Zebeth Media Solutions

Internet of Things

A bug in Abode’s home security system could let hackers remotely switch off cameras • ZebethMedia

A security vulnerability in Abode’s all-in-one home security system could allow malicious actors to remotely switch off customers’ security cameras. Abode’s Iota All-In-One Security Kit is a DIY home security system that includes a main security camera, motion sensors that can be attached to windows and doors, and a hub that can alert users of unwanted movement in their homes. It also integrates with third-party smart hubs like Google Home, Amazon Alexa and Apple HomeKit. Researchers at Cisco’s Talos cybersecurity unit this week disclosed several vulnerabilities in Abode’s security system, including a critical-rated authentication bypass flaw that could allow anyone to remotely trigger several sensitive device functions without needing a password by bypassing the authentication mechanism of the devices. The flaw, tracked as CVE-2022-27805 and given a vulnerability severity rating of 9.8 out of 10, sits in the UDP service — a communications protocol used to establish low-latency connections between applications on the internet — responsible for handling remote configuration changes. As explained by Matt Wiseman, a senior security researcher at Cisco Talos, a lack of authorization checks means an attacker can remotely execute commands through Abode’s mobile and web applications, such as rebooting the device, changing the admin password and completely disarming the security system. Wiseman told ZebethMedia that, in general, the affected device would be deployed in a local network and wouldn’t be directly accessible over the internet. “The more likely attack is from someone on the local network or if someone has access to the device through Abode’s network — for example, if they have the username and password for the mobile application.” “That being said, it could be deployed in a situation where it’s directly accessible over the internet or where someone specifically routes traffic to certain services,” added Wiseman. Talos on Thursday disclosed several other vulnerabilities in Abode’s security system. This includes several 10-rated vulnerabilities that could be exploited by sending a series of malicious payloads to execute arbitrary system commands with the highest privileges and a second authentication bypass flaw that could allow an attacker to access several sensitive functions on the device, including triggering a factory reset, simply by setting a particular HTTP header to a hard-coded value. Cisco initially disclosed the vulnerability to Abode in July and publicly disclosed the flaws this week after patches were made available. Users are advised to update their Iota All-In-One Security Kit to the latest version as soon as possible. In a statement given to ZebethMedia, Chris Carney, Abode’s founder and CEO said: “As a security-first company, we promptly worked to fix, address and patch their findings. This work has already been done, completed and pushed as an update to customers. Additionally, there have been zero reports from Abode customers related to these findings.” Carney confirmed Abode worked with Talos to resolve the security issues. News of flaws in Abode’s internet-connected home security system comes after the U.S. government this week shared more details about its plans to launch a cybersecurity labeling program for consumer Internet of Things devices to better protect Americans from “significant national security risks.” The initiative will launch next year for the “highest-risk” devices — including home security cameras.

US to launch ‘labeling’ rating program for internet-connected devices in 2023 • ZebethMedia

The Biden administration said it will launch a cybersecurity labeling program for consumer Internet of Things devices starting in 2023 in an effort to protect Americans from “significant national security risks.” It’s no secret that IoT devices generally have weak security postures. Weak default passwords have allowed botnet operators to hijack insecure routers to pummel victims with floods of internet traffic, knocking entire websites and networks offline. Other malicious hackers target IoT devices as a way to get a foot into a victim’s network, allowing them to launch attacks or plant malware from the inside. As American consumers continue to fill their homes with more of these potentially insecure devices, from routers and smart speakers to internet-connected door locks and security cameras, the U.S. government wants to help educate them about the security risks. Inspired by Energy Star, a labeling program operated by Environmental Protection Agency and the Department of Energy to promote energy efficiency, the White House is planning to roll out a similar IoT labeling program to the “highest-risk” devices starting next year, a senior Biden administration official said on Wednesday following a National Security Council meeting with consumer product associations and device manufacturers. Attendees at the meeting included White House cyber official Anne Neuberger, FCC chairwoman Jessica Rosenworcel, National Cyber Director Chris Inglis and Sen. Angus King, alongside leaders from Google, Amazon, Samsung, Sony and others. The initiative, described by White House officials as “Energy Star for cyber,” will help Americans to recognize whether devices meet a set of basic cybersecurity standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC). Though specifics of the program have not yet been confirmed, the administration said it will “keep things simple.” The labels, which will be “globally recognized” and debut on devices such as routers and home cameras, will take the form of a “barcode” that users can scan using their smartphone rather than a static paper label, the administration official said. The scanned barcode will link to information based on standards, such as software updating policies, data encryption and vulnerability remediation. The announcement comes after the White House last year ordered NIST and the FTC to explore two labeling pilot programs on cybersecurity capabilities for IoT devices. It also comes after the U.K. government last year introduced an IoT security bill in Parliament, requiring device manufacturers, importers, and distributors to meet certain cybersecurity standards.

Subscribe to Zebeth Media Solutions

You may contact us by filling in this form any time you need professional support or have any questions. You can also fill in the form to leave your comments or feedback.

We respect your privacy.
business and solar energy