
All news with #iot security tag

74 articles · page 3 of 4

Critical Bluetooth Authentication Flaw in WHILL Wheelchairs

🔒 WHILL Inc. electric wheelchairs (Model C2 and Model F) are affected by a critical Bluetooth authentication vulnerability, CVE-2025-14346, that allows an attacker within wireless range to pair without credentials and issue movement and configuration commands. The flaw is rated CVSS 3.1 9.8 (CRITICAL) and is classified as CWE-306 Missing Authentication for Critical Function. WHILL deployed mitigations on 29 December 2025 that restrict unlock commands during motion, protect speed profiles, and obfuscate application JSON configuration files on Android and iOS.

Malware Installed Onboard: Italian Ferry IoT Compromise

🚢 A reported compromise affected an Italian ferry; investigators say the malware appears to have been installed physically on board rather than via a remote intrusion. Operators are assessing systems and safety impacts. Details remain limited while authorities investigate.

AWS IoT Device Management: Dynamic Payloads for Commands

🔧 AWS IoT Device Management commands now support dynamic payloads and parameter validation, allowing developers to create reusable command templates with placeholders that are populated at execution time. Parameter validation rules verify values before execution to reduce errors and enforce expected formats or ranges. This makes it easier to send similar commands with variable settings—such as different thermostat temperatures—while streamlining command management across device fleets.

Mass Compromise of IP Cameras in South Korea Reveals Risks

📷 South Korean authorities arrested four suspects after roughly 120,000 internet-connected IP cameras in homes and businesses were breached and sexually explicit footage was sold on an overseas adult site. Investigators indicate attackers likely exploited weak or default credentials and unpatched device software. Owners should replace factory passwords, use unique credentials and enable two-factor authentication; consider a reputable password manager such as Kaspersky Password Manager to generate and store strong, random passwords and one-time codes.

ThreatsDay Bulletin: Spyware, Mirai, Docker Leaks and More

🔔 This week's ThreatsDay Bulletin highlights a packed week of cross-cutting threats: a Mirai variant dubbed Broadside exploiting TBK DVRs (CVE-2024-3721), widespread exploitation of React2Shell (CVE-2025-55182), and the leak of a ValleyRAT builder that includes a signed kernel-mode rootkit. Law enforcement actions ranged from Europol's 193 arrests in a VaaS crackdown to multiple national detentions, while Apple and Google issued broad spyware alerts. Researchers flagged >10,000 Docker Hub images leaking secrets and 19 malicious VS Code extensions that used a PNG disguise to deliver trojans, underscoring persistent supply-chain and user-facing risks.

Korea Arrests Suspects Selling Footage from Hacked Cameras

🚨 The Korean National Police arrested four suspects accused of hacking over 120,000 IP cameras in homes and businesses and selling stolen intimate footage on an overseas illegal adult website. Authorities say the suspects uploaded large volumes of voyeuristic content, identified dozens of victims, and have already arrested some buyers. Police are working with foreign investigators to locate site operators, notify victims, and pursue takedown and remedial actions. Victims were urged to reset passwords, disable unneeded remote access, and apply firmware updates to prevent further compromise.

FCC Warns: Hackers Hijack Radio Gear to Air False Alerts

🔔 The FCC has warned that attackers have been hijacking US radio transmission equipment to broadcast false Emergency Alert System tones and obscene material, exploiting unsecured Barix network audio devices. Intruders reconfigured devices to pull attacker-controlled streams, causing stations in Texas and Virginia to air unauthorized Attention Signals layered with offensive language. The FCC urged broadcasters to apply vendor patches, change default credentials, isolate EAS and Barix devices behind firewalls or VPNs, monitor logs, and report incidents to manufacturers, the FCC Operations Center and IC3.

Researchers Expose Widespread Dashcam Botnet Risk to Privacy

🔒 Singaporean researchers demonstrated how inexpensive offline dashcams can be weaponized into a self-propagating surveillance network. They identified common weaknesses — default or hardcoded Wi-Fi credentials, exposed services (FTP/RTSP), MAC-spoofing and replay attacks — that allow attackers to download video, audio, timestamps and GPS metadata. The team showed mass compromise is feasible and offered mitigation steps for vendors and drivers.

ShadowV2 Mirai Botnet Tested During AWS Outage Activity

⚠️ Fortinet’s FortiGuard Labs identified a Mirai-based botnet called ShadowV2 that exploited known vulnerabilities in routers and other IoT devices from D-Link, TP-Link, DD-WRT and others during a major AWS outage; it appeared active only during the outage window, possibly as a test run. The malware is delivered via a downloader (binary.sh) that fetches payloads from 81[.]88[.]18[.]108 and uses XOR-encoded configuration and Mirai-style strings. ShadowV2 supports UDP, TCP and HTTP DDoS floods and receives commands from a C2 at 198[.]199[.]72[.]27. Fortinet published IoCs and emphasizes keeping firmware updated, noting many affected models are end-of-life and will not be patched.

ShadowV2 IoT Botnet Exploits Multiple Device Flaws

⚠️ FortiGuard Labs observed a Mirai-derived botnet named ShadowV2 actively exploiting multiple known IoT firmware vulnerabilities to deliver a downloader and ELF payloads that enable remote takeover and DDoS operations. The activity, detected during a late-October global AWS connectivity disruption, targeted a wide range of devices including D-Link, TP-Link, DD-WRT variants and DVR systems. ShadowV2 decodes an XOR-encoded configuration (key 0x22), contacts a hardcoded C2 (silverpath.shadowstresser.info / 81.88.18.108), and supports UDP, TCP and HTTP flood methods. Fortinet provides AV detections, IPS signatures for the exploited CVEs, and recommends firmware updates, network hardening, and continuous monitoring.

