A new hacking campaign is underway that is targeting Chromecast adapters, Smart TVs, and Google Home in order to play a YouTube video promoting PewDiePie’s YouTube channel.
Since the battle to have the most subscribers began between the YouTube channels of PewDiePie and T-Series, a hacker who goes by the name TheHackerGiraffe has been performing creative attacks that promote PewDiePie’s channel. First they sent print jobs promoting PewDiePie to Internet-connected printers. Now they are targeting Internet-connected devices that support Chromecast and forcing them to play a YouTube video.
A vulnerability in the Guardzilla All-In-One Video Security System, an IoT-enabled home video surveillance system, lets all users view one another’s saved surveillance footage because of how Amazon S3 credentials are designed and implemented inside the camera’s firmware.
Security researchers found the bug (CVE-2018-5560) during an event held by 0DayAllDay and reported it to Rapid7 for coordinated disclosure. Rapid7 published the flaw 60 days after it first attempted to contact the vendor. Multiple coordination efforts received no response. The vulnerability is an instance of CWE-798: Use of Hard-coded Credentials, 0DayAllDay researchers report.
Read more about the unpatched IoT vulnerability on DarkReading.
Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, the BBC show Click has revealed. Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone.
Vulnerable tubs are designed to let their owners control them with an app. But third-party wi-fi databases mean hackers can home in on specific tubs by using their GPS location data. Balboa Water Group (BWG), which runs the affected system, said the problem would be fixed by the end of February. Pen Test Partners – the UK security company that carried out the research – warned that hot tubs were not the only household items at risk.
Read more about this new example of poor IoT security on BBC.
Schneider Electric is warning about a critical vulnerability in its EVLink Parking devices – a line of electric vehicle charging stations. The energy management and automation giant said the vulnerability is tied to a hard-coded credential bug that exists within the device that could enable attackers to gain access to the system.
Affected are EVLink Parking floor-standing units (v3.2.0-12_v1 and earlier). The vulnerability (CVE-2018-7800) is one of three for which Schneider issued fixes last week, all impacting the electric charging stations. The company also issued warnings and fixes for a code injection vulnerability (CVE-2018-7801) and an SQL injection bug (CVE-2018-7802).
Researchers playing with Twinkly IoT lights found security weaknesses that allowed them to display custom lighting effects and to remotely turn off their Christmas brilliance. They estimate that about 20,000 devices are reachable over the internet.
The LEDs in Twinkly lights can be controlled individually. Exploiting inherent security weaknesses related to authentication and the communication of commands, the researchers were able to use the curtain of lights to play Snake, the game made so popular by Nokia phones in the late 1990s.
Read more about the research, which provides a playful yet significant example of the problems with IoT security, on BleepingComputer.
A security researcher has discovered that nearly 19,500 Orange Livebox ADSL modems are leaking WiFi credentials. Troy Mursch, co-founder of Bad Packets LLC, says his company’s honeypots have detected at least one threat actor scanning heavily for Orange modems, starting on Friday, December 21.
The attacker is exploiting a vulnerability affecting Orange LiveBox devices (CVE-2018-20377) that was first described in 2012. The vulnerability allows a remote attacker to obtain the WiFi password and network ID (SSID) for the modem’s internal WiFi network just by accessing the modem’s get_getnetworkconf.cgi.
Read more about the Orange modems leaking credentials on ZDNet.
Given that creating proof-of-concept (PoC) cyberattacks for the Internet of Things (IoT) is essentially like shooting fish in a barrel these days, perhaps it’s not exactly surprising that a new niche category has proven to present a fresh attack surface: electric vehicle (EV) charging stations. The danger is physical in this case: Research demonstrates that a savvy attacker could hack into the station and prevent a car from charging – or, in a much worse scenario, could even start a fire.
EVs are ever-more available and popular – but a lack of freely available charging infrastructure continues to hamstring the market. To address this, home EV chargers have started to proliferate, which allows consumers to “refuel” their vehicle from their own garage.
Read more about how EV charging stations can be hacked on Threatpost.
A new report commissioned by the IoT Security Foundation (IoTSF) paints a scandalous picture of how many of the most popular consumer Internet of Things (IoT) brands are failing to protect their customers from being spied upon, having their data stolen or unwittingly helping criminal endeavors to spread malware or take down online services.
The report found that nine out of ten (90.3%) of the global consumer IoT brands researchers looked at simply do not allow security researchers to properly report the vulnerabilities that they find.
Read more about the shocking findings of the report on Forbes.
An IRC bot built using Perl is targeting Internet of Things (IoT) devices and Linux servers, but can also affect Windows systems and Android devices, Trend Micro warns. Dubbed Shellbot, the malware is being distributed by a threat group called Outlaw, which recently compromised FTP servers of a Japanese art institution and a Bangladeshi government site. The hackers linked compromised servers to a high availability cluster to host an IRC bouncer and control the botnet.
The campaign Trend Micro’s security researchers investigated leveraged previously brute-forced or compromised hosts for distribution purposes. The bot was observed targeting Ubuntu and Android devices.
Chalubo is a new botnet which is targeting poorly-secured Internet of Things (IoT) devices and servers for the purpose of distributed denial-of-service (DDoS) attacks. Researchers from cybersecurity firm Sophos said that the botnet is becoming “increasingly prolific” and is ramping up efforts to target Internet-facing SSH servers on Linux-based systems alongside IoT products.
The main Chalubo bot is not only adopting obfuscation techniques more commonly found in Windows-based malware but is also using code from Xor.DDoS and the infamous Mirai botnet.
Read more about the rise of the Chalubo botnet on ZDNet.