FCC approves cybersecurity label for consumer devices

The U.S. Cyber Trust Mark aims to provide consumers with a better understanding of the security of their Internet of Things devices.

The post FCC approves cybersecurity label for consumer devices appeared first on CyberScoop.

How (and why) cyber specialists hacked a North American utility’s smart meter

The hackers behind some of the most impactful intrusions of industrial organizations in the last five years have meticulously searched for ways to move from facilities’ IT networks to the more sensitive computers that interact with machinery. Before alleged Russian hackers cut power in Ukraine in 2015, for example, they spent many months mapping out utility computer networks and gathering grid workers’ credentials. And the hackers that triggered the 2017 shutdown of a Saudi petrochemical plant with the so-called Triton malware are known for using dozens of different tools to maintain access to IT and industrial networks. As state-sponsored hackers continue to probe U.S. infrastructure, cybersecurity experts regularly emulate those landmark attacks today to break into their clients’ networks in order to protect them. The latest example comes from Mandiant, FireEye’s incident response unit, which this week publicized the techniques it used to infiltrate a North American utility’s industrial control systems […]

The post How (and why) cyber specialists hacked a North American utility’s smart meter appeared first on CyberScoop.

33 connectivity flaws render millions of IT, IoT devices vulnerable

Several sets of internet communication protocols used by major vendors of connected products have vulnerabilities that could affect millions of devices, researchers revealed on Tuesday. Four of the vulnerabilities are critical, meaning attackers could use them to remotely take over devices ranging from a “smart” refrigerator to an industrial networking switch in the electrical grid, according to the security vendor Forescout. The flaws exist in information technology, operational technology and so-called internet of things products. The Forescout study, dubbed AMNESIA:33, focuses on 33 vulnerabilities in four open-source TCP/IP stacks. TCP/IP stands for “Transmission Control Protocol/Internet Protocol,” which is used to communicate between computers. Open-source TCP/IP stacks serve as the foundational connectivity components of devices around the world. (A TCP/IP stack is an implementation of the TCP/IP protocol.) It marks the second time this year that a set of TCP/IP stack vulnerabilities emerged that could affect a large number of devices. […]

The post 33 connectivity flaws render millions of IT, IoT devices vulnerable appeared first on CyberScoop.

‘Smart’ doorbells for sale on Amazon, eBay came stocked with security vulnerabilities

Holiday shoppers looking for a wireless-connected doorbell might want to take a closer look at the device’s security features. The U.K.-based security company NCC Group and consumer advocacy group Which? have found vulnerabilities in 11 “smart” doorbells sold on popular platforms like Amazon and eBay. One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network. The investigation focused on doorbells made by often obscure vendors, but which nonetheless earned top reviews and featured prominently on Amazon and eBay. The researchers raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell’s camera, on insecure servers. One device made by a company called Victure, for example, sent a user’s wireless name and password, […]

The post ‘Smart’ doorbells for sale on Amazon, eBay came stocked with security vulnerabilities appeared first on CyberScoop.

New WiFi chip bug affects everything from Amazon’s Echo to home routers

A large swath of internet-of-things devices are affected by a new vulnerability that could let a criminal or spy decrypt data sent over wireless connections, researchers said Wednesday. The flaw in widely used WiFi chips made by Broadcom and Cypress essentially disables the encryption key used to secure communications over popular wireless standards. Everything from certain classes of the iPhone to Amazon’s Echo could be vulnerable to attacks tested by researchers at antivirus company ESET, who discovered the vulnerability. One billion devices are affected, ESET estimated. ESET hasn’t seen any attacks in the wild exploiting this vulnerability. Yet it’s the latest reminder that, while governments in the U.S., the U.K., and elsewhere are urging IoT vendors to build more security into their products, they are up against a market that often prioritizes low costs and convenience. “These consumer IoT devices are expanding the attack surface for enterprises,” said Robert Lipovsky, senior malware researcher at ESET, […]

The post New WiFi chip bug affects everything from Amazon’s Echo to home routers appeared first on CyberScoop.

FTC settles with device maker D-Link, requires ‘comprehensive’ security effort

Device manufacturer D-Link Systems has agreed to implement a “comprehensive software security program” to settle Federal Trade Commission charges that the company exposed customer data to hackers while advertising top-of-the-line security measures. D-Link will not pay any financial penalties as part of the settlement, but its manufacturing process will have to include threat modeling; tests for security bugs prior to a product’s release; ongoing device monitoring to address flaws; automatic firmware updates; and the acceptance of vulnerability reports from researchers. The government’s litigation against the Southern California company, which makes wireless routers and smart cameras, began in 2017. Regulators found that D-Link, despite billing its products as having “advanced network security,” actually failed to test them and did not remediate “well known and preventable security flaws.” That same year, researchers found 10 vulnerabilities in a single D-Link router model that could have been exploited to take over a device. Under the settlement, the company also will be subject […]

The post FTC settles with device maker D-Link, requires ‘comprehensive’ security effort appeared first on CyberScoop.

Newly reported flaws in cameras, locks add to scrutiny of smart-home security

Homeowners trying to protect their property with surveillance cameras and smart locks may have actually made their households more vulnerable, according to security flaws unveiled by separate teams of researchers Tuesday. The Netgear Arlo system, which the company says streams more than 100 million videos every day, and certain types of Zipato smart hubs, which can lock or unlock doors, are affected by security flaws detailed in unrelated announcements from Tenable and researchers Chase Dardaman and Jason Wheeler, respectively. The discoveries again demonstrate how the same technology that promises to make life more convenient and secure also can put consumers at risk. Patches are available for both vulnerabilities, and hackers would need physical access in both cases to carry out attacks. The weakness in the Arlo devices could allow malicious outsiders to take control of all the cameras connected to a single hub, at which point they could disable the video […]

The post Newly reported flaws in cameras, locks add to scrutiny of smart-home security appeared first on CyberScoop.
