After hacking nuclear plants, Refrigerator, House Arrest Ankle Bracelet, Smartphones GPS Signals, Electronic Skateboards, Driverless Cars, Jeep, Computer Controlled Sniper Rifle and Jeep Cherokee etc, it is now time for hackers to exploit the remote hacking security flaw in gas detectors.
According to the ICS-CERT advisory, gas detector manufactured and sold by a US-based firm “Honeywell” are vulnerable to remote attacks from hackers. Once attacked, hackers can modify detector’s setting without any permission.
Versions affected by the vulnerability are Honeywell Midas version 1.13b1 and prior, and Honeywell Midas Black version 2.13b1 and prior, though the manufacturer has already worked on the fixes and have passed on to the consumers.
Earlier version of the detector more vulnerable
In the earlier versions, there are two vulnerabilities which affect the detectors and both are real critical as CVSS severity scores of both the detectors are 8.6 and 9.4 out of 10. Both can be exploited remotely.
First vulnerability can allow an attacker to bypass any authentication to log in to the device and also to make any modifications in the settings of the detectors.
The second one allows attackers to breach the login credentials of the user and also configure the gas detectors. The second vulnerability is basically improper encryption of authentication details so if attackers find a device within his range he can breach user’s login credentials.
Dangers posed by the security flaws:
These vulnerabilities can virtually take anyone’s life as vulnerability can allow hackers to raise the gas level to the level which can burn out the equipment and also the area in the surroundings.
That’s why the manufacturer has recommended user to use detectors in DMZ zones (demilitarized zone), firewall protections and only access the device via VPNs.
Furthermore, they should not connect to the network when not necessary and only keep the access to authorized personnel.
Note: Special thanks to the security researcher Maxim Rupp for conducting research on this security flaw.