Sam Stelfox

Smart home cybersecurity news roundup [August 2019 edition]

There were numerous vulnerabilities discovered in the past month's time that targeted billions of IoT devices. In this edition of our smart home cybersecurity news roundup, we'll dive into the vulnerabilities that caused a critical "Update Now" warning for IoT devices using VxWorks OS and multiple security exploits for the Google Nest Cam IQ.

11 zero-day vulnerabilities found in the most widely used IoT device OS

On July 29, 2019, the research team behind enterprise IoT security company Armis disclosed that they had found 11 zero-day vulnerabilities in VxWorks, a real-time operating system that powers more than 2 billion IoT devices...

 

As explained in the video and the full disclosure, the vulnerabilities referred to as URGENT/11 impacted IPnet, the VxWorks TCP/IP Stack, and essentially allow for remote takeover of any impacted device. While VxWorks is a popular operating system for mission-critical industrial, medical, and manufacturing devices, it is also found in certain networking equipment, like: routers, modems, VoIP phones and printers.

URGENT/11 impacts all versions of VxWorks since version 6.5, and resembles the likes of the vulnerability that was used to spread WannaCry across the world back in May 2017. Breaking down URGENT/11 further, there are:

  • 6 vulnerabilities classified as critical due to their enablement of Remote Code Execution (RCE), which basically allows for an attacker to gain control of the device from anywhere.
  • 5 vulnerabilities classified as denial of service, information leaks, or logical flaws— all of which still require no user interaction to carry out.

As of the time of the public disclosure, Armis was able to work with Wind River Sytems, the company behind VxWorks, to develop security patches and mitigate future threats. Manufacturers of affected devices were also promptly notified and directed to the Wind River Security Alert for details of any remediation efforts.

More information about URGENT/11 can be found in the Armis technical white paper and in the Wind River Systems disclosure response.

8 major vulnerabilities found in the Google Nest Cam IQ Indoor

bigstock-nest-labs-app-2018

On August 19, 2019, Cisco Talos security intelligence researchers Lilith Wyatt and Claudio Bozzato released their findings detailing the 8 vulnerabilities discovered in the Google Nest Cam IQ— a popular device for the smart home and one of Amazon's best selling Home Security & Surveillance cameras. The vulnerabilities found in the Google Nest Cam IQ can cause information leakage, denial of service, and RCE.

The Cisco Talos disclosure states that the 8 vulnerabilities affect the Weave protocol of the smart device:

"[Google Nest Cam IQ] primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan. Most of these vulnerabilities lie in the weave binary of the camera, however, there are some that also apply to the weave-tool binary. It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera."

In their testing, Cisco Talos confirmed the Google Nest Cam IQ version affected to be version 4620002. Included in the disclosure is an update for affected customers that advises affected customers to ensure their Google Nest device has a reliable internet connection in order to promptly receive security patches and software updates.


Past smart home cybersecurity news roundup editions:

  • June 2019— Covers the Linksys Smart WiFi router vulnerability and the Android pre-installed backdoor.
  • July 2019— Covers website drive-by attacks on home routers.

Like this blog?

Subscribe to our newsletter.