Security vulnerabilities in software of connected products of all kinds, especially in the field of IoT and industrial controls, such as routers, production plants or smart manufacturing, occur time and again. Only by providing timely information and support in fixing vulnerabilities can manufacturers and users prevent such vulnerabilities from being exploited. Not fixing vulnerabilities would be grossly negligent – once a vulnerability becomes known, it is often immediately exploited on a massive scale by hackers. “We are seeing a race between the experts on the good side and the hackers on the bad side. With reports on security vulnerabilities, the security advisories, which ONEKEY’s security experts continuously create, we support cybersecurity managers in closing discovered security gaps immediately. This prevents hackers from exploiting the often critical vulnerabilities,” says Jan Wendenburg, CEO of ONEKEY. The company operates a product cybersecurity platform that enables automated testing and risk assessment of connected smart products in minutes – in line with the requirements of the future European security law, the Cyber Resilience Act.
ONEKEY as a responsible partner of the industry
For years, a team of experienced cybersecurity researchers at ONEKEY has been working to uncover serious vulnerabilities in networked smart devices. In doing so, the manufacturers of the respective products are involved in a trustworthy manner. Prior to each publication of the security advisories, the manufacturers are informed in detail and are given sufficient time and opportunity to fix the vulnerabilities before publication. For an investigation, ONEKEY’s team of experts first uses the ONEKEY product security platform. The results are then reviewed and verified in more depth by the security experts. This also benefits the ONEKEY platform, which then automatically finds similar or identical security vulnerabilities and can give concrete advice on how to fix them.
Live Hacking on April 20th in Frankfurt
One of ONEKEY’s security experts, Quentin Kaiser, will demonstrate the dangers of undetected vulnerabilities during a live hacking session at the CYBICS 2023 security conference in Frankfurt, Germany, on April 20th. The event, titled “Compliance, Security and Best Practices: The Cyber Resilience Act,” is being held for the seventh time and is organised by isits AG International School of IT Security in collaboration with leading industry partners.
Over 60 critical vulnerability reports published
Over the past few years, ONEKEY technology has helped to discover and publish more than 60 security vulnerabilities. In early January of this year, a zero-day vulnerability was discovered in industrial router systems from WAGO.
But even the tools used for security analysis are not immune to vulnerabilities – in this context, ONEKEY’s security experts were able to show that a critical path traversal vulnerability in ReFirm Labs (now Microsoft) binwalk could be exploited by manipulating firmware images, allowing the execution of arbitrary commands on the security analyst’s workstation.
In February, a vulnerability in the web management interface was discovered during firmware testing of NetModule routers in industrial developement. The vulnerability could have allowed privileged users to execute unwanted commands or access critical data.
Today, ONEKEY published its latest security advisory regarding serious vulnerabilities discovered in the web management interface of Phoenix Contact’s industrial routers. The vulnerabilities allow authenticated users to execute arbitrary commands with elevated privileges or access arbitrary files on the system.
“The numerous examples show that security vulnerabilities of this kind are not an exception and also affect devices in industrial use. Our goal is therefore to work closely with manufacturers and users to provide early warning and give security managers the chance to fix the vulnerabilities before they are exploited by hackers,” explains Wendenburg. The company’s own product security platform and its own team of white hackers thus make a significant contribution to the security of IoT & OT networks worldwide.