Link

How hard is it to hack the average DVR? Sadly, not hard at all

Ars Technica:

Johannes B. Ullrich, a researcher and chief technology officer for the SANS Internet Storm Center, wanted to know just how vulnerable these devices are to remote takeover, so he connected an older DVR to a cable modem Internet connection. What he saw next—a barrage of telnet connection attempts so dizzying it crashed his device—was depressing.

“The sad part is, that I didn’t have to wait long,” he wrote in a blog post published Monday. “The IP address is hit by telnet attempts pretty much every minute. Instead of having to wait for a long time to see an attack, my problem was that the DVR was often overwhelmed by the attacks, and the telnet server stopped responding. I had to reboot it every few minutes.”

The Internet of Things should, at this point, mostly be renamed the Internet of Threats.

Link

Two critical bugs and more malicious apps make for a bad week for Android

Ars Technica:

It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google’s official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren’t eligible to receive the fixes. Even those that do qualify don’t receive them immediately (the September updates are currently not available as over-the-air downloads for either of the Nexus 5X devices in my household). That gives attackers crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.

The bag of hurt continues unabated.

Link

Vulnerabilities in Huawei Routers Discovered

While not exactly news that home and small enterprise routers tend to be insecure, the magnitude of the problems with Huawei’s devices was revealed at DefCon this year. Given the failure of the company’s engineers to recognize and navigate around longstanding security issues it seems particularly prudent for a public accounting of Huawei’s enterprise and ISP-focused routing products.