is prevention, detection or correction, it is in place. However, they are all running businesses and thus have not disclosed their technology to the public.

But when will generalized artificial intelligence develop. For example, this month the cybersecurity defence vendor discovered malicious activity that can infect the operating system Linux. In fact, AI can target these activities and make predictions (see attached image).

Sustainability seems to be the definition of the big data world. The accumulation of data to the database is a long-term process. So keywords accumulate or sustainably contain similarities.

For more information about cyber-attacks against Linux environments, you can find the details at the link – https://asec.ahnlab.com/en/45182/

If your IoT development is based on Zigbee,perhaps Zephyr CVE will bring to your consideration. (6th Oct 2021)

Preface: Ensure that the JSON parser does not try to write a potentially unlimited number of elements into a C array of a fixed size.

Background: Zephyr is a small real-time operating system (RTOS) for connected, resource-constrained and embedded devices (with an emphasis on microcontrollers) supporting multiple architectures and released under the Apache License 2.0. Zephyr includes a kernel, and all components and libraries, device drivers, protocol stacks, file systems, and firmware updates, needed to develop full application software. Furthermore the footprint as small as 8K.

Vulnerability details: Till now, the CVSS score not been defined yet. According to 4 different vulnerabilities registered this month. There are two different vulnerabilities related to BLE. Besides, a vulnerability related to Zigbee. The remaining one is related to JSON decoder. The flaw of JSON decoder display as below: When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray is has the token type JSON_TOK_LIST_START, but then assigns to the object part of the union. “arr_parse” then takes the offset of the array-object (which has nothing todo with the list) treats it as relative to the parent object, and stores the length of the subarray in there. For the details of this vulnerability, please refer to link – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4

The following list shows other CVE details:

BLE:

CVE-2021-3436 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63

CVE-2021-3581 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5

Zigbee:

CVE-2021-3319 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364

32-bit design limitation (0x7ffffffff). Another episode of Y2K. (23-07-2021)

Preface: Because humans have destroyed the environment. Therefore, natural disasters resemble God’s punishment. In the digital world, the situation is the same. The reason for the penalty is the design weakness of the software.

Background: Perhaps the younger generation has not experienced “Y2K” technical problems because they are still children. The millennium bug is about 22 years until today. I think many people have forgotten. The digital world disaster is similar to the Old Testament description of the earth flood, and God instructed to build an ark to save the species.

Fundamental design weakness: On a 32-bit Linux system, the maximum value that time_t can represent is 0x7ffffffff. When time_t takes the maximum value, it means that the system time is 2038-01-19 03:14:07, but when the clock keep going, time_t will overflow and become A negative value. At this time, the system time will start over and the operating system and upper-layer software will run incorrectly.

IoT current status 2021: The trend by today – 8-bit and 16-bit MCUs had been the hardware of choice for IoT devices, but 32-bit MCUs are now becoming increasingly popular, leading to many manufacturers using two different powered processes in devices. Therefore, your RTOS should be scalable in order to manage any future MCU upgrades.

Reports indicate that there will be 35.82 billion IoT devices installed worldwide by 2021 and 75.44 billion by 2025.

Remedy: In order to remedy this technical limitation. Software developer require to use GNU C Library 2.32 and Musl libc 1.2 to build user space for 64-bit time_t.
Musl, a C standard library, is mainly used on operating systems based on the Linux kernel. The target is embedded systems and mobile devices. It is released under the MIT license. The author is Rich Felker. The purpose of developing this library is to write a clean, efficient, and standard-compliant C standard library.

Expectation: We pass a new challenge token to the younger generation, because they have grown up now. It’s your turn.

About WRECK DNS vulnerabilities – 15th Apr 2021

Background: DNS security awareness awaken by expert conduct a simple DNSsteal to do a demonstration show how to exploit unknown function feature on DNS function in few years ago.
On April 2021, cyber security product vendor with security experts announce that a unknown TCP/IP Stack weakness in IoT.
The difference in between DNS misuse function (DNSsteal) and techincal problem announced by vendor this month was that this time it is a design weakness of IoT TCP/IP stack.

Vulnerability details: So called WRECK, it affects at least four common TCP/IP stacks—FreeBSD, IPNet, NetX, and Nucleus NET—that are used in Internet of Things (IoT). The specify flaws could be abused to perform denial of service (DoS) attacks, to execute code remotely and or take victim devices offline. For details, please refer to link – https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/

My Comment: This IoT vulnerabilities crisis awaken IoT vendor to enhance their IoT access control function. Build trust connection function to external peer. So it will avoid the abnormalis traffic connect to your device and reduce the risk. Perhaps DNS protection should provides from service provider simultaneously.

Design limitation of iDS6 DSSPro Digital Signage System 6.2 – 6th Nov 2020

Preface: Digital signage’s content is powered by a media player or system-on-a-chip which pushes content to a display.
Users can then manage the content with a content management system.

Background: Design limitation of iDS6 DSSPro Digital Signage System 6.2 . The vulnerability cause by autoSave password function.
Since it is a pure unencrypted http traffic, it let internet Cookie disclosure user password. If I am using it.
How to reduce the risk?

Cause of details and remedy solution: The root causes of disclosure user password details shown on attachment.
If the remediation not yet release by vendor. Perhaps do a operation of this product web service should a conduct the following.

