Many zero-day vulnerabilities that IoT suppliers heard about at the Pwn2Own competition are preventable
Pwn2Own is a well-known hacking competition, held annually as part of a security conference. Since the first event in 2007, this “white-hat” showdown has challenged participants to uncover and exploit previously unknown vulnerabilities in popular software and devices, in a range of categories, including web browsers, virtualization software, and automotive systems. Winners are rewarded with the device they succeed in exploiting, and a cash prize. The event plays an important role in identifying security flaws, prompting vendors to enhance security measures and contributing to the overall improvement of cybersecurity practices.
Next on the calendar, the second Pwn2Own Automotive competition will be held January 22-24 at the Automotive World conference in Tokyo, Japan. During the first such competition, 49 unique zero-day vulnerabilities were discovered.
Zero-day Vulnerabilities
Zero-day vulnerabilities in software (or hardware) are flaws for which no patches or fixes are currently available. If such a vulnerability were to be made public and exploited by a malicious actor, serious damage could be done.
At the recent competition (October 2024), numerous such vulnerabilities in a range of IoT products were uncovered, and multiple attempts were made to exploit them. The event highlighted the exposure of these devices to a variety of attack vectors, underscoring the importance of security updates and best practices for protecting sensitive data.
The competition invited hackers to show their capabilities using one or more vectors in a range of products:
- Network Attached Storage (NAS) devices, such as those from QNAP, Synology, and TrueNAS
- Surveillance cameras (Lorex, Ubiquiti)
- Printers (Canon, HP, Lexmark)
- Smart Speakers (Sonos Era 300)
- Mobile Phones (Samsung Galaxy)
- Home Automation Hubs (Aeotec)
- SOHO SMASHUP, i.e., a chain of exploits used to compromise multiple devices in a simulated small-office environment (routers and NAS devices from QNAP, printers from Lexmark, and NAS devices from TrueNAS). The vulnerabilities exploited involved command injection, SQL injection, authentication bypass, improper certificate validation, and hardcoded cryptographic keys.
For example:
- An integer overflow weakness was used to exploit a Lexmark printer.
- Two vulnerabilities were exploited in TrueNAS X.
- TrueNAS Mini X was also compromised with a two-bug exploit chain.
- A chain of six vulnerabilities was employed to move from the QNAP QHora-322 to the Lexmark CX331adwe.
Findings
The types of vulnerabilities found over the four days of the event can be divided into several main groups:
- Memory safety: Memory Corruption, Heap-Based Buffer Overflow, Stack-Based Buffer Overflow, Out-of-Bounds Write, Untrusted Pointer Dereference, Use-After-Free (UAF), Type Confusion
- Authentication and cryptography: Authentication Bypass, Missing Authentication, Hardcoded Cryptographic Key, Improper Verification of Cryptographic Signature, Improper Certificate Validation, Unprotected Primary Channel
- File system access: Path Traversal
- Injection: SQL Injection, Command Injection, Argument Injection, Improper Neutralization of Argument Delimiters, CRLF Injection
Key observations are summarized on the NasCompares site:
- Prevalence of Web Application Vulnerabilities
- Memory Corruption Issues: Stack-based buffer overflow in particular was successfully used in numerous exploits throughout the competition. Note that at an earlier Pwn2Own competition, in March of this year, Synacktiv used a single integer overflow flaw to exploit a Tesla ECU with Vehicle (VEH) CAN BUS Control.
- Importance of Secure Configuration and Authentication
- Insights from SOHO SMASHUPs, highlighting the need for comprehensive security assessments that consider the interconnectedness of devices within a network.
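The two memory-safety bug classes singled out above, a stack-based buffer overflow and an integer overflow in length arithmetic, come down to a missing bound check and an unchecked multiplication. The following C is an added example written for this article, not code from the competition entries or from Karamba; it places each vulnerable pattern beside a hardened form. Function names, buffer sizes and the record-count limit are constructed for illustration.

```c
/* Added example (not from the article or Karamba): the stack-based buffer
 * overflow and integer-overflow patterns named in the findings, each beside
 * a hardened form. All names and sizes are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32

/* Vulnerable: copies caller-controlled text into a fixed-size stack buffer
 * with no bound. Input of 32 bytes or more runs past `name` and overwrites
 * the saved frame and return address. Kept only for contrast; never call
 * it with untrusted input. */
void set_device_name_unsafe(const char *input)
{
    char name[NAME_MAX_LEN];
    strcpy(name, input);                 /* no length check */
    printf("device name: %s\n", name);
}

/* Hardened: measure the input without reading past the destination size,
 * reject anything that would not fit together with its terminator, and
 * always NUL-terminate. Returns 0 on success, -1 if the input is rejected. */
int set_device_name(char *name, size_t name_sz, const char *input)
{
    size_t n = 0;
    while (n < name_sz && input[n] != '\0')
        n++;
    if (n >= name_sz)
        return -1;
    memcpy(name, input, n);
    name[n] = '\0';
    return 0;
}

/* Vulnerable length arithmetic: count * elem_size is computed in 32 bits and
 * wraps, so an absurd count passes the limit check. Code that then allocates
 * `total` bytes and copies `count` records overflows the heap.
 * Returns 1 when the (wrong) check passes. */
int records_fit_unsafe(uint32_t count, uint32_t elem_size, uint32_t limit)
{
    uint32_t total = count * elem_size;  /* 0x80000001 * 2 wraps to 2 */
    return total <= limit;
}

/* Hardened: prove the multiplication cannot wrap before trusting its result.
 * Returns 0 and stores the byte total, or -1 if the request is rejected. */
int records_fit(uint32_t count, uint32_t elem_size, uint32_t limit,
                uint32_t *total_out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;                       /* product would exceed 32 bits */
    uint32_t total = count * elem_size;
    if (total > limit)
        return -1;
    *total_out = total;
    return 0;
}

int main(void)
{
    char name[8];
    uint32_t total;
    printf("short name: %d\n", set_device_name(name, sizeof name, "printer"));
    printf("long name:  %d\n", set_device_name(name, sizeof name, "printer-01"));
    printf("wrapped:    %d\n", records_fit_unsafe(0x80000001u, 2, 1024));
    printf("checked:    %d\n", records_fit(0x80000001u, 2, 1024, &total));
    return 0;
}
```

The hardened variants fail closed: an oversized name or a wrapping record count is rejected before any copy or allocation happens, which is the point at which a firmware build-time tool or a code review would want to see the check.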
Overall, the event reinforces the need for users to maintain a proactive security posture:
- ensure their devices are updated with the latest security patches/updates
- follow best practices to mitigate the indicated risks.
Preventive Measures: Automated Device Hardening
The risk of memory corruption attacks, including buffer overflow exploits, can be avoided and mitigated before deployment, long before an attack vector is discovered in a running system. Karamba Security has developed products that can be used by manufacturers and suppliers, during and after development, to prevent or mitigate such attacks as well as “dropper” attacks.
Karamba’s flagship cyber protection solution is XGuard, a firmware protection and reporting layer. The XGuard deterministic protection approach is integrated on two levels:
- Control-flow integrity (CFI): At the program-flow level, where forward (call) validation and backward (return) validation are carried out
- Allow-listing: At the file level, where only a defined set of processes can be launched. This can further be limited such that each of the legal processes can only be run by a narrow set of parent processes.
This layer of device hardening eliminates the need for frequent policy updates, and it proactively blocks any attempts – such as those carried out at the Pwn2Own competition – to run foreign code or tamper with sensitive files. Continuous device protection and operational integrity are thus ensured.
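To make the three checks concrete, here is a small user-space model written for this article; it is an added example, not XGuard's implementation or any Karamba code, and it only shows what each check decides. Forward-edge CFI is modelled as a per-call-site set of permitted targets, backward-edge CFI as a shadow stack compared against a deliberately overwritable "program stack" array, and allow-listing as a child-plus-parent launch table. The process names and handler functions are constructed for the example.

```c
/* Added example (not Karamba's code): a user-space simulation of the
 * deterministic checks described above. A real product applies them to the
 * firmware binary; this model only shows the decision each check makes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_t)(int);

static int handle_status(int x) { return x + 1; }
static int handle_reset(int x)  { (void)x; return 0; }
/* Present in the binary but never a legitimate indirect-call target. */
static int maintenance_shell(int x) { return -x; }

/* Forward-edge CFI: the addresses this call site may reach, fixed at build
 * time. A corrupted function pointer that lands anywhere else is refused. */
static const handler_t allowed_targets[] = { handle_status, handle_reset };

/* Returns 1 and stores the handler's result if the target is legal, 0 if
 * the call was refused (a hardened device would also log or reset here). */
int cfi_indirect_call(handler_t target, int arg, int *result)
{
    for (size_t i = 0; i < sizeof allowed_targets / sizeof allowed_targets[0]; i++) {
        if (allowed_targets[i] == target) {
            *result = target(arg);
            return 1;
        }
    }
    return 0;
}

/* Backward-edge CFI: each return address is recorded on a shadow stack at
 * call time and compared at return time. `program_stack` stands in for the
 * real stack that a buffer overflow can overwrite; `shadow_stack` is the
 * copy the attacker cannot reach. */
#define DEPTH 16
static uintptr_t program_stack[DEPTH];
static uintptr_t shadow_stack[DEPTH];
static int sp = 0;

void sim_call(uintptr_t return_addr)
{
    if (sp >= DEPTH)
        return;                           /* model is full; ignore */
    program_stack[sp] = return_addr;
    shadow_stack[sp]  = return_addr;
    sp++;
}

/* Returns 1 if the saved return address still matches its shadow copy,
 * 0 if it was tampered with or the stacks are out of step. */
int sim_return(void)
{
    if (sp <= 0)
        return 0;
    sp--;
    return program_stack[sp] == shadow_stack[sp];
}

/* Allow-listing: which binaries may run, and which parent may launch each.
 * The names are constructed for the example. */
struct launch_rule { const char *child; const char *parent; };
static const struct launch_rule launch_rules[] = {
    { "print_spooler", "init"   },
    { "web_ui",        "init"   },
    { "fw_update",     "web_ui" },
};

/* Returns 1 only when both the child binary and its parent are listed. */
int launch_allowed(const char *parent, const char *child)
{
    for (size_t i = 0; i < sizeof launch_rules / sizeof launch_rules[0]; i++)
        if (strcmp(launch_rules[i].child, child) == 0 &&
            strcmp(launch_rules[i].parent, parent) == 0)
            return 1;
    return 0;   /* unknown binary, or a known one from the wrong parent */
}

int main(void)
{
    int r;
    printf("legal call:   %d\n", cfi_indirect_call(handle_status, 41, &r));
    printf("illegal call: %d\n", cfi_indirect_call(maintenance_shell, 1, &r));
    sim_call(0x1000);
    program_stack[0] = 0xbad;             /* what an overflow would do */
    printf("corrupt ret:  %d\n", sim_return());
    printf("shell spawn:  %d\n", launch_allowed("web_ui", "sh"));
    return 0;
}
```

Because every decision is a comparison against data fixed when the firmware was built, none of the three checks needs to know what the exploit looks like; a return address that no longer matches its shadow copy, a call to a function that no call site is permitted to reach, or a process started by a parent not on its list is refused regardless of which bug put it there.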
Karamba’s XGuard Suite solutions are currently in use in millions of connected vehicles and IoT devices (such as printers, solar panels, and medical devices).
In addition, a binary analysis tool, VCode, is used to scan IoT software binaries, including those from third-party suppliers, to identify vulnerabilities and configuration issues and to generate reports such as Software Bills of Materials (SBOMs).
Read more on our website, and download related white papers, on how the XGuard Suite and VCode strengthen product security postures.