A design flaw in the KeyWe smart lock (GKW-2000D), which is mostly used for remote-controlled entry to private residences, can be exploited by attackers to gain access to the dwellings, F-Secure researchers have found.
To add insult to injury, in this present incarnation the lock can’t receive firmware updates, meaning that the security hole can’t be easily plugged.
About KeyWe smart lock
KeyWe smart lock is developed by the Korean company KeyWe, which raised money for it on Kickstarter.
The lock can be opened via an application (Wi-Fi, Bluetooth), an armband (NFC), through a touchpad (numeric code), or mechanically (with a regular key).
It has additional options like generating one-time guest codes, unlocking the door based on proximity, etc.
About the vulnerability and the attack
F-Secure security consultants acquired the KeyWe Smart Lock by pledging on Kickstarter.
They analyzed its hardware and firmware, as well as the hardware and firmware of the accompanying KeyWe bridge (which is used to connect the lock to a wireless network) and the code of the associated Android app.
They discovered that, while the company did implement some security protections for the lock and app (not so much the bridge), a flaw in the in-house developed key exchange protocol can be exploited to, ultimately, get the secret key needed to unlock the lock.
“The hardware needed [to perform the attack] is a board able to sniff Bluetooth Low Energy traffic. It can be bought for ~10$ and used out-of-the-box,” Krzysztof Marciniak, cyber security consultant at F-Secure, told Help Net Security.
“In terms of software, this requires additional work from the attacker – in our case a Python script was developed, but pretty much any language can be used as long as it can interact with a Bluetooth controller. It should also be mentioned that the mobile application needs to be analyzed (one needs to retrieve the key generation algorithm) in order to execute this attack.”
The user doesn’t even have to lock/unlock the door with the application for the attacker to intercept the operator password – they just need to run/open the mobile application. Once the app is run, it connects to the lock to check its status, and the password can be intercepted.
The attacker (or just the intercepting device) must be within 10-15 meters of the victim for the traffic interception to work. The recorded traffic can later be analyzed to extract the key value needed to generate the lock-opening key.
More technical information about their research and discovery can be found here and here, but since the lock can’t receive firmware updates, the researchers decided not to share some crucial details.
Symptoms of a larger problem
The vendor has acknowledged the issue and is working on fixing it, the researchers noted, but since the lock has no firmware upgrade functionality, already deployed locks will remain vulnerable.
“The mobile application does use Bluetooth (Smart/Low Energy), so that option is not safe either. NFC could be used to counter this attack, but it is prone to other attacks (cloning the access key [armband], intercepting the traffic with proper equipment etc.),” Marciniak told us.
“The touchpad option, however, seems to be the right fallback here. That being said, the mobile application should still be paired with a mobile device – otherwise a malicious user can pair with it without any additional owner confirmation.”
Lock owners will need to replace the lock or live with the risk. The vendor told the researchers that new iterations of the app will contain a fix for this issue and, equally important, new locks will have the firmware upgrade functionality.
One cannot say that no attention has been given to security, the researchers noted, but rolling your own in-house cryptography is always a risky proposition, and so is doing no threat modeling before design and development.
“Security isn’t one size fits all. It needs to be tailored to account for the user, environment, threat model, and more. Doing this isn’t easy, but if IoT device vendors are going to ship products that can’t receive updates, it’s important to build these devices to be secure from the ground up,” Marciniak pointed out.
He recommends that consumers consider the security implications of internet connectivity before replacing their offline devices with online versions, and advises device vendors to perform security assessments on their products as part of their design process.
The 2020 Cybersecurity Salary Survey provides insight into the details related to cybersecurity compensation. Over 1,500 security professionals completed the survey. Today you can access the aggregated and analyzed 2020 Cybersecurity Salary Survey Results and gain insight to the main ranges and factors of current cybersecurity salaries.
Using the survey results, any individual can go to the section relevant for his or her role and learn how their salary benchmarks against the respective range and factors, and then utilize this knowledge in any decision making process.
- Geolocation matters. Security analysts in NAM get a significantly higher salary than their counterparts in the EMEA and APAC, with more than 80% earning between 71K and 110K, in contrast to less than 35% in EMEA and 21% in APAC.
- Degree doesn’t guarantee higher compensation. All analyzed positions feature a similar salary range distribution for employees both with and without a degree in computer science or a related engineering field.
- Banking and finance lead with payment range and distribution for both management and individual contribution positions.
- Quality beats experience. Surprisingly, across all analyzed positions researchers found both individuals with little experience at the top of the payment curve and seasoned veterans at its bottom.
- Pivoting pays. Individuals that pivoted from an IT position to a cybersecurity position earn more than their peers that started out in cybersecurity.
- Bonuses are common practice. With the exception of security analysts, all other positions include periodic bonuses with annual 1%-10% as the leading pattern.
- Women are hard to find. There is a significant shortage of women in security positions. The highest percentage is in the 20-29 age group, at 6% across all positions.
- Women in management. Within the five analyzed positions, the highest percentage of women were found in the security director/manager position at 10%.
Read the survey results, get to know how your salary rates, and gain insights of your own.
Do you believe you’re not interesting or important enough to be targeted by a cybercriminal? Do you think your personal data doesn’t hold any value? Bart R. McDonough proves why those beliefs are wrong in his book Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals.
McDonough, CEO and Founder of Agio, is a cybersecurity expert, speaker and author with more than 20 years of experience in the field, and this is his debut book.
Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals
He starts by debunking the most common cybersecurity myths, like the one mentioned above. Whether you like it or not, you are important, and your data is important. Also, everything has a price.
McDonough explains all the possible risks and threats you could encounter in a connected world, who are the bad actors, what their goals are and, most importantly, their attack methods.
The author presents five golden rules – or, as he calls them, “Brilliance in the Basics” habits – you should be complying with to maintain a good cybersecurity hygiene: update your devices, enable two-factor authentication, use a password manager, install and update antivirus software, and back up your data.
The second half of the book gives you detailed and specific recommendations on how to protect your:
- Social media
- Website access and passwords
- Mobile devices
- Home Wi-Fi
- IoT devices
- Information when traveling.
McDonough doesn’t use scare tactics that could possibly make you want to forego all technology and go live in the woods. On the contrary, he wants you to embrace it and understand that even if the online world poses so many threats, there’s a lot you can do to protect yourself.
Who is this book for?
You don’t need to be a cybersecurity professional to understand this book. Its language is simple and it offers many comprehensible everyday examples and detailed tips. It’s a book you should definitely have in your home library, also for future reference.
The author has a very clear message: don’t just sit back and hope bad actors will pass you over. Be proactive and take all the possible and necessary steps to secure your data and your devices.
The Cybersecurity and Infrastructure Security Agency (CISA) is teaming up with election officials and their private sector partners to develop and pilot an open source post-election auditing tool ahead of the 2020 elections.
The tool, known as Arlo, is being created by VotingWorks, a non-partisan, non-profit organization dedicated to building secure election technology.
Arlo is open source software provided free for state and local election officials and their private sector partners to use.
The tool supports numerous types of post-election audits across various types of voting systems including all major vendors.
Arlo provides an easy way to perform the calculations needed for the audit: determining how many ballots to audit, randomly selecting which ballots will be audited, comparing audited votes to tabulated votes, and knowing when the audit is complete.
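The four calculations listed above map onto a well-known procedure, the ballot-polling risk-limiting audit. The following is an added worked example, not Arlo’s code and not part of the CISA announcement: it assumes a two-candidate contest, a constructed reported tally, the BRAVO sequential test for ballot polling, and a chosen risk limit of 10%. It shows how a planning sample size is derived, how ballots are drawn reproducibly from a published seed, and how the running test statistic decides when the audit can stop.

```python
"""Ballot-polling risk-limiting audit (BRAVO-style) for a two-candidate contest.

Added illustrative example; it is not Arlo's or VotingWorks' code. Assumptions:
ballot polling (auditors pull individual paper ballots at random and record the
vote on each), the BRAVO sequential test, and a fixed risk limit.
"""
import math
import random

# Constructed sample tally: the reported winner has 60% of valid votes.
REPORTED = {"Alice": 600, "Bob": 400}
RISK_LIMIT = 0.10  # assumed risk limit: at most a 10% chance a wrong outcome survives


def reported_shares(tally):
    """Reported vote share per candidate."""
    total = sum(tally.values())
    return {c: v / total for c, v in tally.items()}


def initial_sample_size(tally, risk_limit):
    """Step 1: smallest sample that could finish the audit if every pulled
    ballot is for the reported winner. Auditors use this as a planning figure;
    the real sample escalates if the drawn ballots are less favourable."""
    s_w = max(reported_shares(tally).values())
    if s_w <= 0.5:
        raise ValueError("ballot polling needs a reported winner above 50%")
    # Each winner ballot multiplies the statistic by 2*s_w; stop at 1/risk_limit.
    return math.ceil(math.log(1 / risk_limit) / math.log(2 * s_w))


def select_ballots(seed, num_ballots, sample_size):
    """Step 2: deterministic random draw (with replacement) from a public seed,
    so any observer can reproduce exactly which ballot numbers were selected."""
    rng = random.Random(seed)
    return [rng.randrange(1, num_ballots + 1) for _ in range(sample_size)]


def bravo_statistic(tally, sampled_votes):
    """Step 3: compare audited votes to the reported tally with the BRAVO
    likelihood ratio. A ballot for the reported winner multiplies T by s_w/0.5,
    a ballot for the loser by (1-s_w)/0.5; blank or invalid ballots leave T as is."""
    shares = reported_shares(tally)
    winner = max(shares, key=shares.get)
    s_w = shares[winner]
    t = 1.0
    for vote in sampled_votes:
        if vote == winner:
            t *= s_w / 0.5
        elif vote in tally:
            t *= (1 - s_w) / 0.5
    return t


def audit_complete(tally, sampled_votes, risk_limit):
    """Step 4: the audit may stop once T reaches 1/risk_limit. If it never
    does, the sample keeps growing until a full hand count settles the contest."""
    return bravo_statistic(tally, sampled_votes) >= 1 / risk_limit


if __name__ == "__main__":
    n = initial_sample_size(REPORTED, RISK_LIMIT)
    draw = select_ballots("2019-11-public-dice-roll", sum(REPORTED.values()), n)
    print("planning sample size:", n)
    print("ballot numbers to pull:", draw)
    # Constructed audit board findings for the drawn ballots.
    findings = ["Alice"] * 20 + ["Bob"] * 5
    print("T =", round(bravo_statistic(REPORTED, findings), 3),
          "complete:", audit_complete(REPORTED, findings, RISK_LIMIT))
```

The statistic is the part an observer should be able to recompute by hand from the published tally, the seed and the audit board’s tally sheets; that is what “anyone can verify that it implements audits correctly” means in practice for open-source audit software.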
The first version of Arlo is already supporting pilot post-election audits across the country, including several from this month’s elections.
Some partners of this pilot program include election officials in Pennsylvania, Michigan, Missouri, Virginia, Ohio, and Georgia. Additional partners will be announced in the coming weeks.
Improving post-election auditing
CISA’s investment is designed to support election officials and their private sector partners who are working to improve post-election auditing in the 2020 election and beyond.
“Heading into 2020, we’re exploring all possible ways that we can support state and local election officials while also ensuring that Americans across the country can confidently cast their votes,” said CISA Director Christopher Krebs.
“At a time when we know foreign actors are attempting to interfere and cast doubt on our democratic processes, it’s incredibly important elections are secure, resilient, and transparent. For years, we have promoted the value of auditability in election security; it was a natural extension to support this open source auditing tool for use by election officials and vendors alike.”
“We’re very excited to partner with CISA to develop Arlo, a critical tool supporting the implementation of more efficient and effective post-election audits. Because Arlo is open-source, anyone can take it and use it and anyone can verify that it implements audits correctly,” said Ben Adida, Executive Director of VotingWorks.
Onapsis, the leading provider of business application protection, has revealed new threat research into a recently discovered vulnerability in Oracle E-Business Suite – Oracle PAYDAY.
The attack scenarios exploit two vulnerabilities with CVSS scores of 9.9 out of 10 in Oracle EBS, Oracle’s ERP software installed at up to 21,000 companies. Onapsis discovered and reported the vulnerabilities to Oracle, which issued patches earlier this year. Onapsis estimates that 50% of Oracle EBS customers have not deployed the patches. The fact that Oracle EBS runs mostly on Java means that the attack would be relatively simple to carry out by anyone with knowledge of Java and Oracle EBS.
The Onapsis threat research details two attack scenarios:
- Malicious manipulation of the wire transfer payment process through unauthenticated access (which would bypass segregation of duties and access controls), through which an attacker can change approved EFTs in the EBS system to reroute invoice payments to an attacker’s bank account, leaving no trace.
- Creating and printing approved bank checks through the Oracle EBS check printing process and disabling and erasing audit logs to cover up the activity.
The severity of this vulnerability is evident from the significance of ERP systems such as Oracle’s to global business function. Indeed, 77% of global revenue will pass through an ERP system at some point, of which Oracle’s several thousand EBS customers are just a proportion. In 2017, Oracle itself conducted a simulation in which it selected a realistic financial structure derived from a typical large enterprise, based on more than 25 years’ experience with ERP deployments. This simulation found that it was possible to create 1,000,000 payments per hour through 7,000,000 imported invoice lines. Successful PayDay exploits may therefore go unnoticed among so many transactions.
Commenting on this threat report, Mariano Nunez, CEO and Co-founder of Onapsis, said:
“This threat research demonstrates something which has historically been chronically underreported in IT and cyber security: That business-critical applications, specifically ERP systems, used by the world’s largest and most relied upon organisations are vulnerable to attackers stealing potentially billions. The advice we would provide to any users of Oracle EBS in the wake of this disclosure would be to utilise diagnostic tools and services to help them to highlight the most vulnerable areas of business operations, and to then deploy the appropriate patches and compensating controls.”
All companies using Oracle should ensure that they are running the latest patch to ensure complete protection against any vulnerability.