The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Embedded Devices

Unpatched Critical Flaws Disclosed in U-Boot Bootloader for Embedded Devices

Unpatched Critical Flaws Disclosed in U-Boot Bootloader for Embedded Devices
June 06, 2022Ravie Lakshmanan
Cybersecurity researchers have disclosed  two unpatched security vulnerabilities  in the open-source U-Boot boot loader. The issues, which were uncovered in the  IP defragmentation  algorithm implemented in U-Boot by NCC Group, could be abused to achieve arbitrary out-of-bounds write and denial-of-service (DoS). U-Boot is a  boot loader  used in Linux-based embedded systems such as ChromeOS as well as ebook readers such as Amazon Kindle and Kobo eReader. The issues are summarized below - CVE-2022-30790  (CVSS score: 9.6) - Hole Descriptor overwrite in U-Boot IP packet defragmentation leads to an arbitrary out-of-bounds write primitive. CVE-2022-30552  (CVSS score: 7.1) - Large buffer overflow leads to DoS in U-Boot IP packet defragmentation code It's worth noting that both the flaws are exploitable only from the local network. But doing so can enable an attacker to root the devices and lead to a DoS by crafting a malformed packet. The shortcomings are expected to be addr

Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices

Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices
February 04, 2021Ravie Lakshmanan
Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications. The six flaws were  reported  by researchers from Israeli IoT security firm Vdoo. The  Realtek RTL8195A  module is a standalone, low-power-consumption Wi-Fi hardware module targeted at embedded devices used in several industries such as agriculture, smart home, healthcare, gaming, and automotive sectors. It also makes use of an "Ameba" API, allowing developers to communicate with the device via Wi-Fi, HTTP, and  MQTT , a lightweight messaging protocol for small sensors and mobile devices. Although the issues uncovered by Vdoo were verified only on RTL8195A, the researchers said they extend to other modules as well, including RTL8711AM, RTL8711AF, and RTL8710AF. The flaws concern a mix of stack overflow, and out-of-bounds reads that stem from the Wi-Fi module's WPA2  fo

Critical Flaws Found in VxWorks RTOS That Powers Over 2 Billion Devices

Critical Flaws Found in VxWorks RTOS That Powers Over 2 Billion Devices
July 29, 2019Swati Khandelwal
Security researchers have discovered almost a dozen zero-day vulnerabilities in VxWorks, one of the most widely used real-time operating systems (RTOS) for embedded devices that powers over 2 billion devices across aerospace, defense, industrial, medical, automotive, consumer electronics, networking, and other critical industries. According to a new report Armis researchers shared with The Hacker News prior to its release, the vulnerabilities are collectively dubbed as URGENT/11 as they are 11 in total, 6 of which are critical in severity leading to 'devastating' cyberattacks. Armis Labs is the same IoT security company that previously discovered the BlueBorne vulnerabilities in Bluetooth protocol that impacted more than 5.3 Billion devices—from Android, iOS, Windows and Linux to the Internet of things (IoT). These vulnerabilities could allow remote attackers to bypass traditional security solutions and take full control over affected devices or "cause disruption on

Critical Flaws Found in Amazon FreeRTOS IoT Operating System

Critical Flaws Found in Amazon FreeRTOS IoT Operating System
October 19, 2018Swati Khandelwal
A security researcher has discovered several critical vulnerabilities in one of the most popular embedded real-time operating systems—called FreeRTOS—and its other variants, exposing a wide range of IoT devices and critical infrastructure systems to hackers. What is FreeRTOS (Amazon, WHIS OpenRTOS, SafeRTOS)? FreeRTOS is a leading open source real-time operating system (RTOS) for embedded systems that has been ported to over 40 microcontrollers, which are being used in IoT, aerospace, medical, automotive industries, and more. RTOS has specifically been designed to carefully run applications with very precise timing and a high degree of reliability, every time. A pacemaker is an excellent example of the real-time embedded system that contracts heart muscle at the right time, a process that can't afford delays, to keep a person alive. Since late last year, FreeRTOS project is being managed by Amazon, who created Amazon FreeRTOS (a:FreeRTOS) IoT operating system for mic

This Tiny Computer has no Battery, Powered Wirelessly from Radio Waves

This Tiny Computer has no Battery, Powered Wirelessly from Radio Waves
April 27, 2016Swati Khandelwal
No matter how smart and fast your devices would be, the biggest issue is always with the battery technology. Whenever you go to buy any electronic gadget — smartphone, laptop, or any wearable — the most important specification isn't its processor speed or its camera quality but its Battery Backup , which is not getting better any time soon. What if you could eliminate the very thing entirely? Well, that's exactly what the electrical engineers from the University of Washington has developed. A team of researchers from the University of Washington's Sensor Lab and the Delft University of Technology has developed a new gadget that doesn't need a battery or any external power source to keep it powered; rather it works on radio waves. So, this means you have to turn on your radio every time to keep this device charged. Right? No, you don't need to do this at all, because the device sucks radio waves out of the air and then converts them into electricity. Wireless Ident

Millions of IoT Devices Using Same Hard-Coded CRYPTO Keys

Millions of IoT Devices Using Same Hard-Coded CRYPTO Keys
November 27, 2015Swati Khandelwal
Millions of embedded devices, including home routers, modems, IP cameras, VoIP phones, are shareing the same hard-coded SSH (Secure Shell) cryptographic keys or HTTPS (HTTP Secure) server certificates that expose them to various types of malicious attacks. A new analysis by IT security consultancy SEC Consult shows that the lazy manufacturers of the Internet of Things (IoTs) and Home Routers are reusing the same set of hard-coded cryptographic keys, leaving devices open to Hijacking. In simple words, this means that if you are able to access one device remotely, you can possibly log into hundreds of thousands of other devices – including the devices from different manufacturers. Re-Using Same Encryption Keys In its survey of IoT devices , the company studied 4,000 embedded devices from 70 different hardware vendors, ranging from simple home routers to Internet gateway servers, and discovered that… …over 580 unique private cryptographic keys for SSH and HTTPS a

BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox

BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox
November 17, 2014Swati Khandelwal
Cyber criminals are using new malware variants by exploiting GNU Bash vulnerability referred to as ShellShock ( CVE-2014-6271 ) in order to infect embedded devices running BusyBox software, according to a researcher. A new variant of " Bashlite " malware targeting devices running BusyBox software was spotted by the researchers at Trend Micro shortly after the public disclosure of the ShellShock vulnerability. BusyBox provides set of command line utilities that are specifically designed to run in constrained embedded environments. At compile time, different capabilities can be left out, reducing the size of the binaries, and efforts are made to make them memory efficient. This makes the software an excellent candidate for use in consumer electronics devices, which seem to have been the items of interest in this case. The malware variant, detected as ELF_BASHLITE.A (ELF_FLOODER.W) , when executed on victim's machine, scans compromised networks for device
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.