ASUS warns of critical auth bypass in AiCloud routers

⚠️ ASUS has released firmware updates to remediate nine vulnerabilities, including a critical authentication bypass (CVE-2025-59366) affecting routers with AiCloud enabled. The flaw is caused by an unintended Samba side effect and can be exploited by unauthenticated remote attackers chaining a path traversal and an OS command injection in low-complexity attacks. Users should apply the provided firmware (3.0.0.4_386, 3.0.0.4_388, 3.0.0.6_102) immediately or follow ASUS mitigation guidance for end-of-life models.

Superbox Android TV Boxes Found Relaying Malicious Traffic

⚠️ Superbox media streaming boxes sold through retailers like Best Buy and Walmart have been found running intrusive, unofficial apps that can enlist buyers' Internet connections into distributed residential proxy networks and botnets. Censys researchers observed devices phoning home to Tencent QQ and a proxy service called Grass IO, and installing tools such as tcpdump and netcat while performing DNS hijacking and ARP spoofing. The boxes require removing Google Play and installing a third-party app store, increasing the risk of unauthorized relays, advertising fraud, and account takeovers. Consumers are advised to avoid uncertified Android TV devices and follow FBI and EFF guidance on suspicious app marketplaces.

D-Link Warns of Remote Code Flaws in DIR-878 Routers

⚠️ D-Link has issued an advisory for remotely exploitable command-execution vulnerabilities in its end-of-life DIR-878 router. A researcher using the name Yangyifan (GitHub: yifan20020708) published technical details and proof-of-concept code demonstrating the issues. Four CVEs are listed—three allow unauthenticated remote command execution and one is a USB/physical-access overflow. D-Link recommends replacing EOL units and disabling WAN/remote management until devices are replaced.

iCam365 P201/QC021 Camera: Unauthenticated ONVIF/RTSP Access

🔒 CISA reports that iCam365 ROBOT PT Camera P201 and Night Vision Camera QC021 (versions 43.4.0.0 and prior) allow unauthenticated access to ONVIF and RTSP services. Successful exploitation could expose live video streams and camera configuration data. Two CVEs were assigned (CVE-2025-64770 and CVE-2025-62674), with CISA-calculated CVSS v4 base scores of 7.0 and CVSS v3.1 scores of 6.8. iCam365 did not respond to CISA; recommended mitigations include network isolation, firewalling, and use of secure remote access methods.

Shelly Pro 3EM Out-of-Bounds Read Causes Reboots and DoS

⚠️ A remote-accessible out-of-bounds read vulnerability (CVE-2025-12056) in Shelly Pro 3EM can be triggered by a specially crafted Modbus request to force the device to access illegal memory addresses and reboot. CISA assigns a CVSS v4 score of 8.3 and warns this may result in a denial-of-service condition. Shelly did not respond to coordination; users should contact the vendor, keep devices updated, minimize network exposure, and follow recommended ICS defensive practices.

AWS IoT Core Adds Location Resolution for Sidewalk Devices

📡 AWS IoT Core Device Location now resolves approximate positions for Amazon Sidewalk-enabled devices using inputs such as WiFi access points, GNSS, and Bluetooth Low Energy. The service converts those inputs into geo-coordinates and delivers them to AWS IoT rules or MQTT topics to support asset tracking and geo-fencing without GPS hardware. To get started, install Sidewalk SDK v1.19 or later, provision devices in AWS IoT Core for Amazon Sidewalk, and enable location during provisioning. This capability is available in the AWS US-East (N. Virginia) Region; the Amazon Sidewalk network is available only in the United States.

AWS IoT Greengrass v2.16 Adds Log Forwarding and TPM

🔒 AWS IoT Greengrass v2.16 adds a system log forwarder and a new nucleus lite (v2.3) with TPM 2.0 support. The system log forwarder uploads system logs to AWS CloudWatch to simplify debugging and centralize operational visibility for edge applications. The nucleus lite TPM integration provides a hardware-based root of trust for secure secrets storage and streamlined device authentication on resource-constrained devices. The update is available in all AWS Regions where Greengrass is offered.

Ubia Ubox: Insufficiently Protected Credentials Advisory

🔒 CISA warns that Ubia's Ubox firmware (v1.1.124) exposes API credentials, potentially allowing remote attackers to access backend services. Successful exploitation could permit viewing live camera feeds or modifying device settings. The issue is tracked as CVE-2025-12636 with a CVSS v4 base score of 7.1. Users should minimize network exposure, isolate devices behind firewalls, use secure remote-access methods such as VPNs, and contact Ubia support for guidance.

Cloudflare Removes Aisuru Botnet Domains from Rankings

🛡️ Cloudflare has begun redacting and hiding domains tied to the rapidly growing Aisuru botnet after those malicious hostnames repeatedly appeared atop its public domain rankings. The botnet, comprising hundreds of thousands of compromised IoT devices, recently shifted from querying 8.8.8.8 to 1.1.1.1, flooding Cloudflare’s resolver and skewing popularity metrics. Cloudflare says attackers are likely both manipulating rankings and mounting attacks on its DNS service, and the company is refining its ranking algorithm while removing known malicious entries.

ISO 15118-2 SLAC Vulnerability in EV Charging Protocol

🔒 ISO 15118-2-compliant EV charging implementations using the SLAC protocol are vulnerable to spoofed measurements that can enable man-in-the-middle attacks between vehicles and chargers, tracked as CVE-2025-12357 (CVSS v4 7.2). The issue is an improper restriction of communication channel (CWE-923) and may be exploitable wirelessly at close range via electromagnetic induction. ISO recommends using TLS (required in ISO 15118-20) with certificate chaining; CISA advises minimizing network exposure, isolating control networks, and using secure remote access methods.