Embedded Devices | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have disclosed  two unpatched security vulnerabilities  in the open-source U-Boot boot loader. The issues, which were uncovered in the  IP defragmentation  algorithm implemented in U-Boot by NCC Group, could be abused to achieve arbitrary out-of-bounds write and denial-of-service (DoS). U-Boot is a  boot loader  used in Linux-based embedded systems such as ChromeOS as well as ebook readers such as Amazon Kindle and Kobo eReader. The issues are summarized below - CVE-2022-30790  (CVSS score: 9.6) - Hole Descriptor overwrite in U-Boot IP packet defragmentation leads to an arbitrary out-of-bounds write primitive. CVE-2022-30552  (CVSS score: 7.1) - Large buffer overflow leads to DoS in U-Boot IP packet defragmentation code It's worth noting that both the flaws are exploitable only from the local network. But doing so can enable an attacker to root the devices and lead to a DoS by crafting a malformed packet. The shortcomings are expected to be addr

Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications. The six flaws were  reported  by researchers from Israeli IoT security firm Vdoo. The  Realtek RTL8195A  module is a standalone, low-power-consumption Wi-Fi hardware module targeted at embedded devices used in several industries such as agriculture, smart home, healthcare, gaming, and automotive sectors. It also makes use of an "Ameba" API, allowing developers to communicate with the device via Wi-Fi, HTTP, and  MQTT , a lightweight messaging protocol for small sensors and mobile devices. Although the issues uncovered by Vdoo were verified only on RTL8195A, the researchers said they extend to other modules as well, including RTL8711AM, RTL8711AF, and RTL8710AF. The flaws concern a mix of stack overflow, and out-of-bounds reads that stem from the Wi-Fi module's WPA2  fo

It comes as no surprise that today's cyber threats are orders of magnitude more complex than those of the past. And the ever-evolving tactics that attackers use demand the adoption of better, more holistic and consolidated ways to meet this non-stop challenge. Security teams constantly look for ways to reduce risk while improving security posture, but many approaches offer piecemeal solutions – zeroing in on one particular element of the evolving threat landscape challenge – missing the forest for the trees.  In the last few years, Exposure Management has become known as a comprehensive way of reigning in the chaos, giving organizations a true fighting chance to reduce risk and improve posture. In this article I'll cover what Exposure Management is, how it stacks up against some alternative approaches and why building an Exposure Management program should be on  your 2024 to-do list. What is Exposure Management?  Exposure Management is the systematic identification, evaluation,

Security researchers have discovered almost a dozen zero-day vulnerabilities in VxWorks, one of the most widely used real-time operating systems (RTOS) for embedded devices that powers over 2 billion devices across aerospace, defense, industrial, medical, automotive, consumer electronics, networking, and other critical industries. According to a new report Armis researchers shared with The Hacker News prior to its release, the vulnerabilities are collectively dubbed as URGENT/11 as they are 11 in total, 6 of which are critical in severity leading to 'devastating' cyberattacks. Armis Labs is the same IoT security company that previously discovered the BlueBorne vulnerabilities in Bluetooth protocol that impacted more than 5.3 Billion devices—from Android, iOS, Windows and Linux to the Internet of things (IoT). These vulnerabilities could allow remote attackers to bypass traditional security solutions and take full control over affected devices or "cause disruption on

A security researcher has discovered several critical vulnerabilities in one of the most popular embedded real-time operating systems—called FreeRTOS—and its other variants, exposing a wide range of IoT devices and critical infrastructure systems to hackers. What is FreeRTOS (Amazon, WHIS OpenRTOS, SafeRTOS)? FreeRTOS is a leading open source real-time operating system (RTOS) for embedded systems that has been ported to over 40 microcontrollers, which are being used in IoT, aerospace, medical, automotive industries, and more. RTOS has specifically been designed to carefully run applications with very precise timing and a high degree of reliability, every time. A pacemaker is an excellent example of the real-time embedded system that contracts heart muscle at the right time, a process that can't afford delays, to keep a person alive. Since late last year, FreeRTOS project is being managed by Amazon, who created Amazon FreeRTOS (a:FreeRTOS) IoT operating system for mic

No matter how smart and fast your devices would be, the biggest issue is always with the battery technology. Whenever you go to buy any electronic gadget — smartphone, laptop, or any wearable — the most important specification isn't its processor speed or its camera quality but its Battery Backup , which is not getting better any time soon. What if you could eliminate the very thing entirely? Well, that's exactly what the electrical engineers from the University of Washington has developed. A team of researchers from the University of Washington's Sensor Lab and the Delft University of Technology has developed a new gadget that doesn't need a battery or any external power source to keep it powered; rather it works on radio waves. So, this means you have to turn on your radio every time to keep this device charged. Right? No, you don't need to do this at all, because the device sucks radio waves out of the air and then converts them into electricity. Wireless Ident

Millions of embedded devices, including home routers, modems, IP cameras, VoIP phones, are shareing the same hard-coded SSH (Secure Shell) cryptographic keys or HTTPS (HTTP Secure) server certificates that expose them to various types of malicious attacks. A new analysis by IT security consultancy SEC Consult shows that the lazy manufacturers of the Internet of Things (IoTs) and Home Routers are reusing the same set of hard-coded cryptographic keys, leaving devices open to Hijacking. In simple words, this means that if you are able to access one device remotely, you can possibly log into hundreds of thousands of other devices – including the devices from different manufacturers. Re-Using Same Encryption Keys In its survey of IoT devices , the company studied 4,000 embedded devices from 70 different hardware vendors, ranging from simple home routers to Internet gateway servers, and discovered that… …over 580 unique private cryptographic keys for SSH and HTTPS a

Cyber criminals are using new malware variants by exploiting GNU Bash vulnerability referred to as ShellShock ( CVE-2014-6271 ) in order to infect embedded devices running BusyBox software, according to a researcher. A new variant of " Bashlite " malware targeting devices running BusyBox software was spotted by the researchers at Trend Micro shortly after the public disclosure of the ShellShock vulnerability. BusyBox provides set of command line utilities that are specifically designed to run in constrained embedded environments. At compile time, different capabilities can be left out, reducing the size of the binaries, and efforts are made to make them memory efficient. This makes the software an excellent candidate for use in consumer electronics devices, which seem to have been the items of interest in this case. The malware variant, detected as ELF_BASHLITE.A (ELF_FLOODER.W) , when executed on victim's machine, scans compromised networks for device