Smart door locks, padlocks, thermostats, refrigerators, wheelchairs and even solar panel arrays were among the internet-of-things devices that fell to hackers during the IoT Village held at the DEF CON security conference in August.
A month after the conference ended, the results are in: 47 new vulnerabilities affecting 23 devices from 21 manufacturers were disclosed during the IoT security talks, workshops and onsite hacking contests.
The types of vulnerabilities found ranged from poor design decisions like the use of plaintext and hard-coded passwords to coding flaws like buffer overflows and command injection.
Door locks and padlocks from vendors like Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Lagute, Okidokeys, Danalock were found to be vulnerable to password sniffing and replay attacks, where a captured command can be replayed later to open the locks.
A wheelchair from an unknown vendor had a vulnerability that could be exploited to disable a safety feature and take control of the device. A thermostat from Trane used a weak plain text protocol potentially allowing attackers to cause excessive heating, furnace failures or frozen water pipes by manipulating thermostat functionality.
Apple has finally moved its iOS security update mechanism to HTTPS with today’s release of iOS 10.
Previously, updates were sent to devices over HTTP and attackers already present on a network could potentially intercept and manipulate updates.
“An issue existed in iOS updates, which did not properly secure user communications. This issue was addressed by using HTTPS for software updates,” Apple said in its advisory, adding that a man-in-the-middle attacker could block devices from receiving updates.
Microsoft patched 47 vulnerabilities as part of 14 security bulletins, seven critical, with its monthly Patch Tuesday updates today.
The company is warning users that if left unpatched, 10 of the issues can lead to remote execution.
The updates resolve issues in Microsoft Windows, Office, Office Service and Web Apps, Exchange, its Internet Explorer and Edge browsers and Adobe Flash Player.
Among the bugs fixed on Tuesday is a 10-year-old vulnerability, CVE-2016-0137, that existed in Detours, Microsoft Office’s hooking engine. The bug, disclosed over the summer and discussed in depth at Black Hat, affected a handful antivirus platforms that use code hooking. The vulnerability allowed hackers to bypass exploit mitigations present in Windows and those third party applications. Researchers at enSilo, who unearthed the bug, disclosed it to Microsoft nine months ago, prior to Black Hat. At the time the researchers warned that hundreds of thousands of users could be affected by the vulnerability.