Search This Blog

Showing posts with label IoT devices. Show all posts

Vulnerabilities with AvertX IP security cameras


Palo Alto Networks Unit 42, this February found three vulnerabilities present in AvertX IP cameras in their latest version.

These three vulnerabilities were found in models HD838 and 438IR of AvertX used as outdoor surveillance cameras with object-detection and infrared and technology built-in. The users can store the recordings both in the cloud on a Network Video Recorder (NVR) or in a memory card.

The three vulnerabilities that were found and confirmed by AvertX were:

CVE-2020-11625: User enumeration 

Faulty web user interface (UI) login attempts lead to varied results when the account doesn't exist that could enable attackers to use brute force attacks.

 CVE-2020-11624: Weak password requirements 

The software does not require users to change from the default password. When the user tries to login with the default password the pop shows 'password has been changed' but lets the user login.

 CVE-2020-11623: Exposed dangerous method or function 

An exposed UART interface exists that could be exploited by an attacker with physical access to the UART and change diagnostic and configuration functionalities.

 The Impact of these Vulnerabilities

The attackers can use a brute force attack by gaining legitimate accounts as the vulnerability allows to collect valid usernames and once the username is accessed it is easy to gain the password via brute force attack.

Since the camera can be accessed by using the default password- can easily make your camera and machine compromised. And the default password can be as easily accessed by reading a user manual, as a result, can connect to Iot devices.

Physical access to UATR ( universal asynchronous receiver-transmitter) can allow the attacker to change configurations, modify them, or even shut the camera down.

 The company AvertX, analyzed the faults and vulnerabilities and have released a patch with proper modifications and removed the UATR connector as well as changed the interface in the later produced batches.
2020 Unit 42 IoT Threat Report showed that security cameras make 5% of Interest Of Things (IoT) devices all over but they cover 33% of security issues related to IoT devices.

Bot List Containing Telnet Credentials for More than 500,000 Servers, Routers and IoT Devices Leaked Online


This week, a hacker published a list on a popular hacking forum containing Telnet credentials for over 515,000 servers, home routers and IoT (Internet of Things) "smart" devices. The massive list which reportedly was concluded by browsing the whole internet in search of devices that left their Telnet port exposed, included IP addresses of all the devices, username and password for the Telnet service and a remote access protocol that can be employed to control devices over the internet.

After scanning the Internet in search of devices exposing their Telnet port, the hacker attempts to use either factory-set default usernames and passwords or custom but guessable combinations, as per the statements by the leaker himself.

These lists, generally kept private – are known as 'bot lists' that are built after hackers scan the Internet and then employed them to connect to the devices and install malware. Sources say that although there have been some leaks in the past, this one is recorded as the biggest leak of Telnet passwords till date.

As per the reports of ZDNet, the list was made available online by one of a DDoS-for-hire (DDoS booter) service's maintainer. There's a probability that some of these devices might now run on a different IP address or use other login credentials as all the leaked lists are dated around October-November 2019. Given that using any of the listed username and password to access any of the devices would be illegal, ZDNet did not use it. Therefore, they were not able to comment on the validity of these credentials.

A security expert in the field of IoT, requesting for anonymity, tells that even if some of the listed credentials are invalid by the time for devices now have a new IP address or password. However, the listings still hold a lot of value for a skillful and talented attacker who can possibly use the present information in the list to identify the service provider and hence update the list with the current IP addresses.

Certain authentic and verified security researchers are given access to the list of credentials as they volunteered for it.

IoT Devices Fall Prey to Attacks up to 10 Crore by Hackers


With more than 40 lakh attacks on IoT (Internet of Things) devices, India is among one of the Top 10 Victims Countries lists in the world. This can be a disappointment for Tech Freaks and companies that have just begun using IoT devices but don't consider protecting their IoT devices such as smart cameras. Hackers didn't even flinch while penetrating the systems. That's how simple the breakthrough was.


Simple methods like password guessing are used for getting the entry in IoT devices. Some sufferers of these attacks set passwords as naive as 'Admin.' And now, India has made it to the index of the top 10 countries that fell prey to IoT attacks in 2019. As shocking as the disturbance was, all of these hacks have happened in just the first half of the year. Nevertheless, it's ironical that India wasn't on this list at the same time last year. That is how distressing the circumstance has become.

In a study titled, 'IoT: A Malware Story,' Kaspersky, a cybersecurity company, says "There is an immense explosion in smart technologies like routers and smart cameras but people hardly care to guard them against cyber invasions, cyber safety solutions." This is due to a massive number of attacks happening in the first half of the year 2019. “Kasperky's honey pots (used as baits by the company to lure hackers) caught 10.5 crore invasions on IoT gadgets from 276,000 different IPs in contrast to 12 million invasions arising from 69,000 IPs in the very time previous year,” said its report.

The increase of IoT gadgets and lack of knowledge on cyber safety make this a sweet harvest for hackers. Invasions on IoT gadgets traversed 10-crore line in the first half of 2019, 9 times the number of attacks happened in the year 2018 at the same time. The Honey pots used as baits to catch the hackers have obtained fascinating knowledge about the manner of working of the hackers. Fortunately, the invasions on IoT gadgets are not complicated. However, lack of knowledge leads to attacks on IoT gadgets. Clicking on vulnerable links in IoT systems, hackers have sharpened their drives to ship into IoT devices and make a profit.

Around 25 million Home Voice Assistants vulnerable to hacking globally

          





According to a cybersecurity report of McAfee, over 25 million voice assistants which are connected  IoT(internet of things ) devices at home globally are at huge risk of hacking.

Raj Samani, McAfee Fellow and Chief Scientist at McAfee said “ Most IoT devices are being compromised by exploiting rudimentary vulnerabilities, such as easily guessable passwords and insecure default settings”

He further added that “From building botnets, to stealing banking credentials, perpetrating click fraud, or threatening reputation damage unless a ransom is paid, money is the ultimate goal for criminals,”

The hackers around the world are exploiting basic vulnerabilities of IoT devices like easily guessable passwords, weak security settings, exploitation through voice commands.

According to the “Mobile threat report” from McAfee, there has been a 550 percent increase in security vulnerabilities related to fake apps in the second half of 2018.

According to the report “"Most notably, the number of fake app detections by McAfee's Global Threat Intelligence increased from around 10,000 in June 2018 to nearly 65,000 in December 2018,"

 Gary Davis, Chief Consumer Security Evangelist at McAfee said "The rapid growth and broad access to connected IoT devices push us to deliver innovations with our partners that go beyond traditional anti-virus. We are creating solutions that address real-world digital security challenges,"


McAfee and Samsung are now in partnership to secure Samsung Galaxy S10 devices from a malicious hacking attempt