5 min
Public Policy
Copyright Office Calls For New Cybersecurity Researcher Protections
On Jun. 22, the US Copyright Office released
[https://www.copyright.gov/policy/1201/section-1201-full-report.pdf] its
long-awaited study on Sec. 1201 of the Digital Millennium Copyright Act (DMCA),
and it has important implications for independent cybersecurity researchers.
Mostly the news is very positive. Rapid7 advocated extensively for researcher
protections to be built into this report, submitting two sets of detailed
comments—see here
[/2016/03/15/rapid7-bugcrowd-and-hackerone-file-pro-res
2 min
Public Policy
Legislation to Strengthen IoT Marketplace Transparency
Senator Ed Markey (D-MA) is poised to introduce legislation to develop a
voluntary cybersecurity standards program for the Internet of Things (IoT). The
legislation, called the Cyber Shield Act, would enable IoT products that comply
with the standards to display a label indicating a strong level of security to
consumers – like an Energy Star rating for IoT. Rapid7 supports this legislation
and believes greater transparency in the marketplace will enhance cybersecurity
and protect consumers.
The
4 min
Penetration Testing
IoT Security Testing Methodology
By
Deral Heiland - IoT Research Lead, Rapid7
Nathan Sevier - Senior Consultant, Rapid7
Chris Littlebury - Threat Assessment Manager, Rapid7
End-to-end ecosystem methodology
When examining IoT technology, the actionable testing focus and methodology is
often applied solely to the embedded device. This is short-sighted and
incomplete. An effective assessment methodology should consider the entire IoT
solution, or as we refer to it, the IoT Product Ecosystem. Every interactive
component that makes
4 min
Public Policy
Rapid7 urges NIST and NTIA to promote coordinated disclosure processes
Rapid7 has long been a champion of coordinated vulnerability disclosure and
handling processes as they play a critical role in both strengthening risk
management practices and protecting security researchers. We not only use
coordinated disclosure processes in our own vulnerability disclosure
[https://www.rapid7.com/security/disclosure/] and receiving activities, but also
advocate for broader adoption in industry and in government policies.
Building on this, we recently joined forces with other
6 min
Vulnerability Disclosure
R7-2016-28: Multiple Eview EV-07S GPS Tracker Vulnerabilities
Seven issues were identified in the Eview EV-07S GPS tracker, which can allow
an unauthenticated attacker to identify deployed devices, remotely reset
devices, learn GPS location data, and modify GPS data. Those issues are briefly
summarized in the table below.
These issues were discovered by Deral Heiland of Rapid7, Inc., and this advisory
was prepared in accordance with Rapid7's disclosure policy.
Vulnerability Description | R7 ID | CVE | Exploit Vector
Unauthenticated remote factory reset | R7-2016-28
6 min
IoT
12 Days of HaXmas: 2016 IoT Research Recap
Merry HaXmas to you! Each year we mark the 12 Days of HaXmas
[https://www.rapid7.com/blog/tag/haxmas/] with 12 blog posts on hacking-related
topics and roundups from the year. This year, we're highlighting some of the
“gifts” we want to give back to the community. And while these gifts may not
come wrapped with a bow, we hope you enjoy them.
As we close out the end of the year, I find it important to reflect on the IoT
vulnerability research conducted during 2016 and what we learned from it. Th
3 min
IoT
IoT Security vs Usability
Recently we have all found ourselves talking about the risk and impact of poorly
secured IoT technology and who is responsible. The fact is, there is enough blame
to go around for everyone, but let's not go there. Let us start focusing on
solutions that can help secure IoT technology.
Usability has been an issue that has plagued us since the beginning of time. As
an example, just going back to my youth and seeing my parents' VCR flashing 12:00
all the time. We laugh at that, because it showed us thei
4 min
IoT
On the Recent DSL Modem Vulnerabilities
by Tod Beardsley [https://twitter.com/todb] and Bob Rudis
[https://twitter.com/hrbrmstr]
What's Going On?
