The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: Internet of Things

Fighting the Rogue Toaster Army: Why Secure Coding in Embedded Systems is Our Defensive Edge

Fighting the Rogue Toaster Army: Why Secure Coding in Embedded Systems is Our Defensive Edge

September 09, 2021The Hacker News
There are plenty of pop culture references to rogue AI and robots, and appliances turning on their human masters. It is the stuff of science fiction, fun, and fantasy, but with IoT and connected devices becoming more prevalent in our homes, we need more discussion around cybersecurity and safety. Software is all around us, and it's very easy to forget just how much we're relying on lines of code to do all those clever things that provide us so much innovation and convenience. Much like web-based software, APIs, and mobile devices, vulnerable code in embedded systems can be exploited if it is uncovered by an attacker.  While it's unlikely that an army of toasters is coming to enslave the human race (although, the  Tesla bot  is a bit concerning) as the result of a cyberattack, malicious cyber events are still possible. Some of our cars, planes, and medical devices also rely on intricate embedded systems code to perform key tasks, and the prospect of these objects being compromised i
A Critical Random Number Generator Flaw Affects Billions of IoT Devices

A Critical Random Number Generator Flaw Affects Billions of IoT Devices

August 09, 2021Ravie Lakshmanan
A critical vulnerability has been disclosed in hardware random number generators used in billions of Internet of Things (IoT) devices whereby it fails to properly generate random numbers, thus undermining their security and putting them at risk of attacks. "It turns out that these 'randomly' chosen numbers aren't always as random as you'd like when it comes to IoT devices," Bishop Fox researchers Dan Petro and Allan Cecil  said  in an analysis published last week. "In fact, in many cases, devices are choosing encryption keys of 0 or worse. This can lead to a catastrophic collapse of security for any upstream use." Random number generation ( RNG ) is a  crucial process  that undergirds several cryptographic applications, including key generation, nonces, and salting. On traditional operating systems, it's derived from a cryptographically secure pseudorandom number generator (CSPRNG) that uses entropy obtained from a high-quality seed source.
Microsoft Finds 'BadAlloc' Flaws Affecting Wide-Range of IoT and OT Devices

Microsoft Finds 'BadAlloc' Flaws Affecting Wide-Range of IoT and OT Devices

April 30, 2021Ravie Lakshmanan
Microsoft researchers on Thursday disclosed two dozen vulnerabilities affecting a wide range of Internet of Things (IoT) and Operational Technology (OT) devices used in industrial, medical, and enterprise networks that could be abused by adversaries to execute arbitrary code and even cause critical systems to crash. "These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology, and industrial control systems,"  said  Microsoft's 'Section 52' Azure Defender for IoT research group. The flaws have been collectively named " BadAlloc ," for they are rooted in standard  memory allocation functions  spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. A lack of proper input validations associated with these memory allocation functions
Amazon Alexa Bugs Could've Let Hackers Install Malicious Skills Remotely

Amazon Alexa Bugs Could've Let Hackers Install Malicious Skills Remotely

August 13, 2020Ravie Lakshmanan
Attention! If you use Amazon's voice assistant Alexa in you smart speakers, just opening an innocent-looking web-link could let attackers install hacking skills on it and spy on your activities remotely. Check Point cybersecurity researchers—Dikla Barda, Roman Zaikin and Yaara Shriki—today disclosed severe security vulnerabilities in Amazon's Alexa virtual assistant that could render it vulnerable to a number of malicious attacks. According to a new report released by Check Point Research and shared with The Hacker News, the "exploits could have allowed an attacker to remove/install skills on the targeted victim's Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill." "Smart speakers and virtual assistants are so commonplace that it's easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes,"
New Ripple20 Flaws Put Billions of Internet-Connected Devices at Risk of Hacking

New Ripple20 Flaws Put Billions of Internet-Connected Devices at Risk of Hacking

June 16, 2020Mohit Kumar
The Department of Homeland Security and CISA ICS-CERT today issued a critical security advisory warning about over a dozen newly discovered vulnerabilities affecting billions of Internet-connected devices manufactured by many vendors across the globe. Dubbed " Ripple20 ," the set of 19 vulnerabilities resides in a low-level TCP/IP software library developed by Treck, which, if weaponized, could let remote attackers gain complete control over targeted devices—without requiring any user interaction. According to Israeli cybersecurity company JSOF—who discovered these flaws—the affected devices are in use across various industries, ranging from home/consumer devices to medical, healthcare, data centers, enterprises, telecom, oil, gas, nuclear, transportation, and many others across critical infrastructure. "Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An
New Bluetooth Vulnerability Exposes Billions of Devices to Hackers