  1. Avoid to use WiFi do the management. It should use a workstation in a trusted network.
  2. Set firewall rule only allow managed IP address can be connect to the specific IP address. The point from C to B (refer to diagram). And do not use wireless connection.
  3. From point B to point A it should be a cable network instead of WiFi connection.

Additional: Set the cookie age to 4 minutes, and reset the cookie age every time your server sends a response,
then the cookie will time out after 4 minutes of inactivity.

Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
V5.6 B2017.07.12.1757
V4.3

US Homeland security urge public alert on “Ripple20” Vulnerabilities (16th June 2020)

Preface: Baxter US, Caterpillar, Digi International, Hewlett Packard Enterprise, Intel, Rockwell Automation, Schneider Electric and Trek are impact by this vulnerability.
There are more vendor which do not know the actual status.

Vulnerability details:
An attacker from outside the network taking control over a device within the network, if internet facing. There are more ways to exploit this vulnerability, please refer below link for reference.

Root causes: The attacker exploit of the IP protocol flexibility. That is the incoming IPv4 fragments over an IP-in-IP tunnel. As we know, IPv4 found early than Internet services. At that period of time the most serious incident is merely virus infection to local machine. Machine to Machine communication will be make use of serial cable or Novell network. In short, it is a simple architecture. But the attacker can be exploit the design weakness engaging the cyber attack to digital world.

Remedy: You can follow cert.org recommendation install IDS (refer below url link) or refer to attached diagram. A quick and dirty solution.
https://kb.cert.org/vuls/id/257161

Discarded Tesla car parts contain information. Maybe you can buy it on eBay. Who can believe in the technological world? Even if no such incident occurs, the supplier can read your local data without your consent (8th May 2020)

Preface: The traditional method of disposing of hard drives is degaussing or incineration.

Headline News: The manufacturer has a hardware disposal policy. The incidents encountered by Tesla may be due to improper handling of third parties. For more information about headline news, please refer to this link. https://www.hackread.com/user-data-found-in-tesla-car-parts-ebay/

Supplement: Should you have doubt about your data personal privacy matter in IoT device? You might have interested to read the following.

Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access. Please refer to this link to read the details – http://www.antihackingonline.com/application-development/who-can-you-trust-in-the-internet-world-security-issues-with-load-data-local-in-mysql-db/

Official announcement – Security Considerations for LOAD DATA LOCAL. Please refer to this URL: https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html

Storm of Go language based malware – 6th May 2020

Preface: New Kaiji malware targets IoT devices via SSH brute-force.

Background: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language.

Observation: Programmers usually choose Golang for building the communication layer within the IoT system. One of the biggest draws to Go is the fact that a single codebase may be compiled for all of the major operating system platforms.

What is codbase: A codebase is a source code repository or a set of repositories that share a common root. The single codebase for an application is used to produce any number of immutable releases that are destined for different environments.

Facts: So it benefits to attacker when he written a malware.

Prediction in regards to current situation: See attached diagram. My prediction is that hacker will be exploit the design weakness in Go language (Go programs primarily use the YMM registers to implement copying one memory buffer to another). So, the case is under observation.

The things you can do right now: Implement effective passwords on all IoT devices when possible.

Headline News:https://www.zdnet.com/article/new-kaiji-malware-targets-iot-devices-via-ssh-brute-force-attacks/

CVE-2019-12941 – AutoPi ( Wi-Fi/NB and 4G/LTE) devices wifi password vulnerability (Oct 2019)

Preface: Are you afraid of someone suddenly controlling your car?

Background: AutoPi is a small device that plugs into the OBD-II port of your car.

What is OBD-II port? OBD-II port of the car which gives the dongle access to the cars internal systems. AutoPi also provides a cloud service that lets you communicate with the dongle remotely over the Internet.

Vulnerability details: When user connected to the WiFi, it is also possible to SSH into the device. Both the web portal terminal and the SSH terminal grants root access, meaning that full access of the devices is given when connected through WiFi.

Since the wifi password mechanism design weakness. Attacker can use following method to receive the WPA2 authentication password. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID. So it only take few hours can be cracked. For more details, please refer to attached infographic for reference.

Should you have interested, please download the technical white paper to review. https://www.kth.se/polopoly_fs/1.931922.1571071632!/Burdzovic_Matsson_dongle_v2.pdf

New generation of weapon iot+lora+Drone (2019)

Preface: Traditionally, only big country can have military weapon. Computer technology especially IoT devices not only replace human power. As we seen, IoT 4.0 is going to replace routine man power resources. Perhaps IoT technology also infiltrate in military arsenal .

Details: On Sep, 2019. Drone attacks have set alight two major oil facilities run by the state-owned company Aramco in Saudi Arabia. Refer to diagram, Drone integrate with Lora can increasing the control effective distance. If trouble maker is going to attack improtant facilties, they have more choices today. In last decade, APT cyber attack is the major channel to detroy the critical facilities. But APT attack rare to destroy the infrastructure. If enemy insists to destory the infrastructure. The setup of IoT, Lora and Drone can do it.

Can Drones be Detected by Radar? All newer radars are equipped and have the ability to locate even the smallest drones in the air. May be in future, all the critical facilities especially oil facilitiy, Power grid require to install Radar system.

Prediction: We heard APT cyber attack against critical facilities (especially power grid and oil facilities) by far. It looks that a hybrid attack (IoT+Lora+Drone) will be use in future.