Security Flaw in Honeywell Gas Detectors Can Virtually Kill People

After hacking nuclear plants, RefrigeratorHouse Arrest Ankle BraceletSmartphones GPS Signals, Electronic SkateboardsDriverless Cars, JeepComputer Controlled Sniper Rifle and Jeep Cherokee etc, it is now time for hackers to exploit the remote hacking security flaw in gas detectors.

According to the ICS-CERT advisory, gas detector manufactured and sold by a US-based firm “Honeywell” are vulnerable to remote attacks from hackers. Once attacked, hackers can modify detector’s setting without any permission.

Versions affected by the vulnerability are Honeywell Midas version 1.13b1 and prior, and Honeywell Midas Black version 2.13b1 and prior, though the manufacturer has already worked on the fixes and have passed on to the consumers.

Earlier version of the detector more vulnerable

Screen Shot 2015-12-09 at 1.02.59 AM
Honeywell Midas Gas detector | Image Source: Honeywellanalytics.com

In the earlier versions, there are two vulnerabilities which affect the detectors and both are real critical as CVSS severity scores of both the detectors are 8.6 and 9.4 out of 10. Both can be exploited remotely.

First vulnerability can allow an attacker to bypass any authentication to log in to the device and also to make any modifications in the settings of the detectors.

The second one allows attackers to breach the login credentials of the user and also configure the gas detectors. The second vulnerability is basically improper encryption of authentication details so if attackers find a device within his range he can breach user’s login credentials.

Dangers posed by the security flaws:

These vulnerabilities can virtually take anyone’s life as vulnerability can allow hackers to raise the gas level to the level which can burn out the equipment and also the area in the surroundings.

That’s why the manufacturer has recommended user to use detectors in DMZ zones (demilitarized zone), firewall protections and only access the device via VPNs.

 

Furthermore, they should not connect to the network when not necessary and only keep the access to authorized personnel.

Note: Special thanks to the security researcher Maxim Rupp for conducting research on this security flaw.

Featured Image ViaAlpha Coders
 

related items

Ryan De Souza

Ryan is a London-based member of the HackRead's Editorial team. A graduate of Maths and physics with a passion for geopolitics and human rights. Ryan places integrity at the pinnacle of successful journalism and believes this is somewhat lacking in traditional media. Ryan is an educator who balances his time between family, social activism and humanitarian causes and his vice is Football and cars.

more from hack read