New Bluetooth Vulnerability Exposes Billions of Devices to Hackers

May 19, 2020Ravie Lakshmanan
Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion of modern devices to hackers. The attacks, dubbed Bluetooth Impersonation AttackS or BIAS, concern Bluetooth Classic, which supports Basic Rate (BR) and Enhanced Data Rate (EDR) for wireless data transfer between devices. "The Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment," the researchers outlined in the paper. "Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade." Given the widespread impact of the vulnerability, the researchers said they responsibly disclosed the findings to the Bluetooth Special Interest Group (SIG), the organization that oversees the development o
Researchers Uncover Novel Way to De-anonymize Device IDs to Users' Biometrics

Researchers Uncover Novel Way to De-anonymize Device IDs to Users' Biometrics

April 28, 2020Ravie Lakshmanan
Researchers have uncovered a potential means to profile and track online users using a novel approach that combines device identifiers with their biometric information. The details come from a newly published research titled "Nowhere to Hide: Cross-modal Identity Leakage between Biometrics and Devices" by a group of academics from the University of Liverpool, New York University, The Chinese University of Hong Kong, and University at Buffalo SUNY. "Prior studies on identity theft only consider the attack goal for a single type of identity, either for device IDs or biometrics," Chris Xiaoxuan Lu, Assistant Professor at the University of Liverpool, told The Hacker News in an email interview. "The missing part, however, is to explore the feasibility of compromising the two types of identities simultaneously and deeply understand their correlation in multi-modal IoT environments." The researchers presented the findings at the Web Conference 2020 held
How to transform your revolutionary idea into a reality: $100K Nokia Bell Labs Prize

How to transform your revolutionary idea into a reality: $100K Nokia Bell Labs Prize

April 15, 2020The Hacker News
Revolutionary ideas in science, technology, engineering, and mathematics don't occur every day. But when those "eureka" moments happen, we need to provide a forum to explore those ideas, judge them on their merits, and distinguish the extraordinary from the merely good. Once a year, Nokia Bell Labs makes that forum a reality, where robust proposals that have the potential to revolutionize the future of human experience are presented and debated. If you think your idea could be one of them, the Nokia Bell Labs Prize is for you. Solving challenges that connect humans, systems, things, infrastructure, or processes, the 2020 Nokia Bell Labs Prize is an opportunity for innovators around the world to collaborate with world-renowned Nokia Bell Labs researchers and transform their ideas into prototypes of the future. What kind of ideas are we talking about? Big, bold, and bordering on audacious, they should have far-reaching, humanity-changing implications. Previous
Critical Flaw in GoAhead Web Server Could Affect Wide Range of IoT Devices

Critical Flaw in GoAhead Web Server Could Affect Wide Range of IoT Devices

December 04, 2019Mohit Kumar
Cybersecurity researchers today uncovered details of two new vulnerabilities in the GoAhead web server software, a tiny application widely embedded in hundreds of millions of Internet-connected smart devices. One of the two vulnerabilities, assigned as CVE-2019-5096, is a critical code execution flaw that can be exploited by attackers to execute malicious code on vulnerable devices and take control over them. The first vulnerability resides in the way multi-part/form-data requests are processed within the base GoAhead web server application, affecting GoAhead Web Server versions v5.0.1, v.4.1.1, and v3.6.5. According to the researchers at Cisco Talos, while processing a specially crafted HTTP request, an attacker exploiting the vulnerability can cause use-after-free condition on the server and corrupt heap structures, leading to code execution attacks. The second vulnerability, assigned as CVE-2019-5097, also resides in the same component of the GoAhead Web Server and can be
Critical Flaws Found in VxWorks RTOS That Powers Over 2 Billion Devices

Critical Flaws Found in VxWorks RTOS That Powers Over 2 Billion Devices

July 29, 2019Swati Khandelwal
Security researchers have discovered almost a dozen zero-day vulnerabilities in VxWorks, one of the most widely used real-time operating systems (RTOS) for embedded devices that powers over 2 billion devices across aerospace, defense, industrial, medical, automotive, consumer electronics, networking, and other critical industries. According to a new report Armis researchers shared with The Hacker News prior to its release, the vulnerabilities are collectively dubbed as URGENT/11 as they are 11 in total, 6 of which are critical in severity leading to 'devastating' cyberattacks. Armis Labs is the same IoT security company that previously discovered the BlueBorne vulnerabilities in Bluetooth protocol that impacted more than 5.3 Billion devices—from Android, iOS, Windows and Linux to the Internet of things (IoT). These vulnerabilities could allow remote attackers to bypass traditional security solutions and take full control over affected devices or "cause disruption on
Someone Hacked 50,000 Printers to Promote PewDiePie YouTube Channel

Someone Hacked 50,000 Printers to Promote PewDiePie YouTube Channel

December 01, 2018Mohit Kumar
This may sound crazy, but it's true! The war for "most-subscribed Youtube channel" crown between T-Series and PewDiePie just took an interesting turn after a hacker yesterday hijacked more than 50,000 internet-connected printers worldwide to print out flyers asking everyone to subscribe to PewDiePie YouTube channel. PewDiePie, whose real name is Felix Kjellberg, is a famous YouTuber from Sweden known for his game commentary and pranks and has had the most subscribers on YouTube since 2013. However, the channel owned by Bollywood record label T-Series has been catching up in recent months, and now both are hovering around 72.5 million YouTube subscribers. From this fear that PewDiePie won't remain the number one most-subscribed YouTuber in the world, an anonymous hacker (probably his die-hard fan) with the Twitter username " TheHackerGiraffe " came up with a hackish idea. TheHackerGiraffe scanned the Internet to find the list of vulnerable printers
Microsoft built its own custom Linux OS to secure IoT devices

