Dahua, the world’s second-largest maker of “Internet of Things” devices like security cameras and digital video recorders (DVRs), has shipped a software update that closes a gaping security hole in a wide range of its IP-cameras and DVRs. The vulnerability allows anyone to bypass the login process for these devices and gain remote (and direct) control over vulnerable systems. Adding urgency to the situation, there is now code available online that allows anyone to exploit this bug and commandeer a large number of IoT devices.
Researchers following up on last November’s re-emergent Shamoon malware attacks have found something even nastier. A new, more dangerous malware called StoneDrill was detected by Kaspersky Labs while it was studying the Shamoon malware that initially hit the energy sector in the Middle East. It is data-destroying code that sits in a victim’s browser and wipes any physical or logical path accessible with the target user’s privileges.
In its latest enforcement action in the realm of the Internet of Things, the Federal Trade Commission filed suit against D-Link Corporation, a Taiwan-based computer networking equipment manufacturer, and its U.S. subsidiary, alleging that the defendants failed to employ adequate security measures for their wireless routers and surveillance cameras. Although D-Link promoted the security of its routers with claims like “EASY TO SECURE” and “ADVANCED NETWORK SECURITY,” the company neglected to take easy steps to avoid security flaws, the agency asserted in its California federal court complaint. According to the agency, D-Link tolerated hard-coded login credentials and “command injection” flaws, which allowed remote attackers to take control of routers by sending commands over the Internet.