A botched wireless update for a remotely accessible smart lock system has bricked hundreds of them. The locks suffered a “fatal error,” according to device’s manufacturer LockState, rendering them unable to locked. Customers are asked to either return impacted locks for repair, or request a replacement.
“We realize the impact that this issue may have on you and your business and we are deeply sorry. Every employee and resource at LockState is focused on resolving this for you as quickly as possible,” wrote Nolan Mondrow, CEO of LockState in an email sent to customers last week. More than 500 customers using model 6000i RemoteLocks are impacted.Read more
A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects - known in the tech industry as the "internet of things" - which experts have long warned poses a threat to global cyber security.
The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.Read more
Lucas Lundgren sat at his desk as he watched prison cell doors hundreds of miles away from him opening and closing. He could see the various commands floating across his screen in unencrypted plain text.
"I could even issue commands like, 'all cell blocks open'," he said in a phone call last week. Without being there, he couldn't know for sure if his actions would've had real-world consequences. "I'd probably only know by reading about it in the newspaper the next day," said Lundgren, a senior security consultant at IOActive. It's because those cell doors are controlled by a little-known but popular open-source messaging protocol known as MQTT.Read more
Your Roomba may be vacuuming up more than you think. High-end models of Roomba, iRobot’s robotic vacuum, collect data as they clean, identifying the locations of your walls and furniture.
This helps them avoid crashing into your couch, but it also creates a map of your home that iRobot is considering selling to Amazon, Apple or Google. Colin Angle, chief executive of iRobot, told that a deal could come in the next two years, though iRobot said in a statement on Tuesday: “We have not formed any plans to sell data.” In the hands of a company like Amazon, Apple or Google, that data could fuel new “smart” home products.Read more
The security woes of the internet of things stem from more than just connecting a bunch of cheap gadgets to a cruel and hacker-infested internet. Often dozens of different vendors run the same third-party code across an array of products.
That means a single bug can impact a startling number of disparate devices. Or, as one security company's researchers recently found, a vulnerability in a single internet-connected security camera can expose a flaw that leaves thousands of different models of device at risk. On Tuesday, the internet-of-things-focused security firm Senrio revealed a hackable flaw it's calling "Devil's Ivy."Read more
Security researchers have discovered a number of vulnerabilities in an internet-enabled burglar alarm that could see the device being remotely switched off by an attacker.
According to a blog post, Ilia Shnaidman, head of security research at Bullguard, said that the discovery of multiple flaws in iSmartAlarm is another example of a poorly engineered device that offers attackers an easy target. The device, said Shnaidman, has flaws that can lead to full device compromise. The cube-shaped iSmartAlarm provides a fully integrated alarm system with siren, smart cameras and locks.Read more
Smart-home controllers from German company AGFEO have adopted best practice internet things security by offering an unsecured Web admin interface. The now-patched attack vectors included unauthenticated access to some services, authentication bypass, cross-site scripting (XSS) vulns, and hard-coded cryptographic keys.
The bugs were discovered by SEC Consult, and landed on Full Disclosure after the vendor finally released an update. The AGFEO ES 5xx and 6xx firmware has three certificates with their associated private keys, which would ultimately let an attacker get administrative credentials and do as they pleased.Read more
Google’s thesis to the automotive industry came packaged in a red glinting Maserati Ghibli. The luxury sedan, parked outside last year’s Google I/O developer conference, might have looked like just another sports car — a ubiquitous sight in Silicon Valley.
But what was inside captured the interest of automakers. And now, some automakers are buying into what they found, despite long-held fears of giving up too much control to outsiders like Google. “The traction we’re seeing in the car space is just ridiculous,” Patrick Brady, vice president of engineering for Android, told. “It’s surprising even to us and has caught us off guard.”Read more
Security researchers have discovered a new Internet of Things botnet dubbed Persirai targeting more than 1,000 different Internet Protocol camera models. Around 120,000 IP cameras are vulnerable to the malicious malware with many unsuspecting owners unaware that their devices are exposed to the internet.
The researchers said this makes it easier for the attackers behind the new malware to infiltrate the IP camera's web interface via TCP Port 81. Once a hacker logs into the vulnerable device's interface, the attacker can then perform a command injection to force the IP camera to connect to a download site to issue commands that download and execute malicious shell scripts.Read more
A hacker called The Janitor has created multiple versions of a program called BrickerBot, a system that searches out and bricks insecure IoT devices. A researcher named Pascal Geenens has followed the worm for a few weeks and has seen it pop up and essentially destroy infected webcams and other IoT devices.
The devices all used a Linux package called BusyBox and had exposed telnet-based interfaces with default passwords. These devices were easily exploited by the Mirai botnet, which essentially turned them into denial-of-service weapons. BrickerBot finds these devices and renders them unusable.Read more