From substandard router security to ransomware attacks on your camera, it was an eye-opening week at DEFCON earlier this month. Here are the top product security takeaways.
Study Finds “Terrible” Security Measures in 18 Leading Vendors - including Asus, Belkin, D-Link, Linksys, TP-Link and More (SecurityLedger)
Study analyzed more than 6,000 firmware images reaching back 15 years and found that even the most updated firmware doesn’t protect against overflow attacks.
Researchers Find 35 vulnerabilities in Office Printers Manufactured by HP, Ricoh, Xerox, Lexmark, Kyocera and Brother (threatpost)
Of the vulnerabilities, 22 are overflow attacks which can lead to remote code execution and the complete takeover of an entire enterprise network. Office printers were once again a hot topic, and researchers presented how to steal data from an enterprise by sending a fax to its office printer.
Smile, You’re Being Hacked: How Hackers Could Implant Malware in a Canon DSLR Camera to Hold Users’ Pictures for Ransom (threatpost)
The first attack scenario included an attacker that takes over a PC and leapfrogs an infection into a camera via a USB connection. The second involves placing a rogue Wi-Fi access point in a public setting to leverage a remote attack against the targeted camera. Using the CVE-2019-5995 bug, the researcher was able to run a silent and malicious firmware update.
Hackers Can Turn a Tesla Model S into a Surveillance Device (SecuritySales)
Using free code available on GitHub, security researcher Truman Kain was able to turn the car’s built-in cameras into a surveillance system that identifies, tracks, and stores faces and license plates.
Two Security Flaws in Xilinix SoC Boards Secure Boots Jeopardize Automotive, Aviation, and Industrial Components (ZDnet)
Researchers say the Encrypt Only secure boot mode in Xilinix’s Zynq UltraScale+ brand, which includes SoC, multi-processor system-on-chip (MPSoC), and radio frequency system-on-chip(RFSoC), does not encrypt boot image metadata, leaving this data vulnerable to malicious modifications. Read the full paper here.
Hackers Could Use Remote Ignition App to Steal Tens of Thousands of Vehicles (Wired)
Software engineer Jmaxxz showcased the vulnerabilities that could allow a hacker to use the “MyCar” app to pinpoint and steal cars.
Malware Can be Remotely Installed in Headphones to Turn them Into Acoustic Weapons and Track Users (Wired)
A cybersecurity researcher developed malware which can allow an attacker to physically destroy devices and cause bodily harm to users.