This afternoon the DHS ICS-CERT published an update for an advisory
from earlier this month for products from SMA Solar Tech and a new advisory
for a product from Harman-Kardon.
SMA Update
This update makes some important modifications to the Mitigation section of
the advisory. First, ICS-CERT changes its characterization of what SMA Solar
Tech told owners of this older system. Instead of suggesting that “It
recommends using port forwarding or a VPN to access these devices remotely”,
ICS-CERT is now reporting that “SMA expressly recommends deactivation
[emphasis added] of port-forwarding or use of a VPN to access these devices
remotely”.
Additionally, ICS-CERT has removed from the advisory its earlier
recommendation that “users should remove and replace this system”. In its
place is the standard set of protective measures that ICS-CERT has been
recommending for some time.
Since I do not have access to the SMA communications with its customers, I
cannot tell if these changes are due to changes made by SMA or whether it
was an initial misreading of those recommendations by ICS-CERT.
NOTE: This advisory is no longer on the main ICS-CERT web page, so the casual
reviewer would not know that an update had been published. ICS-CERT did
announce this update via Twitter. All control system owner/operators are
encouraged to follow @ICS-CERT.
Harman-Kardon Advisory
This advisory is a follow-up to the DefCon-related alert published in July.
It describes an unauthorized remote access vulnerability in the Harman-Kardon
Uconnect telematics infotainment system used in a number of FCA vehicles. The
vulnerability was reported by Chris Valasek [then] of IOActive and Dr. Charlie
Miller [then] of Twitter. FCA has distributed a firmware patch as part of the
vehicle recall process that mitigates this vulnerability, and the two
researchers have verified the efficacy of the fix.
ICS-CERT reports that the vulnerability is no longer remotely
exploitable due to changes made in the Sprint cellular network. Thus, ICS-CERT
reports that an exploit of this vulnerability is difficult because physical
access to the system is required.