Category Archives: IoT

About CVE-2023-3220 An issue was discovered in the Linux kernel through 6.1-rc8 (20th June 2023)

June 21, 2023 admin Leave a comment

Preface: AI Engines are built from the ground up to be software programmable and hardware adaptable. There are two distinct design flows for any developer to unleash the performance of these compute engines with the ability to compile in minutes and rapidly explore different microarchitectures.
As of today, current technology are capable On-device intelligence powered by the AI Engine. Our dreams come true, the 3rd generation AI Engine enables on-device intelligence and simplifies how pictures and videos are taken.

Background: The Qualcomm Robotics RB3 development kit includes the purpose-built robotics-focused DragonBoard™ 845c development board, based on the Qualcomm® SDA845 processor and compliant with the 96Boards open hardware specification to support a broad range of mezzanine-board expansions.
The development board supports Linux and Robotics Operating System (ROS), while also including support for the Qualcomm® Neural Processing software development kit (SDK) for advanced on-device AI, the Qualcomm ® Computer Vision Suite, the Qualcomm ® Hexagon DSP SDK, and AWS RoboMaker.

Vulnerability details: An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc[.]c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.

Ref: The kzalloc() function is the same as kmalloc().
Difference: Cleared to zero after memory allocation is successful. After each use of kzalloc(), there must be a corresponding memory release function kfree().

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-3220

IoT, Potential Risk of CVE

CVE-2023-34868 – JerryScript Design weakness (15th June 2023)

June 15, 2023 admin Leave a comment

Preface: Samsung said that Open Source is not only the development method also a culture and various things. Samsung always keep in mind to give back to Open Source through their activities. They are partake in the culture of sharing and collaboration with the list of projects they have released and contributed to.

Background: The IoT.js platform uses JerryScript to run JavaScript code and libuv for asynchronous I/O, and enables developers to create IoT services that communicate with each other and the outside world.
JerryScript is a very lightweight JavaScript engine with capability to run on microcontrollers with less than 8KB of RAM.

Vulnerability details:
CVE-2023-34868 – Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the parser_parse_for_statement_start at jerry-core[/]parser[/]js[/]js-parser-statm[.]c.
My Predcit Consequence: The possibility of triggering an assertion failure, which could cause the BIND process to terminate.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-34868

In addition there is another one.
CVE-2023-34867 – Jerryscript 3.0 (commit 05dbbd1) was discovered to contain an Assertion Failure via the ecma_property_hashmap_create at jerry-core[/]ecma[/]base[/]ecma-property-hashmap[.]c.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-34867

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

About Qualcomm: The vulnerability of CVE-2022-40507 release to public on 06/06/2023 finally.

June 7, 2023 admin Leave a comment

Preface: Double free errors occur when free() is called more than once with the same memory address as an argument. Calling free() twice on the same value can lead to memory leak. When a program calls free() twice with the same argument, the program’s memory management data structures become corrupted and could allow a malicious user to write values in arbitrary memory spaces.

Background: SnapDragon has different processors runn on top of SOC (see below):
Krait CPU — General purpose processor that usually runs android applications.
Adreno GPU — This is largely used for graphics processing like rendering.
Hexagon DSP — Hexagon specially designed for multi-media acceleration, this helps CPU to offload the task to DSP and save energy and thereby offering optimum performance.

Vulnerability details: Memory corruption due to double free in Core while mapping HLOS address to the list.

The vulnerability release to public on 06/06/2023. The announcement can be read at qualcomm.com – https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin
This vulnerability has been identified as CVE-2022-40507 since 09/12/2022. The vendor did not release technical details.

How to observe memory allocation in Linux kernel?
Generate the skeleton for the task named 1-mem and browse the contents of the mem[.]c file. Observe the use of kmalloc() call for memory allocation.

Compile the source code and load the mem[.]ko module using insmod.
View the kernel messages using the dmesg command.
Unload the kernel module using the rmmod mem command.

IoT, Public safety, Ransomware, Under our observation

Cyber Défense from narrow to broad (5^th Jan 2023)

January 5, 2023 admin Leave a comment

Preface: Sustainability is a buzzword in the modern world in recent years. It applies to business, culture…even our education. A slogan, keep learning. Maybe it’s the Cantonese mantra, One is never too old to learn. Perhaps it also apply to cyber security protection.

Background: In last twenty years, computing technology driven growth of the world. The rapid growth of telecommunication especially TCP/IP communication protocol. The invention of this technology unintended interconnect different zone and culture. The TCP/IP network protocol empower to Industrial world transformation. So we have industrial 4.0, smart city facilities and smart home. This is the theory of sustainability. But this key word just appear in last five years.

