Spring is finally here, but so is a new software vulnerability with the same name. As HIPAA Journal reports, “Two remote code execution vulnerabilities have been identified in the Spring platform – a popular application framework that software developers use for rapidly building Java applications.” Alongside this discovery, it has also been disclosed that proof-of-concept exploits for these vulnerabilities have been identified in the public domain, with one confirmed as being “actively” exploited. While not considered as detrimental as Log4Shell, this issue, now known as Spring4Shell, is representative of a larger problem: bad actors and unauthorized users are increasingly capable of taking advantage of code and applications remotely. Therefore, as we welcome in spring cleaning season, it is essential for us to focus on our cybersecurity hygiene.
New Cybersecurity Threats Impact UPS Devices
Spring4Shell isn’t the only vulnerability posing risks to cybersecurity. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) recently issued a joint advisory concerning attacks against internet-connected uninterruptible power supply (UPS) devices, according to The Hacker News. Internet connectivity offers these devices a number of benefits, such as letting administrators monitor power and perform maintenance remotely when emergency power is needed. However, the growing reliance of UPS devices on internet of things (IoT) technology also means they are increasingly exposed to harmful activity.
Just weeks before CISA and the DoE released their warning, Armis researchers revealed that products made by Schneider Electric subsidiary APC were impacted by “critical vulnerabilities that can be exploited to remotely hack and damage devices,” as described in Security Week. The vulnerabilities, which Armis dubbed TLStorm, have the potential to affect nearly 80% of companies that utilize APC’s UPS devices, including data centers, hospitals and industrial facilities. Although updates with patches have been developed, one of the major worries is that attackers can “remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation,” based on information from the researchers.
Honda Bug Reflects Growing Concern Around Auto Vulnerabilities
So, what does this all have to do with cars? While remote access vulnerabilities spark cybersecurity concerns elsewhere, they are also making their way into the auto industry. As shared in a Threatpost article, a “bug was recently found in the communications between the remote keyless entry function on Honda and Acura cars.” Such an issue has the potential to allow hackers access to functions like locking and unlocking the car, and even engine control. A representative of Honda told the outlet that these actions are only possible within proximity to the vehicle and assured that, even if an attacker were to exploit the bug, a thief still wouldn’t be able to actually drive the car away.
However, even a fairly minor example like this is indicative of a burgeoning issue within the auto industry. As we’ve stated in previous posts, with the growing use of connected technology comes an expanded threat landscape. For example, a research team at Oxford University discovered that they could exploit flaws in the Combined Charging System to cut off charging for electric vehicles. As they shared with Threatpost, “The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously.”
Considering these evolving trends, it is critical that we continue to uplift cybersecurity as a priority in the automotive field. So, as you prepare to review your own practices, make sure to look through the resources and tools available at Dellfer.
- “Warnings Issued About Vulnerabilities in the Spring Application Building Platform and UPS Devices” – HIPAA Journal
- “CISA Warns of Ongoing Cyber Attacks Targeting Internet-Connected UPS Devices” – Ravie Lakshmanan, The Hacker News
- “Millions of APC Smart UPS Devices Can Be Remotely Hacked, Damaged” – Eduard Kovacs, Security Week
- “Automaker Cybersecurity Lagging Behind Tech Adoption, Experts Warn” – Becky Bracken, Threatpost