Microsoft built its own custom Linux OS to secure IoT devices

April 17, 2018Swati Khandelwal
Finally, it's happening. Microsoft has built its own custom Linux kernel to power " Azure Sphere ," a newly launched technology that aims to better secure billions of " Internet of things " devices by combining the custom Linux kernel with new chip design, and its cloud security service. Project Azure Sphere focuses on protecting microcontroller-based IoT devices, including smart appliances, connected toys, and other smart gadgets, Microsoft announced during the security-focused RSA Conference in San Francisco Monday. It is basically a security package consists of three main components: Azure Sphere-certified microcontrollers (MCUs) Azure Sphere OS Azure Sphere Security Service "Azure Sphere provides security that starts in the hardware and extends to the cloud, delivering holistic security that protects, detects, and responds to threats—so they're always prepared," Microsoft said. Internet of Things (IoT) devices are 'ridicu
Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer

Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer

April 16, 2018Wang Wei
Internet-connected technology, also known as the Internet of Things (IoT), is now part of daily life, with smart assistants like Siri and Alexa to cars, watches, toasters, fridges, thermostats, lights, and the list goes on and on. But of much greater concern, enterprises are unable to secure each and every device on their network, giving cybercriminals hold on their network hostage with just one insecure device. Since IoT is a double-edged sword, it not only poses huge risks to enterprises worldwide but also has the potential to severely disrupt other organisations, or the Internet itself . There's no better example than Mirai , the botnet malware that knocked the world's biggest and most popular websites offline for few hours over a year ago. We have another great example that showcases how one innocent looking insecure IoT device connected to your network can cause security nightmares. Nicole Eagan, the CEO of cybersecurity company Darktrace, told attendees at
Critical Unpatched Flaws Disclosed In Western Digital 'My Cloud' Storage Devices

Critical Unpatched Flaws Disclosed In Western Digital 'My Cloud' Storage Devices

January 05, 2018Swati Khandelwal
Security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital's My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device. Western Digital's My Cloud (WDMyCloud) is one of the most popular network-attached storage devices which is being used by individuals and businesses to host their files, and automatically backup and sync them with various cloud and web-based services. The device lets users not only share files in a home network, but the private cloud feature also allows them to access their data from anywhere at any time. Since these devices have been designed to be connected over the Internet, the hardcoded backdoor would leave user data open to hackers. GulfTech research and development team has recently published an advisory detailing a hardcoded backdoor and several vulnerabilities it found in WD My Cloud storage devices that could allow remote attackers to
Hacker Distributes Backdoored IoT Vulnerability Scanning Script to Hack Script Kiddies

Hacker Distributes Backdoored IoT Vulnerability Scanning Script to Hack Script Kiddies

November 08, 2017Swati Khandelwal
Nothing is free in this world. If you are searching for free hacking tools on the Internet, then beware—most freely available tools, claiming to be the swiss army knife for hackers, are nothing but a scam. For example, Cobian RAT and a Facebook hacking tool that we previously reported on The Hacker News actually could hack, but of the one who uses them and not the one you desire to hack. Now, a security researcher has spotted another hacking tool—this time a PHP script—which is freely available on multiple popular underground hacking forums and allows anyone to find vulnerable internet-connected IP Cameras running the vulnerable version of GoAhead embedded web-server. However, after closely analysing the scanning script, Newsky Security researcher Ankit Anubhav found that the tool also contains a secret backdoor, which essentially allows its creator to " hack the hacker. " "For an attacker's point of view, it can be very beneficial to hack a hacker,"
Smart Devices Can Be Hijacked to Track Your Body Movements And Activities Remotely

Smart Devices Can Be Hijacked to Track Your Body Movements And Activities Remotely

August 20, 2017Unknown
If your smartphones, tablets, smart refrigerators, smart TVs and other smart devices are smart enough to make your life easier, their smart behavior could also be leveraged by hackers to steal data, invade your privacy or spy on you, if not secured properly. One such experiment has recently been performed by a team of student hackers, demonstrating a new attack method to turn smart devices into spying tools that could track your every move, including inferring sexual activity. Dubbed CovertBand , the attack has been developed by four researchers at the University of Washington's Paul G. Allen School of Computer Science & Engineering, and is so powerful that it can record what a person is doing through a wall. The CovertBand tracking system makes use of the built-in microphones and speakers—found in smartphones, laptops, tablets, smart assistant and other smart devices—as a receiver to pick up reflected sound waves, tracking the movements of anyone near the audio sourc
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.