We all concerning privacy. So European countries and union driven GDPR. Whatever data run in internet including your personal data, web browser connection cookies are fall into their protection coverage. Before that, cyber security vendor especially antivirus and cyber security protection vendor have been done predictive technology. Their way is do a passive information gathering. When incident occur with unknown cyber-attack, they will do enhancement based on your former activities log.

Cyber defence from narrow to broad : Set up monitoring and logging of systems that trip the DNS sinkhole so that they can be investigated and remediated if they are infected with malware. Until now, such services have been run by private business owners. So if you can afford to pay for the service, you can receive updates from the online world. To avoid risking your connection, such service will integrate to your defence solution can provide protection. Perhaps this is a narrow usage.

We all know that artificial intelligence improves our lives. But they rely on data. In fact, enterprise companies, especially Amazon, Google, Cisco… are already using AI technologies in their cyber defence solutions. So their umbrella technology covers a lot. Whether it is prevention, detection or correction, it is in place. However, they are all running businesses and thus have not disclosed their technology to the public.

But when will generalized artificial intelligence develop. For example, this month the cybersecurity defence vendor discovered malicious activity that can infect the operating system Linux. In fact, AI can target these activities and make predictions (see attached image).

Sustainability seems to be the definition of the big data world. The accumulation of data to the database is a long-term process. So keywords accumulate or sustainably contain similarities.

For more information about cyber-attacks against Linux environments, you can find the details at the link – https://asec.ahnlab.com/en/45182/

IoT, Potential Risk of CVE

If your IoT development is based on Zigbee,perhaps Zephyr CVE will bring to your consideration. (6th Oct 2021)

October 7, 2021 admin Leave a comment

Preface: Ensure that the JSON parser does not try to write a potentially unlimited number of elements into a C array of a fixed size.

Background: Zephyr is a small real-time operating system (RTOS) for connected, resource-constrained and embedded devices (with an emphasis on microcontrollers) supporting multiple architectures and released under the Apache License 2.0. Zephyr includes a kernel, and all components and libraries, device drivers, protocol stacks, file systems, and firmware updates, needed to develop full application software. Furthermore the footprint as small as 8K.

Vulnerability details: Till now, the CVSS score not been defined yet. According to 4 different vulnerabilities registered this month. There are two different vulnerabilities related to BLE. Besides, a vulnerability related to Zigbee. The remaining one is related to JSON decoder. The flaw of JSON decoder display as below: When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray is has the token type JSON_TOK_LIST_START, but then assigns to the object part of the union. “arr_parse” then takes the offset of the array-object (which has nothing todo with the list) treats it as relative to the parent object, and stores the length of the subarray in there. For the details of this vulnerability, please refer to link – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4

The following list shows other CVE details:

BLE:

CVE-2021-3436 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63

CVE-2021-3581 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5

Zigbee:

CVE-2021-3319 – https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364

Application Development, IoT, Public safety

32-bit design limitation (0x7ffffffff). Another episode of Y2K. (23-07-2021)

July 23, 2021 admin Leave a comment

Preface: Because humans have destroyed the environment. Therefore, natural disasters resemble God’s punishment. In the digital world, the situation is the same. The reason for the penalty is the design weakness of the software.

Background: Perhaps the younger generation has not experienced “Y2K” technical problems because they are still children. The millennium bug is about 22 years until today. I think many people have forgotten. The digital world disaster is similar to the Old Testament description of the earth flood, and God instructed to build an ark to save the species.

Fundamental design weakness: On a 32-bit Linux system, the maximum value that time_t can represent is 0x7ffffffff. When time_t takes the maximum value, it means that the system time is 2038-01-19 03:14:07, but when the clock keep going, time_t will overflow and become A negative value. At this time, the system time will start over and the operating system and upper-layer software will run incorrectly.

IoT current status 2021: The trend by today – 8-bit and 16-bit MCUs had been the hardware of choice for IoT devices, but 32-bit MCUs are now becoming increasingly popular, leading to many manufacturers using two different powered processes in devices. Therefore, your RTOS should be scalable in order to manage any future MCU upgrades.

Reports indicate that there will be 35.82 billion IoT devices installed worldwide by 2021 and 75.44 billion by 2025.

Remedy: In order to remedy this technical limitation. Software developer require to use GNU C Library 2.32 and Musl libc 1.2 to build user space for 64-bit time_t.
Musl, a C standard library, is mainly used on operating systems based on the Linux kernel. The target is embedded systems and mobile devices. It is released under the MIT license. The author is Rich Felker. The purpose of developing this library is to write a clean, efficient, and standard-compliant C standard library.

Expectation: We pass a new challenge token to the younger generation, because they have grown up now. It’s your turn.

