Category Archives: IoT

Security Focus – CVE-2018-13888

Preface: This design flaw caught my attention. Perhaps the supplier has no formal remediation solution yet, but the impact of this vulnerability seems to be broad!

Vulnerability detail: There is potential for memory corruption in the RIL daemon for the following reason:
the memory location being dereferenced lies outside the allocated array length in RIL.

Meaning of “dereference” (general definition):
The dereference operator or indirection operator, sometimes denoted by “*” (i.e. an asterisk), is a unary operator (i.e. one with a single operand) found in C-like languages that include pointer variables.

Affected products: Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in versions MDM9206, MDM9607, MDM9635M, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 636, SD 650/52, SD 675, SD 712 / SD 710 / SD 670, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDM439, SDM630, SDM660, ZZ_QCS605.

Official announcement: not found in the bulletins yet.

Marvell Avastar wireless SoCs have multiple vulnerabilities – 5th Feb 2019

Preface: The Marvell 88W8897A SoC (System on a Chip) is the industry’s first 802.11ac chip to combine Bluetooth 4.2, mobile MIMO (Multi-input Multi-output) and transmit beamforming, with built-in support for all screen projection technologies.

Technology background:
Memory usage is a primary focus of computer design, and SoC (System on a Chip) design is no exception.

Vulnerability found: During Wi-Fi network scans, an overflow condition can be triggered, overwriting certain block pool data structures.

Exploitation of vulnerability: An attacker can exploit the ThreadX block pool overflow vulnerability to intercept network traffic or achieve code execution on the host system.
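Both bug classes on this page (the RIL dereference outside the allocated array length, and a copy that overflows a block and overwrites the block pool's own data structures) come down to a missing length or index check before memory is touched. The constructed block pool below is an added illustration, not code from ThreadX, Marvell or Qualcomm; its block layout, names and sizes are assumptions, and the integrity check is the kind of sanity test a defender can run on such a pool.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model of a fixed-size block pool (not ThreadX's real layout).
 * Each block starts with a header the allocator relies on; the payload follows.
 * An unchecked copy running past BLOCK_PAYLOAD would spill into the next
 * block's header and corrupt the free list, which is the overflow pattern
 * described above. */
#define BLOCK_COUNT   4
#define BLOCK_PAYLOAD 32

struct block {
    struct block *next_free;             /* allocator metadata */
    uint8_t       payload[BLOCK_PAYLOAD];
};

struct block_pool {
    struct block  blocks[BLOCK_COUNT];
    struct block *free_list;
};

void pool_init(struct block_pool *p) {
    for (size_t i = 0; i < BLOCK_COUNT; i++)
        p->blocks[i].next_free = (i + 1 < BLOCK_COUNT) ? &p->blocks[i + 1] : NULL;
    p->free_list = &p->blocks[0];
}

/* Index-validated access: refuses an index outside the allocated array instead
 * of dereferencing past its end (the bug class behind CVE-2018-13888). */
struct block *pool_block_at(struct block_pool *p, size_t index) {
    if (index >= BLOCK_COUNT)
        return NULL;
    return &p->blocks[index];
}

/* Length-validated copy of a scan record (for example an SSID) into a block.
 * Copies nothing and returns false when len would overrun the payload and
 * overwrite the following block's header. */
bool block_store(struct block *b, const uint8_t *src, size_t len) {
    if (b == NULL || src == NULL || len > BLOCK_PAYLOAD)
        return false;
    memcpy(b->payload, src, len);
    return true;
}

/* Integrity check: every free-list link must point inside the pool's own
 * array and the walk must terminate; otherwise a header was overwritten. */
bool pool_free_list_intact(const struct block_pool *p) {
    size_t hops = 0;
    for (const struct block *b = p->free_list; b != NULL; b = b->next_free) {
        if (b < &p->blocks[0] || b >= &p->blocks[BLOCK_COUNT] || ++hops > BLOCK_COUNT)
            return false;
    }
    return true;
}
```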

Remedy: Marvell encourages customers to contact their Marvell representative for additional support.

Remark: This vulnerability made headline news in mid-January 2019. However, we could not find any formal response announced by the vendor.

Vulnerabilities in the Internet of Things 4.0 have attracted the interest of APT groups in hostile countries.

Preface: Maybe this is a trend! As we move toward the next-generation world (IoT 4.0), the APT groups are at the same time sniffing out the cybersecurity loopholes in it!

Technical background: In the business world we understand the function of a broker. The computing world has a similar role: the gateway and the middleware are the equivalent of the broker. Modern computing involves multiple vendors and multiple environments, so we cannot do without a broker. As a result, this area becomes critical.

Security focus – Schneider Electric IIoT Monitor 3.1.38 vulnerabilities (see below).
Remark: The key component of IIoT Monitor 3.1.38 is the Magelis iPC (IIoT Monitor 3.1.38 for Magelis iPC on Windows 10).

Comment: Perhaps these vulnerabilities were announced to the public in Dec 2018, but I believe more hidden vulnerabilities will be dug out in future. Stay tuned! Happy Lunar New Year.

Security Notification – Schneider EVLink Parking (Dec 2018)

Preface: Electric vehicles (EVs) have no tailpipe emissions. Replacing conventional vehicles with EVs can help improve roadside air quality and reduce greenhouse gas emissions.

Technical background: Level 2 electric car chargers deliver 10 to 60 miles of range per hour of charging. They can fully charge an electric car battery in as little as two hours, making them an ideal option for both homeowners who need fast charging and businesses who want to offer charging stations to customers.

Subject matter:
EVlink Parking is a charging station for shared or on-street use, developed by Schneider Electric.

Vulnerabilities found:
Schneider Electric has become aware of multiple vulnerabilities in the EVLink Parking product (see below):

  • A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges.
  • A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier.
  • A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier.

Official announcement at the URL below:

Cisco Security Advisory – Texas Instruments Bluetooth Low Energy Denial of Service and Remote Code Execution Vulnerability – Last Updated: 13th Dec 2018.

Preface: IoT devices are a key component of the smart city. The communication protocols of the IoT devices are Lora, SigFox and NarrowBand (NB).

Background: Realistically, a smart city cannot do without Wi-Fi as a supporting technology, so Wi-Fi is also one of the key components of this family (the smart city).

Cisco has followed up on the TI BLE chip vulnerability (CVE-2018-16986) and suggests verifying with the following command on the wireless AP device. If the device reports that the BLE function is not supported, the device is confirmed not vulnerable.

ap# show controllers bleRadio 0 interface
BLE not supported on this platform

If BLE is supported, please review the URL below:

Amazon Web Services (AWS) FreeRTOS security advisory – Dec 2018

Preface: A Real-Time Operating System is a Necessity for IoT.

FreeRTOS is a real-time operating system kernel for embedded devices that has been ported to 35 microcontroller platforms. It is distributed under the MIT License.

Amazon Web Services (AWS) FreeRTOS vulnerabilities checklist:

CVE-2018-16522 Remote code execution

CVE-2018-16525 Remote code execution

CVE-2018-16526 Remote code execution

CVE-2018-16528 Remote code execution

CVE-2018-16523 Denial of service

CVE-2018-16524 Information leak

CVE-2018-16527 Information leak

CVE-2018-16599 Information leak

CVE-2018-16600 Information leak

CVE-2018-16601 Information leak

CVE-2018-16602 Information leak

CVE-2018-16603 Information leak

CVE-2018-16598 Other

Relevant Operating Systems: FreeRTOS up to V10.0.1 (with FreeRTOS+TCP), AWS FreeRTOS up to V1.3.1, WHIS OpenRTOS and SafeRTOS

Comment: Stay alert!

Who hinders smart city development?


Human desire is infinite. It creates motivation and innovation. However, it also embeds greed and selfishness.

Smart city major domains

From a high-level point of view, the major smart city domains are easy to identify. They are Analytics, Transportation, Health & Environment.

You might ask: where is cyber security? I regard cyber security as a hidden parameter. It pops up when you conduct a gap analysis (see the diagram below for reference).

Who causes security gap?

When functional requirements hit a design limitation, you can set out a strategic solution to remedy it, along with a time frame for meeting those objectives.

However, the unknown parameters affect business decisions because of expectations and budget concerns. As a result, the technology and cyber security gap is carried forward with the development cycle.

A study from Hewlett Packard in 2016 concluded that 70 percent of IoT devices contain serious vulnerabilities.

The IoT devices and smart city relationship

IoT involves adding internet connectivity to a system of interrelated computing devices, mechanical and digital machines, objects, animals and/or people. The Internet of Things (IoT) forms a bridge between human and machine. Today the term “ecosystem” explicitly describes the above mechanism. The key technology behind the success of smart city initiatives is the IoT device. IoT devices are thus like organs inside the human body, and the communication between IoT devices and the IoT ecosystem is like the human blood vessels. So if the smart city infrastructure has human-like characteristics, it is hard for it to avoid sickness and illness.

IoT security

When an electronic device is capable of external communication, a specific TCP or UDP port operates in the listening state. Traditional best practice is to deploy a firewall and antivirus software. But the OS footprint of an IoT device is small. Take a webcam: even if the manufacturer wants to install a defense mechanism, the design limitations restrict it or leave no room for it, so the requirement cannot be fulfilled. That is why IoT devices are a top attack target for cyber criminals. As we know, a so-called botnet army is controlled remotely by the attacker’s command and control server.

From my observation so far, security researchers have been raising IoT security awareness since 2010 (see the diagram below for reference).

Perhaps product development and business trends move fast. The smart city and artificial intelligence boost the growth. Today, IoT device deployments cover the whole world. Moreover, IoT device owners learn from practice, which reduces the cyber attack hit rate, for instance by doing patch management. But because of the on-demand business model (multiple vendors, no common standard), it is difficult to sharpen preventive and detective controls in the IoT world.

IoT has now transformed into its 4th generation (IIoT). The Industrial Internet of Things (IIoT) or Industry 4.0 refers to interconnected sensors, instruments, and other devices networked together with computers’ industrial applications. IIoT manufacturers, especially of SCADA systems, are keen to partner with well-known antivirus vendors; Siemens, for instance, gave high priority to installing Trend Micro antivirus products. However, the fundamental design of SCADA systems did not focus on cyber security. In light of that, as of Aug 2018 the Internet Society’s Internet Engineering Task Force is working on IoT standards in areas including authentication and authorization, cryptography for IoT use cases and device life cycle management. Do you think the plethora of IoT security standards could make it difficult for a global IoT standard to emerge?

Internet of Things Embedded Operating Systems Are Bad News for Safety

IoT devices tend to use a type called RTOS, which officially is short for Real-Time Operating System. Unofficially it stands for Not-a-Full-Featured Operating System.

The diagram below gives you an idea for reference. Smart TVs, the new generation of washing machines, smart doorbells, artificial intelligence lawn sprinkler systems, CCTV cameras, smart meters, motion, humidity and temperature sensors and webcams all have an embedded OS installed. These IoT devices are capable of Wi-Fi or TCP/IP connectivity. Integrating the TCP protocol into electronic devices was the best of times. But it was the worst of times, since they will encounter vulnerabilities and zero-day attacks. But it was the age of wisdom!

FreeRTOS – a real-time operating system microkernel that has been developed with chip companies for over 15 years. Today the IoT industry, especially webcams and smart home devices, deploys this operating system. But FreeRTOS has serious security flaws. The most recent known vulnerabilities are shown below:

Remote code execution vulnerabilities: CVE-2018-16522, CVE-2018-16525, CVE-2018-16526, CVE-2018-16528.

Denial of service: CVE-2018-16523

Design flaws allowing information disclosure: CVE-2018-16524, CVE-2018-16527, CVE-2018-16599, CVE-2018-16600, CVE-2018-16601, CVE-2018-16602, and CVE-2018-16603

Smart city open data platform

Basically, open data is just that: open. The baseline definition is that anyone can access, share and use it free of charge to better connect and interact with their cities. Applications include real-time bus timetables, weather reports and public safety information sharing initiatives. But the open data platform is not limited to the above data criteria, so it raises personal data privacy concerns for people, including myself.

It was the worst of times, since it makes people worry about personal data privacy. But it was the age of wisdom!

In New York City, open data is law rather than just policy. To drive smart city development, the domain knowledge experts have the following recommendations.


Who hinders smart city development? We can say it is technology limitations and personal data privacy concerns. It may have been the worst of times on these matters, but it was the age of wisdom!




Will the CUJO IoT firewall be affected by the U-Boot vulnerabilities? Nov 2018

CUJO is the most adorable home firewall on the market. When a threat is detected, the CUJO smart firewall tells the cloud what it has blocked, so you receive a notification on your mobile app to confirm it.

Technical background:
The CUJO product works with U-Boot.
U-Boot is the bootloader: it provides the basic infrastructure to bring up a board to the point where it can load a Linux kernel and start booting the operating system.

Vulnerabilities found on U-Boot (CVE-2018-18439, CVE-2018-18440)
CVE-2018-18439: U-Boot filesystem image load buffer overflow
CVE-2018-18440: U-Boot insufficient boundary checks in filesystem image load

Observation: No technical information has been provided by the vendor (CUJO AI) at the moment. We will keep an eye on whether a remedy is issued by the vendor soon.


What is a smart city from a security point of view?



The objective of the smart city is to incorporate information and communication technologies (ICT) to enhance the quality of life. The smart city derives cost-effective solutions. As a result, it benefits urban services such as energy, transportation and utilities in order to reduce resource consumption, wastage and overall costs.

2 Common Focuses (Shared Data and Open Data)

People are concerned about personal privacy, and therefore the words “data sharing” scare them. As a matter of fact, the data breach incidents that have happened so far make people focus their defensive thinking on how to protect their personal data, so any sharing concept triggers that defensive reaction. This is the bottleneck slowing down smart city development.

About public data – Public data is information that can be freely used, reused and redistributed by anyone with no existing local, national or international legal restrictions on access or usage.

Understanding of data classification

Classifying data is the process of categorizing data assets based on nominal values according to their sensitivity.

The data classification scheme definition table is shown below:

If we all agree on the above data classification label definitions, and have no concerns (hiccups) about the terms of use that are set up, do we have any other concern about the smart city?

Hidden item – Technology risk management – Does the regular software patch cycle (zero day) apply to the smart city?

From a technical point of view, government facilities must follow best practice to fulfil patch management. However, hardware manufacturers do not guarantee that they can remedy a vulnerability quickly. In some circumstances the smart city covers not only fundamental infrastructure operation; it involves AI integration, that is, business facilities in joint venture with government facilities. So how do we maintain a secure environment? It is one of the key elements of the smart city.


The Internet of Things is growing rapidly, and the common standard for smart devices is to design them as Embedded Systems (ESs). Real-Time Operating Systems (RTOS) are used in ES development because an RTOS adds important features: it simplifies development and makes systems more reliable. A real-time operating system (RTOS) is an operating system (OS) intended to serve real-time applications that process data as it comes in, typically without buffer delays. Most RTOS applications fall into two broad classifications: event response and closed-loop control.

Reference: A closed-loop system is one where the output is fed back into the system as an input in some way. For instance, a thermostat.

Continuous closed-loop control

WHILE (Y <> specified_condition) 

Event response applications, such as automated visual inspection of assembly line parts, require a response to a stimulus in a certain amount of time. In this visual inspection system, for example, each part must be photographed and analyzed before the assembly line moves.

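The thermostat mentioned above, worked through as a closed loop of the form WHILE (Y <> specified_condition). This is an added illustration, not code from any RTOS or from the original article; the setpoint, dead band, plant model and the deadline value are constructed assumptions. The deadline is the real-time part: a loop that can wait forever on its sensor is itself a failure, so the loop reports a miss instead.

```c
#include <stdbool.h>

/* Constructed thermostat model (assumed values, not a real product). */
struct thermostat {
    double setpoint;      /* target temperature, degrees */
    double hysteresis;    /* dead band around the setpoint, avoids heater chatter */
    bool   heater_on;     /* actuator state: the loop's output */
};

/* One control iteration: the measured value Y is compared with the specified
 * condition and the actuator is switched accordingly. */
void thermostat_step(struct thermostat *t, double y) {
    if (y < t->setpoint - t->hysteresis)
        t->heater_on = true;
    else if (y > t->setpoint + t->hysteresis)
        t->heater_on = false;
    /* inside the dead band: keep the current actuator state */
}

/* Simple plant model: the room warms by a fixed step while the heater is on
 * and otherwise cools toward the ambient temperature. The output (heater
 * state) is fed back into the system as the next input, which is what makes
 * the loop closed. */
double room_update(double y, bool heater_on, double ambient) {
    return heater_on ? y + 0.5 : y - 0.1 * (y - ambient);
}

static bool at_setpoint(const struct thermostat *t, double y) {
    return y >= t->setpoint - t->hysteresis && y <= t->setpoint + t->hysteresis;
}

/* Runs the closed loop with a hard deadline of max_ticks iterations.
 * Returns the number of ticks needed to bring Y into the dead band, or -1
 * when the deadline is missed (the failure a real-time design must surface). */
int run_until_setpoint(struct thermostat *t, double y, double ambient, int max_ticks) {
    for (int tick = 0; tick < max_ticks; tick++) {
        thermostat_step(t, y);                 /* compare Y, set actuator   */
        y = room_update(y, t->heater_on, ambient); /* plant reacts, new Y   */
        if (at_setpoint(t, y))
            return tick + 1;
    }
    return -1;   /* deadline missed */
}
```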

List of Real-Time Operating Systems on the market

IoT devices’ potential risks

Threat actors exploit IoT device weaknesses to conduct cyber attacks. Cyber security gurus have therefore summarized the following design weaknesses of IoT devices. These devices are heavily deployed in smart cities: for instance surveillance webcams, sensors, motion detectors, etc. The design weaknesses are shown below:

6 Big Security Concerns About IoT For Business

  • Default ‘Raw Data’ Storage
  • Insecure Devices
  • Lack Of Updates
  • Hard to avoid Data Breaches
  • Difficult to comply with Data Storage policy
  • High hit rate to become a DDoS Attack tool

Vulnerabilities & Exposures (recent) – The FreeRTOS vulnerabilities have awakened awareness of IoT technology weaknesses. Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure.

Risk factor: FreeRTOS TCP/IP Stack Vulnerabilities put a wide range of devices at risk of compromise. Researchers from Zimperium’s zLabs have analyzed FreeRTOS’s TCP/IP stack and AWS secure connectivity modules, and discovered vulnerabilities that also impact OpenRTOS and SafeRTOS.

CVE-2018-16522 Remote Code Execution
CVE-2018-16525 Remote Code Execution
CVE-2018-16526 Remote Code Execution
CVE-2018-16528 Remote Code Execution
CVE-2018-16523 Denial of Service
CVE-2018-16524 Information Leak
CVE-2018-16527 Information Leak
CVE-2018-16599 Information Leak
CVE-2018-16600 Information Leak
CVE-2018-16601 Information Leak
CVE-2018-16602 Information Leak
CVE-2018-16603 Information Leak
CVE-2018-16598 Other


In the technology world, it is hard to avoid vulnerabilities occurring. Patch management is now perhaps included in the modern software and system development life cycle. There are two popular ways of disclosing vulnerabilities to software vendors.

  1. The first is called full disclosure: researchers immediately publish their vulnerability to the public, giving the vendors absolutely no opportunity to release a fix.
  2. The second is called responsible disclosure, or staggered disclosure. This is where the researcher contacts the vendor before the vulnerability is released. The vendor is given a conventional 30 calendar days to fix the vulnerability. Some security holes cannot be fixed easily and require entire software systems to be rebuilt from scratch. Once both parties are satisfied with the fix that has been produced, the vulnerability is disclosed and given a CVE number. Regarding the above FreeRTOS vulnerabilities, Amazon addressed the issues with the release of FreeRTOS 1.3.2. But what is the remedy status of the open-source application? As far as I know, the security researchers agreed to give another 30 days to allow vendors to deploy the patches. However, the potential risks remain valid until the vendor fixes the security hole.

Smart city infrastructure is not exclusive to famous vendors. We may use surveillance webcams, sensors and motion detectors from less well-known brands. Can you imagine the actual status once vulnerabilities occur?


Smart city infrastructure works closely with MQTT technology.

Security Alert – Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

Security Alert! Moxa ThingsPro IIoT Gateway and Device Management Software (Oct 2018)