Early in November, a vulnerability was disclosed affecting Zyxel DSL modems,
which are rebranded and distributed to many DSL broadband customers across
Europe. Approximately 19 days later, this vulnerability was leveraged in
widespread attacks across the Internet, apparently connected with a new round of
Mirai botnet activity.
If you are a DSL broadband customer, you can check to see if yo
3 min
Project Sonar
The Internet of Gas Station Tank Gauges -- Final Take?
In early 2015, HD Moore published one of the first publicly accessible pieces of
research on Internet-connected gas station tank gauges, The Internet of Gas
Station Tank Gauges [/2015/01/22/the-internet-of-gas-station-tank-gauges].
Later that same year, I did a follow-up study that probed a little deeper in
The Internet of Gas Station Tank Gauges — Take #2
[/2015/11/18/the-internet-of-gas-station-tank-gauges-take-2]. As part of that
study, we were attempting to see if the exposure of these devic
2 min
IoT
Research Lead (IoT)
It has been an amazing journey serving as the Research Lead for the Internet of
Things (IoT) at Rapid7 for the past 10 months. I came into the role with more
than a decade of experience as a security penetration tester and nearly 15 years
of experience conducting security research across such areas as protocol-based
attacks, embedded device exploitation, and web vulnerabilities, so taking on the
role as Research Lead for IoT was the next obvious progression for me. Being
able to focus on IoT specif
2 min
IoT
[Free Tool] IoTSeeker: Find IoT Devices, Check for Default Passwords
So there's this Thing...
We need to talk about Things, you and I. Specifically those connected Things.
This isn't a weird breakup discussion regarding a relationship you didn't know
we had (I hear that's called stalking actually, and is an altogether different
type of problem). There may be Things on your network that are harbouring a
security issue, and that's not a good place to be either. We can help you track
them down (which does bear a slight resemblance to stalking, granted, but we're
se
4 min
IoT
Mirai FAQ: When IoT Attacks
Update: Following the attack on Dyn back in October, there is some speculation
over whether a similar Mirai-style attack could be leveraged to influence the
election. This feels like FUD to me; there doesn't seem to be a mechanism to
knock out one critical service to kick over enough state and county election
websites, Dyn-style, to make such an attack practical. It could potentially be
feasible if it turns out that a lot of city, county, and state websites are
sharing one unique upstream resour
4 min
Research
NCSAM: Independent Research and IoT
October is National Cyber Security Awareness Month and Rapid7 is taking this
time to celebrate security research. This year, NCSAM coincides with new legal
protections for security research under the DMCA and the 30th anniversary of the
CFAA - a problematic law that hinders beneficial security research. Throughout
the month, we will be sharing content that enhances understanding of what
independent security research is, how it benefits the digital ecosystem, and the
challenges that researchers f
8 min
Vulnerability Disclosure
R7-2016-10: Multiple OSRAM SYLVANIA Osram Lightify Vulnerabilities (CVE-2016-5051 through 5059)
Nine issues affecting the Home or Pro versions of Osram LIGHTIFY were
discovered, with the practical exploitation effects ranging from the accidental
disclosure of sensitive network configuration information, to persistent
cross-site scripting (XSS) on the web management console, to operational command
execution on the devices themselves without authentication. The issues are
designated in the table below. At the time of this disclosure's publication, the
vendor has indicated that all but the la
7 min
IoT
Getting a Handle on the [Internet of] Things in the Enterprise
This blog post was written by Bob Rudis, Chief Security Data Scientist and Deral
Heiland, Research Lead.
Organizations have been participating in the “Internet of Things” (IoT) for
years, long before marketers put this new three-letter acronym together. HVAC
monitoring/control, badge access, video surveillance systems and more all have
had IP connectivity for ages. Today, more systems, processes and (for lack of a
more precise word) gizmos are being connected to enterprise networks that fit
int