Tag Archives: Def Con

Internet of Things update

John Leyden for The Register: Looking after the corporate Apple mobile fleet? Beware: MDM onboarding is ‘insecure’ – “Hackers can blow holes in Apple’s managed service technology and sneak their own rogue devices onto corporate fleets of mobile iThings.

Weaknesses in Apple’s Device Enrollment Program (DEP) allow the ne’er-do-wells to run targeted attacks on both the networks of the corporate shiny-shiny and the backend systems that support them, researchers at Duo Security warned.”

Catalin Cimpanu for ZDNet: Researchers find vulnerability in Apple’s MDM DEP process – “Vulnerability could lead to attackers enrolling malicious devices in enterprise networks, researchers say.”

The Duo Labs paper is available from here: Weak Apple DEP Authentication Leaves Enterprises Vulnerable to Social Engineering Attacks and Rogue Devices


Talos Intelligence: VPNFilter III: More Tools for the Swiss Army Knife of Malware – “Cisco Talos recently discovered seven additional third-stage VPNFilter modules that add significant functionality to the malware, including an expanded ability to exploit endpoint devices from footholds on compromised network devices. The new functions also include data filtering and multiple encrypted tunneling capabilities to mask command and control (C2) and data exfiltration traffic.”


Softpedia: Study Finds 83 Percent of Home Routers are Vulnerable to Attacks – “A study published by The American Consumer Institute found that out of a sample of 186 home routers, 83% of them were exposed to security attacks because of known vulnerabilities in their firmware.” The study is available here: New Study Warns of Inadequate Security Provisions in Home and Office Routers


Help Net: Connected car security is improving, researchers say. This refers to a report from IOActive: Commonalities in Vehicle Vulnerabilities – 2018 Remix


Help Net: Hackers are finding creative ways to target connected medical devices. This refers to a Zingbox paper: Discovery of Cyberattack Trends Targeting Connected Medical Device [sic] – “Detailed analysis of hackers leveraging device error messages”


Shaun Nichols for The Register: DEF CON hackers’ dossier on US voting machine security is just as grim as feared

“The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies.”

David Harley

Thermostat Hacking – a Hot Topic

At this year’s Def Con, Andrew Tierney and Ken Munro demonstrated how they created full-blown ransomware to take control of an unnamed brand of smart thermostat ‘and lock the user out until they paid up.’

  • Thermostat Ransomware: a lesson in IoT security. They observe that ‘Our intention was to draw attention to the poor state of security in many domestic IoT devices. Also to raise awareness in the security research community that it’s not all about software hacking. Hardware hacking is often an easier vector.’

  • Commentary by The Register: Thermostat ransomware

It’s not clear right now whether this is another aspect of the story reported by Security Week in ‘Vulnerabilities Exposed Trane Thermostats to Remote Hacking’, based on research by Jeff Kitson for Trustwave. But it sounds very similar.

David Harley