IoT, Potential Risk of CVE

About WRECK DNS vulnerabilities – 15th Apr 2021

April 17, 2021 admin Leave a comment

Background: DNS security awareness awaken by expert conduct a simple DNSsteal to do a demonstration show how to exploit unknown function feature on DNS function in few years ago.
On April 2021, cyber security product vendor with security experts announce that a unknown TCP/IP Stack weakness in IoT.
The difference in between DNS misuse function (DNSsteal) and techincal problem announced by vendor this month was that this time it is a design weakness of IoT TCP/IP stack.

Vulnerability details: So called WRECK, it affects at least four common TCP/IP stacks—FreeBSD, IPNet, NetX, and Nucleus NET—that are used in Internet of Things (IoT). The specify flaws could be abused to perform denial of service (DoS) attacks, to execute code remotely and or take victim devices offline. For details, please refer to link – https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/

My Comment: This IoT vulnerabilities crisis awaken IoT vendor to enhance their IoT access control function. Build trust connection function to external peer. So it will avoid the abnormalis traffic connect to your device and reduce the risk. Perhaps DNS protection should provides from service provider simultaneously.

IoT, Under our observation

Design limitation of iDS6 DSSPro Digital Signage System 6.2 – 6th Nov 2020

November 6, 2020 admin Leave a comment

Preface: Digital signage’s content is powered by a media player or system-on-a-chip which pushes content to a display.
Users can then manage the content with a content management system.

Background: Design limitation of iDS6 DSSPro Digital Signage System 6.2 . The vulnerability cause by autoSave password function.
Since it is a pure unencrypted http traffic, it let internet Cookie disclosure user password. If I am using it.
How to reduce the risk?

Cause of details and remedy solution: The root causes of disclosure user password details shown on attachment.
If the remediation not yet release by vendor. Perhaps do a operation of this product web service should a conduct the following.

Avoid to use WiFi do the management. It should use a workstation in a trusted network.
Set firewall rule only allow managed IP address can be connect to the specific IP address. The point from C to B (refer to diagram). And do not use wireless connection.
From point B to point A it should be a cable network instead of WiFi connection.

Additional: Set the cookie age to 4 minutes, and reset the cookie age every time your server sends a response,
then the cookie will time out after 4 minutes of inactivity.

Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
V5.6 B2017.07.12.1757
V4.3

IoT, Potential Risk of CVE, Public safety

US Homeland security urge public alert on “Ripple20” Vulnerabilities (16th June 2020)

June 18, 2020 admin Leave a comment

Preface: Baxter US, Caterpillar, Digi International, Hewlett Packard Enterprise, Intel, Rockwell Automation, Schneider Electric and Trek are impact by this vulnerability.
There are more vendor which do not know the actual status.

Vulnerability details:
An attacker from outside the network taking control over a device within the network, if internet facing. There are more ways to exploit this vulnerability, please refer below link for reference.

Root causes: The attacker exploit of the IP protocol flexibility. That is the incoming IPv4 fragments over an IP-in-IP tunnel. As we know, IPv4 found early than Internet services. At that period of time the most serious incident is merely virus infection to local machine. Machine to Machine communication will be make use of serial cable or Novell network. In short, it is a simple architecture. But the attacker can be exploit the design weakness engaging the cyber attack to digital world.

Remedy: You can follow cert.org recommendation install IDS (refer below url link) or refer to attached diagram. A quick and dirty solution.
https://kb.cert.org/vuls/id/257161

Data privacy, IoT, Public safety, Under our observation

Discarded Tesla car parts contain information. Maybe you can buy it on eBay. Who can believe in the technological world? Even if no such incident occurs, the supplier can read your local data without your consent (8th May 2020)

May 8, 2020 admin Leave a comment

Preface: The traditional method of disposing of hard drives is degaussing or incineration.

Headline News: The manufacturer has a hardware disposal policy. The incidents encountered by Tesla may be due to improper handling of third parties. For more information about headline news, please refer to this link. https://www.hackread.com/user-data-found-in-tesla-car-parts-ebay/

Supplement: Should you have doubt about your data personal privacy matter in IoT device? You might have interested to read the following.

Who can you trust in the Internet world? Security Issues with LOAD DATA LOCAL in MySQL DB.

Technical overview:
Security Issues with LOAD DATA LOCAL on MySQL DB server side:
Such a server could access any file on the client host to which the client user has read access. Please refer to this link to read the details – http://www.antihackingonline.com/application-development/who-can-you-trust-in-the-internet-world-security-issues-with-load-data-local-in-mysql-db/

Official announcement – Security Considerations for LOAD DATA LOCAL. Please refer to this URL: https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html