Embedded Security Timeline September 2024


Original post date: November 8, 2024

Last updated: November 8, 2024

This is my subjective choice of security events from September 2024 that might interest embedded developers.

Recommended usage method: scan the list and find out which events interest you. Investigate them! Store the whole timeline for future reference.

For transparency, I mark with (*) events I have been involved with and events by organizations I’m involved with. I am also a guest author at LWN but I have not written any of the articles linked this month.

September 4th: A vulnerability in YubiKey FIDO keys allows an attacker with advanced equipment and physical access to the device to clone the keys. Fixed firmware is available, but it turns out that YubiKey does not allow firmware updates on deployed keys. See the Bleeping Computer coverage: https://www.bleepingcomputer.com/news/security/new-eucleak-attack-lets-threat-actors-clone-yubikey-fido-keys/

September 7th to 10th: New side-channel attacks have been presented by the same team. One uses acoustic signals to leak secrets through LCD screen noise; the other generates electromagnetic radiation from the device's RAM. Bleeping Computer coverage: https://www.bleepingcomputer.com/news/security/new-rambo-attack-steals-data-using-ram-in-air-gapped-computers/ and https://www.bleepingcomputer.com/news/security/new-pixhell-acoustic-attack-leaks-secrets-from-lcd-screen-noise/

September 15th: Linux kernel 6.11 has been released. It includes support for running under AMD's SEV-SNP secure encrypted virtual machines on x86, updates to BPF and Rust support (including the possibility of writing block drivers), a new AES-GCM cipher implementation for x86-64, support for STACKLEAK on RISC-V, the "dedicated bucket slub allocator" that helps prevent heap-based attacks, and acceleration of random number generation via getrandom() in the vDSO.

September 15th to 20th: A week of conferences in Vienna, with Open Source Summit and Linux Plumbers. Multiple embedded and security talks.

September 18th: Pager explosions in Lebanon kill at least 12. From the available analysis, it looks like a long-term supply chain attack, possibly with a change in the embedded device itself. The situation also shows the complexity of electronics supply chains. News coverage: https://www.nytimes.com/2024/09/18/world/middleeast/hezbollah-israel-pager-lebanon.html and https://www.nytimes.com/2024/09/18/world/asia/taiwan-pagers-lebanon.html

September 18th: A report on the dismantling of a botnet of 250k+ network devices such as routers and IP cameras. Bleeping Computer coverage: https://www.bleepingcomputer.com/news/security/flax-typhoon-hackers-infect-260-000-routers-ip-cameras-with-botnet-malware/

September 19th: Cryptographers publish a paper on the security of the Linux random number generator after the changes in 5.17, concluding that it is satisfactory: https://eprint.iacr.org/2024/1421.pdf

September 20th: The last part of the real-time patchset "PREEMPT_RT" has been merged into the Linux kernel. This should decrease fragmentation and the amount of out-of-tree code in embedded devices, which is an indirect gain in security.

September 23rd: The US Department of Commerce proposes to ban automotive software and hardware from China and Russia. See DarkReading coverage: https://www.darkreading.com/cyberattacks-data-breaches/us-ban-automotive-software-hardware-china-russia

September 25th: Bleeping Computer reports on a warning from CISA (the American cybersecurity agency) about basic attacks on civil infrastructure such as water treatment plants or industry. The attack types they mention include use of default passwords, brute force and more. Bleeping Computer article: https://www.bleepingcomputer.com/news/security/cisa-hackers-target-industrial-systems-using-unsophisticated-methods/

September 26th: A series of CUPS (Linux printing system) vulnerabilities is released after communication issues between the researcher and developers. CUPS might be installed in some embedded systems, and a workaround is to block access to CUPS with a firewall. Researcher's view: https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/ and OSS-security discussion: https://www.openwall.com/lists/oss-security/2024/09/26/5. My explanation of the issue: https://www.linkedin.com/posts/mrybczynska_the-cups-disclosure-activity-7245318173762154496-9EZg. The vulnerability could be used by attackers to perform a cheap denial-of-service attack, as reported by Dark Reading: https://www.darkreading.com/vulnerabilities-threats/unix-printing-vulnerabilities-easy-ddos-attacks

If you have an additional event to add, message me.


News: The “Embedded Security” sessions of December (Americas-friendly) and January (Europe-friendly) have open slots available. The practical, hands-on course is designed to allow embedded developers to include security best practices in their day-to-day work from day one. No need to be a security expert. Reserve your spot now at https://ygreky.com/2024/09/embedded-security/