Today the DHS ICS-CERT published a control system security advisory for a product from Lynxspring. They also established a new web page and published two documents related to cybersecurity for Internet of Things (IoT) devices.
This advisory describes multiple vulnerabilities in the Lynxspring BAS Bridge application. The vulnerabilities were reported by Maxim Rupp. Lynxspring reports that the BAS Bridge has been discontinued and recommends that owners upgrade to the Onyxx Bridge product.
The reported vulnerabilities are:
• Permissions, privileges and access controls - CVE-2016-8357;
• Missing authentication for critical function - CVE-2016-8361;
• Insufficiently protected credentials - CVE-2016-8378; and
• Cross-site request forgery - CVE-2016-8369.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to change permissions and access controls and gain access to the system.
The new IoT web page provides links to two new IoT security publications:
• IOT Fact Sheet; and
The IoT security discussion is based upon six principles:
• Incorporate Security at the Design Phase;
• Advance Security Updates and Vulnerability Management;
• Build on Proven Security Practices;
• Prioritize Security Measures According to Potential Impact;
• Promote Transparency across the IoT; and
• Connect Carefully and Deliberately.
The Fact Sheet briefly describes these principles and the Strategy document fleshes out the discussion. Nothing really new in the discussion, but it is all brought together into a single document. The Strategy is written at a slightly more technical level than most recent ICS-CERT documents, directed more at CIOs and security managers than CEOs. It also provides a fairly diverse set of links in the Guidance and Additional Resources Appendix (I was especially pleased to see links to two documents from I Am The Cavalry: the Five Star Automotive Cyber Safety Framework and the Hippocratic Oath for Connected Medical Devices).
This discussion addresses the technical issues, but only briefly touches on the underlying problem of the wide diversity of IoT devices, vendors and users. Trying to get all of the parties to understand the state of the problem and the necessity of taking care of the problem cannot be overlooked in any discussion of IoT security. One area of that problem that receives very little attention in these documents is how to deal with the currently installed base (and devices already in the supply chain) of IoT devices that meet none of the principles discussed in the document.
To be fair to ICS-CERT, these problems are more political and sociological than technical. It would have been nice, however, for ICS-CERT to have at least identified these problems in these documents.