China-based Spiral group is believed to be behind year-long attack, which exploited a flaw in SolarWinds Orion technology to drop a Web shell.

Members of an advanced persistent threat (APT) group, masquerading as teleworking employees with legitimate credentials, accessed a US organization’s network and planted a backdoor called Supernova on its SolarWinds Orion server for conducting reconnaissance, domain mapping, and data theft.

The attackers had access to the network for nearly one year, from March 2020 to February 2021, before they were discovered and blocked, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said Thursday in a report summarizing the findings of its investigation into the incident.

The report is the latest involving SolarWinds and its Orion network management server technology. However, the Supernova tool and the APT group behind it are separate from the group that used legitimate Orion software updates to distribute malware dubbed Sunburst to 18,000 organizations around the world. Last week the US government formally attributed that widely reported attack — described by many as one of the most sophisticated ever — to Russia’s Foreign Intelligence Service, SVR.

CISA’s malware analysis report, which includes indicators of compromise and mitigation recommendations, did not attribute the Supernova attack to any specific group or country. However, others such as Secureworks that have investigated similar intrusions lately have ascribed Supernova and its operators to Spiral, a threat group believed to be China-based. So far, only a small handful of organizations are known to have been infected with Supernova.

In its report, CISA describes the incident as likely beginning last March when the attackers connected to the unnamed US entity’s network via a Pulse Secure virtual private network (VPN) appliance. CISA’s investigation showed the attackers used three residential IP addresses to access the VPN appliance. They authenticated to it using valid user accounts, none of which were protected by multifactor authentication. CISA said it has not been able to determine how the attackers obtained the credentials. The VPN access allowed the attackers to masquerade as legitimate remote employees of the organization.

Once the attackers gained initial access to the victim network, they moved laterally on it to the SolarWinds Orion server and installed Supernova, a .Net Web shell, on it. As was the case with the handful of other breaches involving Supernova, the attackers appear to have exploited an authentication bypass flaw (CVE-2020-10148) in SolarWinds Orion’s API to execute a PowerShell script for running the Web shell.

“CISA believes the threat actor leveraged CVE-2020-10148 to bypass the authentication to the SolarWinds appliance and then used SolarWinds Orion API to run commands with the same privileges the SolarWinds appliance was running (in this case SYSTEM),” CISA explained.

Unlike the Sunburst backdoor associated with the Russia campaign, the attackers did not embed Supernova into the Orion technology. Instead, they installed the malware on servers running Orion by exploiting CVE-2020-10148. Once installed, the attackers used the Web shell to dump credentials from the SolarWinds server. Weeks later the adversary again connected via the VPN appliance and tried using the stolen credentials to access an additional workstation. On another occasion, the threat actor used Windows Management Instrumentation and other legitimate utilities to gather information about running processes and to collect, archive, and exfiltrate data.
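The CISA findings above (valid accounts, no multifactor authentication, three residential source addresses) translate into a simple hunt over VPN authentication logs. The Python below is an added example, not code from the CISA report or from Pulse Secure: the log format and its field names (`user`, `src`, `result`, `mfa`) are assumed, and the log lines are constructed with documentation-range IP addresses. It flags successful logins that completed without a second factor and accounts that authenticated from an unusual number of distinct source addresses.

```python
"""Hunt over constructed VPN authentication log lines (assumed key=value format)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log; not from the incident. Field names are assumptions.
SAMPLE_LOG = """\
2020-03-04T08:12:41Z user=jsmith src=203.0.113.17 result=success mfa=yes
2020-03-04T09:02:10Z user=bwhite src=198.51.100.23 result=success mfa=no
2020-03-06T22:47:03Z user=bwhite src=198.51.100.77 result=success mfa=no
2020-03-09T01:15:55Z user=bwhite src=192.0.2.140 result=success mfa=no
2020-03-09T07:30:00Z user=jsmith src=203.0.113.17 result=success mfa=yes
2020-03-10T03:11:12Z user=agreen src=192.0.2.9 result=failure mfa=no
"""


def parse_line(line: str) -> dict:
    """Split one line into a timestamp plus the key=value fields that follow it."""
    ts, *fields = line.split()
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for item in fields:
        key, _, value = item.partition("=")
        record[key] = value
    return record


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_no_mfa_logins(records: list) -> list:
    """Successful VPN logins that completed with no second factor."""
    return [r for r in records if r["result"] == "success" and r["mfa"] == "no"]


def find_multi_source_accounts(records: list, min_sources: int = 3) -> dict:
    """Accounts that logged in successfully from at least `min_sources` distinct addresses."""
    sources = defaultdict(set)
    for r in records:
        if r["result"] == "success":
            sources[r["user"]].add(r["src"])
    return {user: sorted(addrs) for user, addrs in sources.items() if len(addrs) >= min_sources}


def report(text: str) -> dict:
    """Combine both checks into one triage summary keyed by account."""
    records = parse_log(text)
    return {
        "no_mfa_users": sorted({r["user"] for r in find_no_mfa_logins(records)}),
        "multi_source": find_multi_source_accounts(records),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

Both checks are independent on purpose: an account that skips MFA is worth reviewing even from a single address, and an account that hops between several source networks is worth reviewing even when MFA is enforced. The thresholds are assumptions and should be tuned to the organization's own baseline.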

Consistent With Other Attacks
Don Smith, senior director with Secureworks’ counter threat unit, says the timing, tools, tactics, and procedures that CISA described this week are consistent with the company’s own findings from its investigation of two intrusions at a customer location.

The report corroborates “our assessment that the two intrusions we responded to at the same organization were both perpetrated by the same threat actor, [Spiral, aka Bronze Spiral],” Smith says.

Those TTPs included initial access through exploitation of vulnerable Internet-facing systems, he says. They also include “deployment of the Supernova Web shell, credential theft, ongoing access through VPN services using legitimate credentials, the deployment of other tools renamed to disguise their function, and the use of compromised infrastructure for command and control,” Smith says.

The Supernova campaign was highly targeted and appears to have affected only a very small number of organizations. However, it does serve as an example of how adversaries are constantly looking for vulnerabilities they can exploit for initial access. Once established on a network, such threats can be hard to eliminate, Smith notes.

“We should also remember that it does not take long for other, more opportunistic threats like ransomware operators to seize on exploits once they become public and look to use them for their own gain, at which point any organization is a potential target,” he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


The company plans to use Velociraptor’s technology and insights to build out its own incident response capabilities.

Security firm Rapid7 today confirmed its acquisition of Velociraptor, an open source technology and community focused on endpoint monitoring, digital forensics, and incident response.

Velociraptor was built to help digital forensics and incident response (DFIR) professionals collect endpoint incident data, search for malicious activity, and analyze evidence if an attack occurs.

The platform was developed a few years ago by infosec specialist Mike Cohen, who previously worked on Google Rapid Response and Rekall, a memory analysis and forensic framework, along with community contributors.

This community approach lets DFIR professionals using Velociraptor share insight in a single place where it can be accessible to more people. Custom detections and analysis capabilities can be written in queries, which can then be shared so members of the community can hunt for new threats.

Rapid7 plans to continue expanding the Velociraptor community. While there are no plans to make it a commercial product, the company plans to integrate Velociraptor technology into its Rapid7 Insight platform – it has already started by embedding Velociraptor’s endpoint data collection capabilities.

Read the full Rapid7 release and blog post for more information.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


One goal of the group is to take down the criminal ecosystem that enables ransomware, officials say.

The Justice Department is forming a task force of FBI agents, prosecutors, and national security representatives to stop the spread of ransomware attacks.

This group will increase training and dedicate more resources to the ever-growing problem of ransomware, according to the Wall Street Journal, which first reported on the task force. Some reports state as many as one in four cyberattacks today involve ransomware, which affects thousands of businesses each year.

Citing an internal memo, the report explains this task force wants to improve intelligence sharing across the department and work to identify “links between criminal actors and nation-states.”

The memo also notes that one of its goals is to develop a strategy that targets the entire criminal ecosystem around ransomware, including stopping ongoing attacks and disrupting certain services that enable ransomware, like Dark Web forums that advertise ransomware for sale.

The full Wall Street Journal report can be found here.



Threat actors like attacking VPNs because they provide a convenient entry point to enterprise networks.

Attacks on virtual private networks, like those this week targeting a trio of known vulnerabilities in Pulse Secure appliances, have intensified in recent months along with the increase in remote and hybrid work environments since the outbreak of COVID-19.

The trend requires organizations to patch VPN and other externally facing devices with the highest priority, says a new report from Digital Shadows.

The report, based on an analysis of vulnerability activity in the first quarter of 2021, highlights other threats as well, including increased targeting of remote code execution (RCE) vulnerabilities such as one affecting Oracle WebLogic (CVE-2020-14882) and widespread attacks targeting the ProxyLogon flaws in Microsoft Exchange Server.

“[VPNs] continue to be targeted by a plethora of threat groups, which will almost certainly continue for the remainder of 2021,” says Chris Morgan, senior cyber-threat intelligence analyst at Digital Shadows. “VPN devices, in addition to other remote access software, are often prioritized as a useful entry point that can provide threat groups with a stable foothold onto target networks.”

The threat intelligence firm’s analysis of vulnerability activity in the first quarter of this year shows cyber adversaries are actively targeting VPN vulnerabilities, more so than most other attack avenues, to break into enterprise networks. VPN accesses were among the top three access types listed for sale on cybercriminal forums last quarter, Digital Shadows says.

According to the firm, attackers targeted vulnerabilities in a range of VPN appliances, including one in the Fortinet FortiGate VPN (CVE-2018-13379) and an older, previously patched flaw in Pulse Connect Secure VPN (CVE-2019-11510). Both the Fortinet and Pulse VPN appliances were the subject of a joint advisory last week from the National Security Agency (NSA), FBI, and the Cybersecurity and Infrastructure Security Agency (CISA). The advisory warned US organizations that Russia’s Foreign Intelligence Service (SVR) — the actor behind the SolarWinds attack — is actively targeting the VPN flaws and flaws in three other products.

“Easily identifiable public-facing infrastructure will always garner significant attention from advanced actors,” Morgan says, pointing to the attacks that targeted Pulse Secure VPNs this week. The attacks — by multiple threat groups, including one believed to have links to the Chinese government — have affected several organizations within the US defense industrial base and other sectors. Researchers are currently tracking as many as 12 separate malware families targeting vulnerabilities in Pulse Secure VPNs. Patches have been available for some time for all three of the vulnerabilities in Pulse Secure VPNs that are being attacked.

Thousands of Attacks
Meanwhile, other significant threat activity that Digital Shadows observed last quarter included heavy targeting of RCE flaws and a barrage of attacks aimed at ProxyLogon, a set of four critical vulnerabilities in Exchange Server, which Microsoft disclosed in March.

“Tens of thousands of companies worldwide were impacted by exploiting and chaining of the four zero-day vulnerabilities,” Morgan says. “Our observation of this particular set of bugs includes a diverse set of threat groups, including both nation-state and cybercriminal actors.”

The sheer scope of the attack activity highlighted both the ease with which the now-patched vulnerabilities could be exploited and the multiple potential courses of action available to an attacker after successful exploitation, he says.

A major concern related to the attacks was the strategy by one hacking group to deploy malicious Web shells on compromised Exchange Server systems so they could maintain a persistent presence on them. Concerns over the Web shells on US systems were so high that a court authorized the FBI to remove the shells from systems on which they have been deployed, including those belonging to private companies.

“While active exploitation of the bugs will likely subside in the aftermath of companies updating their servers, there is a distinct possibility that advanced groups could have created other avenues of approach and entry points onto targeted networks,” Morgan warns. Last week, CISA updated its original guidance around the flaws, which suggests that Exchange Servers are still being compromised via these bugs even though a vast majority of vulnerable systems have been patched, he says.

Digital Shadows’ first-quarter threat analysis shows that RCE flaws were the most commonly exploited flaws, just as they were in the fourth quarter of 2020. Twenty-three percent of attacks involved RCE exploits in the first quarter. The most likely reason for attackers targeting this class of vulnerabilities, according to Digital Shadows, is that they enable a wide range of malicious activities.



China-linked attackers have used vulnerabilities in the Pulse Secure VPN appliance to attack US Defense Industrial Base networks.

Nation-state attackers are exploiting high-severity vulnerabilities in the Pulse Secure VPN to breach networks within the US defense sector and organizations around the world, researchers report.

IT software firm Ivanti, which acquired Pulse Secure late last year, today confirmed attackers have targeted a “limited number of customers” using Pulse Connect Secure (PCS) appliances. It has been working with Mandiant, the Cybersecurity and Infrastructure Security Agency (CISA), and others to respond to the exploits, which target three known vulnerabilities and a zero-day.

The three known flaws include CVE-2020-8243, CVE-2020-8260, and CVE-2019-11510, which CISA recently warned is among several CVEs under attack by the Russian Foreign Intelligence Service (SVR) in its efforts to target US and allied networks, including national security and government systems. All of these vulnerabilities were patched in 2019 and 2020, Ivanti says.

CVE-2021-22893, a new issue discovered this month, is an authentication bypass vulnerability that could allow an unauthenticated attacker to perform arbitrary file execution on the Pulse Connect Secure gateway. Ivanti has provided mitigations for the critical flaw and developed a tool for businesses to confirm if they are affected. A software update will be available in May.

The company did not confirm which group is behind the exploits; however, a Mandiant report also released this morning provides more details on the attacks targeting Pulse Secure CVEs and points to connections between this attack activity and a group with Chinese government ties.

Researchers are currently tracking 12 malware families associated with the exploitation of Pulse Secure VPNs, write Mandiant’s Dan Perez, Sarah Jones, Greg Wood, and Stephen Eckels in their report. While each of these families is related to bypassing authentication and gaining backdoor access to the VPNs, they aren’t necessarily related and have been seen in separate attacks.

It’s likely that multiple attack groups are exploiting these vulnerabilities; however, the focus of this research is on UNC2630 and its attacks against US Defense Industrial Base (DIB) networks.

Mandiant earlier this year had been investigating attacks against defense, government, and financial organizations around the world. Each of these attacks could be traced back to DHCP IP address ranges belonging to Pulse Secure VPNs, but in many cases researchers couldn’t define how attackers gained admin access. With Ivanti’s analysis, they learned some of these intrusions stemmed from the patched Pulse Secure flaws; others came from CVE-2021-22893.

UNC2630 was seen stealing credentials from various Pulse Secure login flows, which let them use legitimate account credentials to move into target environments. To remain persistent, the attackers used modified Pulse Secure binaries and scripts on the VPN.

Once they achieved persistence, attackers were able to conduct a range of activities. They Trojanized shared objects to log credentials and bypass authentication flows, including multifactor authentication requirements. They injected Web shells into legitimate Pulse Secure administrative Web pages accessible to the Internet, maintained persistence across VPN general upgrades performed by admins, and unpatched modified files and deleted utilities and scripts to evade detection, among other actions, the researchers explain in their findings.

“We are in the early stages of gathering evidence and making attribution assessments and there are a number of gaps in our understanding of UNC2630, UNC2717, and these 12 code families,” they write.

UNC2630’s infrastructure, tools, and behavior on the network were new to the Mandiant team, which hadn’t seen them in any other campaigns. But while these factors were unique to this group, analysts found “strong similarities” to other intrusions going back to 2014 and 2015, which were conducted by Chinese espionage group APT5. They also have limited evidence indicating UNC2630 may operate on behalf of the Chinese government.

While Mandiant can’t definitively link UNC2630 to APT5, it notes other researchers have tied this particular activity to other attacks that Mandiant has tracked as Chinese espionage activity. This third-party assessment is consistent with its understanding of APT5, an actor it says has shown interest in compromising networking devices and the software on which they run.

For organizations using Pulse Connect Secure, Mandiant advises assessing the impact of the Pulse Secure mitigations and applying them if possible. Ivanti recommends resetting passwords and reviewing configurations to make sure no service accounts can be used to authenticate to the vulnerability.

CISA has also issued an alert warning of the exploitation of these vulnerabilities.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …


Lessons learned from the Unified Coordination Groups will be used to inform future response efforts, a government official says.

The Biden administration has decided to stand down two emergency response groups recently established to drive a coordinated government response to the SolarWinds attack and exploits targeting critical Microsoft Exchange Server vulnerabilities.

Lessons learned from the two so-called Unified Coordination Groups (UCGs) will be used to help improve future government responses to major cyber incidents, said Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, on Monday.

“Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures,” Neuberger said in a statement.

The Trump White House established the first UCG in early January following news of the SolarWinds breach. The attack resulted in malware being distributed to some 18,000 organizations around the world including government agencies, private companies, and technology firms. The task force, composed of security teams from the FBI, the DHS’ Cybersecurity & Infrastructure Security Agency (CISA), and the ODNI, was set up to drive a coordinated investigation and response for the attack, which involved federal government networks.

The Biden administration established a similar UCG in March, this time in response to news about attacks targeting four newly disclosed zero-day vulnerabilities in the widely used Microsoft Exchange Server. Unlike the first task force, this one also encouraged participation from private sector organizations.

Neuberger pointed to several lessons learned from the two UCGs in announcing the decision to wind them down. For example, by involving industry players and multiple legal authorities, the earlier UCG was able to accurately scope the SolarWinds attack and determine that fewer than 100 organizations were actually targeted in secondary attacks, down from a worst-case scenario of 16,800 organizations. “This enabled focused victim engagement and improved understanding of what the perpetrators targeted from the larger set of exposed entities,” Neuberger said.

Similarly, active partnerships with private companies resulted in the expedited availability of a one-click tool from Microsoft for simplifying and accelerating patching and cleanup efforts at organizations affected in the Exchange Server attacks. “CISA created and utilized a methodology to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident,” Neuberger noted.

Many security experts have described the attack on SolarWinds as one of the worst in recent memory. The attack, which the US government last week formally attributed to Russia’s Foreign Intelligence Service (SVR), has drawn widespread attention for the sophisticated malware used and extensive operational security that the attackers maintained throughout their campaign.

More than 18,000 organizations received malware hidden in legitimate updates of SolarWinds’ Orion network management software. A handful of them, including fewer than 10 US federal agencies and companies such as FireEye and Mimecast, were later subjected to further exploits and data theft. FireEye had a collection of its red-team tools stolen, and Mimecast said some of its source code was taken in the attack.

In identifying SVR as the mastermind behind the SolarWinds campaign, the US Treasury Department also announced sanctions against multiple Russian IT security firms for helping the intelligence service in its campaign.

The more recent attacks on Microsoft Exchange Server also evoked substantial concern because of how widely used the technology is within US government and private networks. A cyber espionage group called Hafnium, which Microsoft says is a state-sponsored group operating out of China, was believed primarily responsible for many early attacks targeting the four bugs in Exchange Server. However, by March, multiple attackers were believed to be exploiting the flaws to carry out a range of malicious activities including stealing copies of Microsoft AD databases, dumping credentials, moving laterally and writing web shells that future attackers can exploit — the most troubling finding, researchers say.



Researchers share a list of passwords that Purple Fox attackers commonly brute force when targeting the SMB protocol.

Weak passwords used over the Windows Server Message Block (SMB) protocol are often part of attacks that result in the spread of Purple Fox malware, Specops researchers report.

Purple Fox, first detected in 2018, is a malware campaign that targets Windows machines. Until recently, its operators used phishing emails and various privilege escalation exploits to target Internet Explorer and Windows devices. However, in late 2020 and early 2021, a new infection vector began to infect Internet-facing Windows devices through SMB password brute force.

While Purple Fox’s functionality didn’t change post-exploitation, its distribution method caught the eye of Guardicore researchers. The team observing Purple Fox describes a “hodge-podge” of vulnerable and compromised machines hosting the initial payload, infected devices serving as nodes of worm campaigns, and server infrastructure believed to be related to other malware campaigns.

There are multiple ways Purple Fox can start spreading. In some attacks, the worm payload is executed after a target is compromised through an exposed service, such as SMB; these services are targeted with weak passwords and hashes. In other attacks, the worm is sent through a phishing email that exploits a browser vulnerability.

Researchers with Specops say they also created a global honeypot system to collect information on what these SMB attacks look like and the kind of passwords attackers are using. The team analyzed more than 250,000 attacks on the SMB protocol over a period of 30 days. In that time, “password” was seen used in attacks more than 640 times, they report.

“Password” was only the third most-common password used in these attacks. Most popular was “123,” followed by “Aa123456.” They also frequently tried “1qaz2wsx,” “abc123,” “password1,” “welcome,” “888888,” and “112233.”
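The list above is most useful to defenders as input to a password policy, since a password that brute-force tooling tries first should never survive on an account reachable over SMB. The Python below is an added example, not code from Specops or Guardicore: it blocks the listed passwords and also their obvious variants by normalizing candidates (case folding, undoing the `@`/`$` substitutions, and dropping a short trailing run of digits or symbols from an alphabetic core, so that `password1` or `Welcome2021!` are caught). The normalization rules and the 12-character minimum are assumptions, not anything the article or Specops specifies.

```python
"""Password policy check seeded with the passwords the article reports (added example)."""
import re

# Passwords the article reports as commonly tried against SMB; the ordering here is constructed.
PURPLE_FOX_TRIED = [
    "123", "Aa123456", "password", "1qaz2wsx", "abc123",
    "password1", "welcome", "888888", "112233",
]

# Assumed symbol substitutions to undo before comparing ("p@ssword" -> "password").
SYMBOL_MAP = str.maketrans({"@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Lower-case, undo the symbol substitutions, and strip up to six trailing
    digits/symbols when the remainder is an alphabetic core of 4+ letters (assumed rules)."""
    s = pw.lower().translate(SYMBOL_MAP)
    m = re.fullmatch(r"([a-z]{4,})[\d\W_]{0,6}", s)
    return m.group(1) if m else s


# Block both the literal values and their normalized cores.
BLOCKLIST = {p.lower() for p in PURPLE_FOX_TRIED} | {normalize(p) for p in PURPLE_FOX_TRIED}


def weakness_reasons(pw: str, min_len: int = 12) -> list:
    """Return every reason a candidate would be rejected; an empty list means it passes."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if pw.isdigit():
        reasons.append("digits only")
    if normalize(pw) in BLOCKLIST:
        reasons.append("matches or is a variant of a Purple Fox brute-force password")
    return reasons


def audit(candidates) -> dict:
    """Map each candidate to its list of rejection reasons."""
    return {c: weakness_reasons(c) for c in candidates}


if __name__ == "__main__":
    # Constructed candidates: two weak variants, one all-digit value, one long passphrase.
    for pw, reasons in audit(["Welcome2021!", "Aa123456", "888888", "correct horse battery staple"]).items():
        print(repr(pw), "->", reasons or "ok")
```

Because the check reasons about a normalized core rather than exact strings, a list of nine literals covers considerably more of what the honeypot saw; a real deployment would feed a full breached-password corpus through the same `normalize` function rather than this short seed.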

Read the full list here.



Endpoint security has changed. Can your security plan keep up?

The need to support a mostly remote workforce over the past year, and continued expectation of remote work for the foreseeable future, means endpoint security must be a priority for security teams.

So far, it is an uphill battle, according to the Dark Reading 2021 State of Endpoint Security survey. More than half (57%) of security professionals believe changes to the endpoint environment wrought by the coronavirus pandemic have significantly increased the risk of a major data breach.

The concept of “endpoint security” has evolved significantly for endpoint security managers. How is your enterprise approaching the endpoint security problem? In Battle for the Endpoint, another new Dark Reading report, experts offer advice and recommendations on how to build an endpoint security strategy that works across all devices an end user might employ.

In this report, we talk to practitioners including Tim Rohrbaugh, chief information security officer at JetBlue Airways. Security remained a high priority at JetBlue following the start of the pandemic, but securing newly homebound workers meant a rethink on endpoint security.

“Not only are the controls that you put in place [in the office] no longer protecting their systems — because the folks are remote — but now you may not be getting any type of intelligence or visibility into potential misuse,” Rohrbaugh says. The bottom line? “If you are not running an EDR and are not able to respond to incidents remotely, then, well, good luck.”

Download and read the full report here.



Fedir Hladyr pleaded guilty in 2019 to conspiracy to commit wire fraud and conspiracy to commit computer hacking.

A high-level manager of cybercrime group FIN7, also known as the Carbanak Group and the Navigator Group, has been sentenced to ten years in prison, the Department of Justice reports.

FIN7 has operated since at least 2015 and had more than 70 people organized into business units and teams. While its activity is global, in the United States FIN7 has breached corporate computer networks in all 50 states and the District of Columbia. Attackers have stolen more than 20 million payment card records from at least 6,500 point-of-sale terminals at more than 3,600 businesses.

Ukrainian national Fedir Hladyr was a systems administrator for FIN7. He was arrested in Dresden, Germany in 2018 at the request of US law enforcement. In 2019 he pleaded guilty to conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

To conduct its attacks, FIN7 wrote emails that appeared legitimate to an organization’s employees and followed up with phone calls to further legitimize its activity. When an email attachment was opened, FIN7 used a modified version of the Carbanak malware, in addition to other tools, to steal customers’ payment card data. Much of this data has been sold on the Dark Web.

As systems administrator for FIN7, Hladyr played a core role in aggregating stolen data, supervising other criminals in the group, and maintaining the network of servers that FIN7 used to target and control victims’ machines. He also handled FIN7’s encrypted communication channels, officials report.

At today’s sentencing hearing, Chief US District Judge Ricardo Martinez said cybercriminals must be deterred by long sentences, noting that would-be attackers “must understand that, once caught, the punishment will be significant.”

Read the full Justice Department release for more details.



A team of Internet of Things security researchers has discovered vulnerabilities in the way IoT device vendors manage access across multiple clouds and users, putting both individuals and vendors at risk.

IoT devices are increasingly managed through clouds operated by device vendors such as Philips Hue, LIFX, and Tuya, or by cloud providers such as Google and Amazon. These clouds mediate the users’ access to specific devices — for example, granting them permission to unlock a smart lock.

The researchers were especially interested in the emerging capability to delegate device access across multiple clouds and users. Some vendors let Google Home control devices under their clouds, so a person can manage multiple devices from different vendors via their Google Home. It’s a win for usability — normally, someone with devices from various vendors would install multiple apps to control them, which becomes a hassle as their IoT device collection grows.

“[The IoT] keeps evolving, and we keep observing new security issues, new security risks coming up, especially when a vendor tries to strike a balance between usability and security,” says Luyi Xing, assistant professor of computer science at Indiana University Bloomington and a member of the research team.

While being able to manage multiple devices from a single hub is convenient, access delegation across IoT clouds is distributed and unverified, researchers report. The problems emerge when one cloud unknowingly violates the security operations and assumptions of another cloud. When this happens, devices may not fully revoke access when someone instructs them to.

“Security always comes behind the functionality, so that’s why this is important,” adds Bin Yuan, post-doc at Huazhong University of Science and Technology and Indiana University Bloomington. “That’s why we did our research in this area, to better understand it and try to solve the security risks here.”

The problem lies in vendors’ protocols, Xing explains. Each vendor independently develops its own delegation protocol with implicit security assumptions, but the protocols from different vendors have to work together to establish the delegation chain between vendor and user.

“When these protocols work together, their security assumptions may conflict with each other, and one vendor may not fully understand the implications [or] the assumptions of another vendor’s operation in terms of security,” he says. One of the vulnerabilities they discovered let a user continue accessing a device after temporary permissions were removed. When someone attempted to revoke the permission, it turned out the user still had control over the device.

In the real world, this could happen with something as simple as a smart lock, Xing says. An Airbnb host may grant temporary access to a guest, but that guest could still have access to their home after the host thinks they’ve checked out.
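The smart-lock case above comes down to one question: which cloud is consulted when the guest's app presents its token after the host has removed the guest? The Python below is an added, hypothetical model written for this page; it is not the researchers' verification tool and not any vendor's real delegation protocol, and every class, method and message in it is an assumption. It contrasts a vendor cloud that only confirms it once issued the root grant (so a cached sub-delegation outlives its revocation) with one that re-validates every link of the delegation chain on each request, which is the property the researchers' revocation finding says was missing.

```python
"""Hypothetical model of cross-cloud IoT access delegation and revocation (added example)."""
from dataclasses import dataclass
from itertools import count
from typing import Optional

_next_id = count(1)


@dataclass
class Token:
    id: int
    subject: str
    device: str
    issuer: str                        # "vendor" for a root grant, "hub" for a sub-delegation
    parent: Optional["Token"] = None   # token that authorised this link of the chain


def _root(token: Token) -> Token:
    """Walk the delegation chain back to the vendor-issued root grant."""
    while token.parent is not None:
        token = token.parent
    return token


class VendorCloud:
    """The device vendor's cloud: the only authority on whether access is currently granted."""

    def __init__(self):
        self.live_roots = {}        # id -> root grants still in force
        self.live_delegations = {}  # id -> hub sub-delegations registered and not yet revoked
        self.ever_issued = set()    # ids of every root grant ever made

    def grant(self, user: str, device: str) -> Token:
        t = Token(next(_next_id), user, device, "vendor")
        self.live_roots[t.id] = t
        self.ever_issued.add(t.id)
        return t

    def register_delegation(self, token: Token) -> None:
        self.live_delegations[token.id] = token

    def revoke_delegation(self, token: Token) -> None:
        self.live_delegations.pop(token.id, None)

    def authorize_naive(self, token: Token) -> bool:
        """Flawed assumption: a chain ending in a grant this cloud once issued is still valid."""
        return _root(token).id in self.ever_issued

    def authorize_strict(self, token: Token) -> bool:
        """Re-validate every link on each request so a revoked delegation cannot be replayed."""
        root = _root(token)
        if root.id not in self.live_roots:
            return False
        link = token
        while link is not root:
            if link.id not in self.live_delegations or link.device != root.device:
                return False
            link = link.parent
        return True


class HubCloud:
    """A multi-vendor hub that sub-delegates a vendor grant to another user."""

    def __init__(self, vendor: VendorCloud):
        self.vendor = vendor
        self.cache = {}

    def delegate(self, parent: Token, guest: str) -> Token:
        t = Token(next(_next_id), guest, parent.device, "hub", parent)
        self.cache[(guest, parent.device)] = t
        self.vendor.register_delegation(t)
        return t

    def revoke(self, guest: str, device: str) -> None:
        t = self.cache.pop((guest, device))
        self.vendor.revoke_delegation(t)   # propagate the revocation to the device owner's cloud


def smart_lock_scenario(strict: bool):
    """Host links the lock to a hub, grants a guest, then removes the guest after checkout.
    Returns (access_during_stay, access_after_checkout)."""
    vendor = VendorCloud()
    hub = HubCloud(vendor)
    host_token = vendor.grant("host", "front-door-lock")
    guest_token = hub.delegate(host_token, "guest")   # the guest's app keeps a copy of this token
    check = vendor.authorize_strict if strict else vendor.authorize_naive
    during_stay = check(guest_token)
    hub.revoke("guest", "front-door-lock")
    after_checkout = check(guest_token)                # guest replays the copy it still holds
    return during_stay, after_checkout


if __name__ == "__main__":
    print("naive :", smart_lock_scenario(False))   # (True, True)  guest keeps access
    print("strict:", smart_lock_scenario(True))    # (True, False) revocation takes effect
```

The two `authorize_*` methods differ only in what they treat as the source of truth: the naive one trusts that a once-issued root grant implies the hub will police its own sub-delegations, while the strict one treats every link as something the vendor cloud must be able to see and revoke. A verification pass in the spirit of the one the researchers describe is the pair of assertions in `smart_lock_scenario`: access must hold before revocation and must be denied after it.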

An Industrywide Problem
This problem affects a broad range of IoT device vendors and clouds. Given this, the researchers sought to develop an approach to verify the protocols of different device manufacturers and determine whether a protocol might be vulnerable to an attack. They created a verification tool to model the operations and data flows of an IoT vendor and automatically discover flaws.

From there, they conducted a systematic study on cross-cloud IoT delegation, in which they investigated 10 mainstream IoT clouds, including Google Home, SmartThings, Philips Hue, LIFX, August, and others. They discovered five serious flaws that, if exploited, could give someone unauthorized access to IoT devices such as smart locks, switches, and safety sensors, they say.

“We can find the individual vulnerabilities for a specific protocol, for a specific vendor, but that doesn’t solve the problem,” Xing says of why they wanted to create a systematic approach. All of the flaws they discovered were reported to the respective vendors, which have deployed or scheduled fixes.

The researchers believe cross-vendor delegation is helpful to users; however, the protocols behind it must be designed with more caution. Protocols they saw in the wild had not undergone rigorous security analysis or verification, Xing says. The team hopes that protocols will eventually become more transparent, so vendors know one another’s security assumptions.

Xing and Yuan will join their fellow researchers, Yan Jia, research associate at Nankai University, and Dongfang Zhao, PhD student at Indiana University Bloomington, to present their research findings in a Black Hat Asia briefing: “How I Can Unlock Your Smart Door: Security Pitfalls in Cross-Vendor IoT Access Control,” on May 7.