Preface: Ensure that the JSON parser does not try to write a potentially unlimited number of elements into a C array of a fixed size.
Background: Zephyr is a small real-time operating system (RTOS) for connected, resource-constrained and embedded devices (with an emphasis on microcontrollers), supporting multiple architectures and released under the Apache License 2.0. Zephyr includes a kernel and all the components and libraries, device drivers, protocol stacks, file systems and firmware update support needed to develop full application software. Furthermore, its footprint can be as small as 8K.
Vulnerability details: So far, the CVSS score has not been defined. Four different vulnerabilities were registered this month: two related to BLE, one related to Zigbee, and the remaining one related to the JSON decoder. The flaw in the JSON decoder is as follows: when using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray has the token type JSON_TOK_LIST_START, but is then assigned to the object part of the union. “arr_parse” then takes the offset of the array-object (which has nothing to do with the list), treats it as relative to the parent object, and stores the length of the subarray there. For the details of this vulnerability, please refer to https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4
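The preface states the remedy in one sentence: the parser must never write more elements into a fixed-size C array than the array can hold. The following C program is an added example (it is not Zephyr's JSON library and does not use Zephyr's API) showing the shape of that check in a minimal integer-array parser: the capacity test happens before every store, so an over-long input is rejected instead of overflowing the caller's array. The status codes and the 4-slot helper buffer are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Status codes for the bounded parser (constructed for this example). */
enum {
    ARR_OK = 0,
    ARR_ERR_SYNTAX = -1,    /* input is not a well-formed integer array */
    ARR_ERR_TOO_MANY = -2   /* more elements than the destination array holds */
};

/* Parse a JSON array of integers such as "[1, 2, 3]" into out[0..cap-1].
 * On success *count receives the number of elements stored.
 * The capacity check runs before every store, so an over-long input is
 * rejected with ARR_ERR_TOO_MANY instead of writing past the end of out[]. */
static int parse_int_array(const char *json, int *out, size_t cap, size_t *count)
{
    const char *p = json;
    size_t n = 0;

    while (isspace((unsigned char)*p)) p++;
    if (*p++ != '[') return ARR_ERR_SYNTAX;
    while (isspace((unsigned char)*p)) p++;
    if (*p == ']') {                            /* empty array */
        *count = 0;
        return ARR_OK;
    }

    for (;;) {
        char *end;
        long v;

        while (isspace((unsigned char)*p)) p++;
        v = strtol(p, &end, 10);
        if (end == p) return ARR_ERR_SYNTAX;    /* expected a number */
        if (n >= cap) return ARR_ERR_TOO_MANY;  /* bound check BEFORE the store */
        out[n++] = (int)v;
        p = end;

        while (isspace((unsigned char)*p)) p++;
        if (*p == ',') { p++; continue; }
        if (*p == ']') break;
        return ARR_ERR_SYNTAX;                  /* unexpected character */
    }

    *count = n;
    return ARR_OK;
}

/* Demo helper: parse into a fixed 4-slot buffer (the "C array of a fixed
 * size" from the advisory) and return the parser status. */
static int parse_into_four(const char *json)
{
    int buf[4];
    size_t n = 0;
    return parse_int_array(json, buf, sizeof buf / sizeof buf[0], &n);
}

/* Demo helper: number of elements stored for a 4-slot buffer, -1 on any error. */
static long element_count_for_four(const char *json)
{
    int buf[4];
    size_t n = 0;
    if (parse_int_array(json, buf, sizeof buf / sizeof buf[0], &n) != ARR_OK) return -1;
    return (long)n;
}

int main(void)
{
    printf("[1, 2, 3]    -> status %d, %ld elements\n",
           parse_into_four("[1, 2, 3]"), element_count_for_four("[1, 2, 3]"));
    printf("[1,2,3,4,5]  -> status %d (rejected: would overflow the 4-slot array)\n",
           parse_into_four("[1,2,3,4,5]"));
    return 0;
}
```

The important line is the order of `n >= cap` and `out[n++] = ...`: the bound is checked against the destination's real capacity, which is independent of anything the untrusted input claims about its own length.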
Preface: Because humans have destroyed the environment, natural disasters resemble God’s punishment. In the digital world the situation is the same: the reason for the penalty is the design weakness of the software.
Background: Perhaps the younger generation has not experienced the “Y2K” technical problem because they were still children. The millennium bug is about 22 years ago as of today. I think many people have forgotten. The digital world disaster is similar to the Old Testament description of the flood, when God instructed that an ark be built to save the species.
Fundamental design weakness: On a 32-bit Linux system, the maximum value that time_t can represent is 0x7fffffff. When time_t takes the maximum value, the system time is 2038-01-19 03:14:07, but when the clock keeps going, time_t will overflow and become a negative value. At that point the system time will start over, and the operating system and upper-layer software will run incorrectly.
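The overflow described above can be reproduced in a few lines. The C program below is an added example (not from any referenced project): it advances a 32-bit counter past 0x7fffffff to show the wrap to a negative value, offers the pre-addition check a developer would use to detect the overflow, and converts the same instant with a 64-bit epoch value to show that the calendar date continues normally. The date/time encodings (YYYYMMDD and HHMMSS integers) are constructed for this example; the conversion assumes a platform whose time_t is 64 bits, which is the point of the remedy below.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Largest value a signed 32-bit time_t can hold (0x7fffffff). */
#define TIME32_MAX INT32_MAX

/* Advance a 32-bit time counter by one second. The addition is done in
 * uint32_t so the wrap-around is well defined in C; the result is what a
 * signed 32-bit time_t shows once it passes its maximum. */
static int32_t tick_time32(int32_t t)
{
    return (int32_t)((uint32_t)t + 1u);
}

/* Return 1 if t + secs would exceed what a 32-bit time_t can hold.
 * This is the check to run before arithmetic on a 32-bit time value. */
static int time32_would_overflow(int32_t t, int32_t secs)
{
    return secs > 0 && t > TIME32_MAX - secs;
}

/* UTC calendar date of a 64-bit epoch value, encoded as YYYYMMDD.
 * Assumes a 64-bit time_t (on a 32-bit time_t the cast itself would wrap).
 * Returns 0 if the conversion fails. */
static int utc_date_code(int64_t epoch)
{
    time_t t = (time_t)epoch;
    struct tm *tm = gmtime(&t);
    if (tm == NULL) return 0;
    return (tm->tm_year + 1900) * 10000 + (tm->tm_mon + 1) * 100 + tm->tm_mday;
}

/* UTC time of day of a 64-bit epoch value, encoded as HHMMSS; -1 on failure. */
static int utc_time_code(int64_t epoch)
{
    time_t t = (time_t)epoch;
    struct tm *tm = gmtime(&t);
    if (tm == NULL) return -1;
    return tm->tm_hour * 10000 + tm->tm_min * 100 + tm->tm_sec;
}

int main(void)
{
    int32_t t = TIME32_MAX;
    int64_t next = (int64_t)TIME32_MAX + 1;

    printf("32-bit maximum %ld is %08d %06d UTC\n",
           (long)t, utc_date_code(t), utc_time_code(t));
    printf("would adding one second overflow? %d\n", time32_would_overflow(t, 1));
    printf("one second later the 32-bit counter reads %ld\n", (long)tick_time32(t));
    printf("with a 64-bit time_t the same instant is %08d %06d UTC\n",
           utc_date_code(next), utc_time_code(next));
    return 0;
}
```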
IoT current status 2021: The trend today: 8-bit and 16-bit MCUs had been the hardware of choice for IoT devices, but 32-bit MCUs are now becoming increasingly popular, leading many manufacturers to use two differently powered processors in their devices. Therefore, your RTOS should be scalable in order to manage any future MCU upgrades.
Reports indicate that there will be 35.82 billion IoT devices installed worldwide by 2021 and 75.44 billion by 2025.
Remedy: In order to remedy this technical limitation, software developers need to use GNU C Library 2.32 and Musl libc 1.2 to build user space with a 64-bit time_t. Musl, a C standard library, is mainly used on operating systems based on the Linux kernel; its targets are embedded systems and mobile devices. It is released under the MIT license, and its author is Rich Felker. The purpose of developing this library is to provide a clean, efficient and standards-compliant C standard library.
Expectation: We pass a new challenge token to the younger generation, because they have grown up now. It’s your turn.
Background: DNS security awareness was awakened a few years ago when an expert conducted a simple DNSsteal demonstration showing how to exploit a little-known feature of the DNS function. In April 2021, a cyber security product vendor, together with security experts, announced a previously unknown TCP/IP stack weakness in IoT. The difference between the DNS misuse (DNSsteal) and the technical problem announced by the vendor this month is that this time it is a design weakness of the IoT TCP/IP stack.
My Comment: This IoT vulnerabilities crisis has awakened IoT vendors to enhance their IoT access control functions and to build trusted connection functions to external peers, so that abnormal traffic connecting to your device is avoided and the risk is reduced. Perhaps DNS protection should also be provided by the service provider at the same time.
Preface: Digital signage content is powered by a media player or system-on-a-chip that pushes content to a display. Users can then manage the content with a content management system.
Background: Design limitation of iDS6 DSSPro Digital Signage System 6.2. The vulnerability is caused by the auto-save password function. Since the traffic is pure unencrypted HTTP, the browser cookie discloses the user password on the Internet. If I am using it, how do I reduce the risk?
Cause details and remedy: The root causes of the user password disclosure are shown in the attachment. If remediation has not yet been released by the vendor, operators of this product’s web service should perhaps do the following.
Avoid using WiFi for management; use a workstation in a trusted network instead.
Set a firewall rule so that only a managed IP address can connect to the specific IP address, i.e. the path from point C to point B (refer to the diagram), and do not use a wireless connection.
From point B to point A, use a cable network instead of a WiFi connection.
Additional: Set the cookie age to 4 minutes, and reset the cookie age every time your server sends a response; the cookie will then time out after 4 minutes of inactivity.
Preface: Baxter US, Caterpillar, Digi International, Hewlett Packard Enterprise, Intel, Rockwell Automation, Schneider Electric and Treck are impacted by this vulnerability. There are more vendors whose actual status is not known.
Vulnerability details: An attacker from outside the network can take control of a device within the network if it is Internet facing. There are more ways to exploit this vulnerability; please refer to the link below for reference.
Root cause: The attacker exploits the flexibility of the IP protocol, namely incoming IPv4 fragments over an IP-in-IP tunnel. As we know, IPv4 was created earlier than today’s Internet services. At that time the most serious incident was merely a virus infection of a local machine, and machine-to-machine communication used serial cables or Novell networks. In short, it was a simple architecture. But attackers can exploit this design weakness to engage in cyber attacks on the digital world.
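The root cause above is the combination of two things an embedded stack accepts by default: IP-in-IP encapsulation (protocol number 4) and IPv4 fragmentation of the outer packet. A defender who cannot patch the stack can at least refuse that combination at the edge. The C program below is an added example (not the code of any vendor or stack named here): it parses the outer IPv4 header with length checks, treats any packet whose "more fragments" bit or fragment offset is non-zero as a fragment, and drops IP-in-IP that is fragmented or does not come from the one configured tunnel peer. The peer address 10.0.0.1 and the outsider address 198.51.100.7 are constructed values, and the sample headers are built in code so the example runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_PROTO_IPIP   4        /* IP-in-IP encapsulation (RFC 2003) */
#define IPV4_FLAG_MF      0x2000   /* "more fragments" bit of the flags/offset field */
#define IPV4_FRAG_OFFSET  0x1fff   /* fragment offset mask */

#define TUNNEL_PEER  0x0A000001u   /* 10.0.0.1, constructed for this example */
#define OUTSIDER     0xC6336407u   /* 198.51.100.7, constructed for this example */

enum pkt_verdict {
    PKT_ACCEPT = 0,
    PKT_DROP_MALFORMED,        /* bad version or length fields that exceed the bytes received */
    PKT_DROP_IPIP_FRAGMENT,    /* fragmented outer packet carrying IP-in-IP */
    PKT_DROP_IPIP_UNTRUSTED    /* IP-in-IP from a source other than the tunnel peer */
};

/* The few outer-header fields this filter needs. */
struct ipv4_view {
    uint16_t ihl_bytes;
    uint16_t total_len;
    uint16_t flags_frag;
    uint8_t  proto;
    uint32_t src;
};

/* Parse the outer IPv4 header, refusing anything whose length fields do not
 * agree with the bytes actually received. Returns 1 on success, 0 otherwise. */
static int parse_ipv4_header(const uint8_t *pkt, size_t len, struct ipv4_view *v)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    v->ihl_bytes = (uint16_t)((pkt[0] & 0x0f) * 4);
    if (v->ihl_bytes < 20 || v->ihl_bytes > len) return 0;
    v->total_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (v->total_len < v->ihl_bytes || v->total_len > len) return 0;
    v->flags_frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    v->proto = pkt[9];
    v->src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
             ((uint32_t)pkt[14] << 8) | pkt[15];
    return 1;
}

/* A packet is a fragment if MF is set (not the last piece) or the offset is
 * non-zero (not the first piece). The DF bit alone does not make a fragment. */
static int ipv4_is_fragment(uint16_t flags_frag)
{
    return (flags_frag & IPV4_FLAG_MF) != 0 || (flags_frag & IPV4_FRAG_OFFSET) != 0;
}

/* Policy: IP-in-IP is accepted only unfragmented and only from the configured
 * tunnel peer. Packets of any other protocol pass through to the normal stack. */
static enum pkt_verdict filter_packet(const uint8_t *pkt, size_t len, uint32_t tunnel_peer)
{
    struct ipv4_view v;
    if (!parse_ipv4_header(pkt, len, &v)) return PKT_DROP_MALFORMED;
    if (v.proto != IPV4_PROTO_IPIP) return PKT_ACCEPT;
    if (ipv4_is_fragment(v.flags_frag)) return PKT_DROP_IPIP_FRAGMENT;
    if (v.src != tunnel_peer) return PKT_DROP_IPIP_UNTRUSTED;
    return PKT_ACCEPT;
}

/* Build a minimal 20-byte IPv4 header (no options, no payload). Constructed
 * test input only; the checksum is left zero because the filter ignores it. */
static void build_ipv4_header(uint8_t *buf, uint8_t proto, uint16_t flags_frag, uint32_t src)
{
    for (int i = 0; i < 20; i++) buf[i] = 0;
    buf[0] = 0x45;                                   /* version 4, IHL = 5 words */
    buf[3] = 20;                                     /* total length = 20 */
    buf[6] = (uint8_t)(flags_frag >> 8); buf[7] = (uint8_t)flags_frag;
    buf[8] = 64;                                     /* TTL */
    buf[9] = proto;
    buf[12] = (uint8_t)(src >> 24); buf[13] = (uint8_t)(src >> 16);
    buf[14] = (uint8_t)(src >> 8);  buf[15] = (uint8_t)src;
}

/* Build a header with the given fields and run it through the filter. */
static enum pkt_verdict verdict_for(uint8_t proto, uint16_t flags_frag, uint32_t src, uint32_t tunnel_peer)
{
    uint8_t pkt[20];
    build_ipv4_header(pkt, proto, flags_frag, src);
    return filter_packet(pkt, sizeof pkt, tunnel_peer);
}

int main(void)
{
    printf("UDP, not fragmented, from outsider      -> %d\n", verdict_for(17, 0, OUTSIDER, TUNNEL_PEER));
    printf("IP-in-IP, MF set, from tunnel peer      -> %d\n", verdict_for(4, IPV4_FLAG_MF, TUNNEL_PEER, TUNNEL_PEER));
    printf("IP-in-IP, not fragmented, from outsider -> %d\n", verdict_for(4, 0, OUTSIDER, TUNNEL_PEER));
    printf("IP-in-IP, not fragmented, from peer     -> %d\n", verdict_for(4, 0, TUNNEL_PEER, TUNNEL_PEER));
    return 0;
}
```

Note that source-address matching on its own is not authentication (the outer source is spoofable), which is why the filter also refuses fragments outright rather than trusting the peer to send well-formed ones; for a real deployment the peer check is a first line of defence in front of the vendor patch, not a replacement for it.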
Preface: New Kaiji malware targets IoT devices via SSH brute-force.
Background: Gobot is a framework for robotics, drones, and the Internet of Things (IoT), written in the Go programming language.
Observation: Programmers usually choose Golang for building the communication layer within an IoT system. One of the biggest draws of Go is that a single codebase can be compiled for all of the major operating system platforms.
What is a codebase: A codebase is a source code repository, or a set of repositories that share a common root. The single codebase for an application is used to produce any number of immutable releases destined for different environments.
Facts: So it benefits an attacker who is writing malware.
Prediction in regards to the current situation: See the attached diagram. My prediction is that hackers will exploit the design weakness in the Go language (Go programs primarily use the YMM registers to implement copying one memory buffer to another). So the case is under observation.
The things you can do right now: Implement effective passwords on all IoT devices where possible.
Preface: Are you afraid of someone suddenly controlling your car?
Background: AutoPi is a small device that plugs into the OBD-II port of your car.
What is the OBD-II port? The OBD-II port of the car gives the dongle access to the car’s internal systems. AutoPi also provides a cloud service that lets you communicate with the dongle remotely over the Internet.
Vulnerability details: When a user is connected to the WiFi, it is also possible to SSH into the device. Both the web portal terminal and the SSH terminal grant root access, meaning that full access to the device is given when connected through WiFi.
Because of a design weakness in the WiFi password mechanism, an attacker can obtain the WPA2 authentication password as follows: the default WiFi password and WiFi SSID are derived from the same hash function output (the input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID. It therefore takes only a few hours to crack. For more details, please refer to the attached infographic.
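The weakness above is that the default password is a deterministic function of something the device broadcasts (the SSID) with only 8 characters of input. The fix on the device side is to derive the default password from independent randomness of adequate length, not from the SSID. The C program below is an added example of that (it is not AutoPi's code): it draws bytes from the kernel CSPRNG and maps them onto a 62-symbol alphabet with rejection sampling so that no symbol is favoured. The mapping is separated from the randomness source so it can be checked against a constructed byte string; the alphabet and the 20-symbol length are choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 62-symbol alphabet. 256 is not a multiple of 62, so a plain "byte % 62"
 * would favour the first 8 symbols; bytes >= 248 (= 4 * 62) are rejected
 * and the next byte is used instead. */
static const char PW_ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
#define PW_ALPHABET_LEN 62
#define PW_REJECT_FROM  (256 - 256 % PW_ALPHABET_LEN)   /* 248 */

/* Map one random byte to a symbol. Returns 0 (and writes nothing) when the
 * byte falls in the rejected range, 1 when *out was written. */
static int byte_to_symbol(uint8_t b, char *out)
{
    if (b >= PW_REJECT_FROM) return 0;
    *out = PW_ALPHABET[b % PW_ALPHABET_LEN];
    return 1;
}

/* Produce len symbols (plus a NUL, so out needs len + 1 bytes) from a
 * caller-supplied byte string. Returns the number of bytes consumed, or 0
 * if rnd ran out before len symbols were produced. Deterministic, so it is
 * what the test below exercises with constructed input. */
static size_t map_random_to_password(char *out, size_t len, const uint8_t *rnd, size_t rnd_len)
{
    size_t produced = 0, used = 0;
    while (produced < len) {
        if (used >= rnd_len) return 0;
        if (byte_to_symbol(rnd[used++], &out[produced])) produced++;
    }
    out[produced] = '\0';
    return used;
}

/* Generate a len-symbol default password from /dev/urandom. The result
 * depends on nothing the device broadcasts, so the SSID reveals nothing
 * about it. Returns 1 on success, 0 on failure (out is then unspecified). */
static int generate_wifi_password(char *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t produced = 0;
    if (f == NULL) return 0;
    while (produced < len) {
        uint8_t b;
        if (fread(&b, 1, 1, f) != 1) { fclose(f); return 0; }
        if (byte_to_symbol(b, &out[produced])) produced++;
    }
    fclose(f);
    out[produced] = '\0';
    return 1;
}

/* Sanity check a password: exactly len symbols, all from the alphabet. */
static int password_is_well_formed(const char *pw, size_t len)
{
    return strlen(pw) == len && strspn(pw, PW_ALPHABET) == len;
}

int main(void)
{
    char pw[21];
    if (!generate_wifi_password(pw, 20)) {
        fprintf(stderr, "no randomness source available\n");
        return 1;
    }
    printf("generated default password: %s (well formed: %d)\n",
           pw, password_is_well_formed(pw, 20));
    return 0;
}
```

Twenty symbols from a 62-symbol alphabet give a search space far beyond what "a few hours" of cracking covers, and, more importantly, nothing printed on the device or sent over the air lets an observer recompute the value.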
Preface: Traditionally, only big countries could have military weapons. Computer technology, especially IoT devices, does not only replace human power. As we have seen, IoT 4.0 is going to replace routine manpower resources. Perhaps IoT technology will also infiltrate the military arsenal.
Details: In September 2019, drone attacks set alight two major oil facilities run by the state-owned company Aramco in Saudi Arabia. Referring to the diagram, a drone integrated with LoRa can increase the effective control distance. If troublemakers are going to attack important facilities, they have more choices today. In the last decade, APT cyber attacks were the major channel for attacking critical facilities, but APT attacks rarely destroy the infrastructure. If an enemy insists on destroying the infrastructure, the setup of IoT, LoRa and drone can do it.
Can drones be detected by radar? All newer radars are equipped with the ability to locate even the smallest drones in the air. Maybe in future, all critical facilities, especially oil facilities and power grids, will need to install a radar system.
Prediction: We have heard of APT cyber attacks against critical facilities (especially power grids and oil facilities) so far. It looks like a hybrid attack (IoT+LoRa+Drone) will be used in future.
Background: Apache Spark is tailor-made for the big data industry. Spark’s advanced acyclic processing engine can operate in stand-alone mode or as a cloud service.
Synopsis: Spark supports encrypting temporary data written to local disks. This covers shuffle files, shuffle spills and data blocks stored on disk (for both caching and broadcast variables). It does not cover encrypting output data generated by applications with APIs such as saveAsHadoopFile or saveAsTable. It also may not cover temporary files created explicitly by the user.
Vulnerability details: The vulnerability is due to a cryptographic issue in the affected software that allows user data to be written to the local disk unencrypted in certain situations, even if the spark.io.encryption.enabled property is set to true.
Security focus: This vulnerability is not categorized as critical, but the level of risk depends on the system architecture and the classification level of the data. For instance, if it is a machine learning function installed on top of a public cloud computing farm, strict access restriction controls for the Spark infrastructure area must be applied.