ONEKEY security experts regularly uncover massive vulnerabilities in critical IoT & OT technologies
Automated analysis and expert work significantly improve the security of IoT & OT devices
Duesseldorf, March 28, 2023 – Security vulnerabilities in software of connected products of all kinds, especially in the field of IoT and industrial controls, such as routers, production plants or smart manufacturing, occur time and again. Only by providing timely information and support in fixing vulnerabilities can manufacturers and users prevent such vulnerabilities from being exploited. Not fixing vulnerabilities would be grossly negligent – once a vulnerability becomes known, it is often immediately exploited on a massive scale by hackers. “We are seeing a race between the experts on the good side and the hackers on the bad side. With reports on security vulnerabilities, the security advisories, which ONEKEY’s security experts continuously create, we support cybersecurity managers in closing discovered security gaps immediately. This prevents hackers from exploiting the often critical vulnerabilities,” says Jan Wendenburg, CEO of ONEKEY. The company operates a product cybersecurity platform that enables automated testing and risk assessment of connected smart products in minutes – in line with the requirements of the future European security law, the Cyber Resilience Act.
ONEKEY as a responsible partner of the industry
For years, a team of experienced cybersecurity researchers at ONEKEY has been working to uncover serious vulnerabilities in networked smart devices. In doing so, the manufacturers of the respective products are involved in a trustworthy manner. Prior to each publication of the security advisories, the manufacturers are informed in detail and are given sufficient time and opportunity to fix the vulnerabilities before publication. For an investigation, ONEKEY’s team of experts first uses the ONEKEY product security platform, which is also available to customers. The results are then reviewed and verified in more depth by the security experts. This also benefits the ONEKEY platform, which then automatically finds similar or identical security vulnerabilities and can give concrete advice on how to fix them.
Live Hacking on April 20th in Frankfurt
One of ONEKEY’s security experts, Quentin Kaiser, will demonstrate the dangers of undetected vulnerabilities during a live hacking session at the CYBICS 2023 security conference in Frankfurt, Germany, on April 20. The event, titled “Compliance, Security and Best Practices: The Cyber Resilience Act,” is being held for the seventh time and is organized by isits AG International School of IT Security in collaboration with leading industry partners.
But even the tools used for security analysis are not immune to vulnerabilities – in this context, ONEKEY’s security experts were able to show that a critical path traversal vulnerability in ReFirm Labs (now Microsoft) binwalk could be exploited by manipulating firmware images, allowing the execution of arbitrary commands on the security analyst’s workstation.
Today, ONEKEY published its latest security advisory regarding serious vulnerabilities discovered in the web management interface of Phoenix Contact’s industrial routers. The vulnerabilities allow authenticated users to execute arbitrary commands with elevated privileges or access arbitrary files on the system.
“The numerous examples show that security vulnerabilities of this kind are not an exception and also affect devices in industrial use. Our goal is therefore to work closely with manufacturers and users to provide early warning and give security managers the chance to fix the vulnerabilities before they are exploited by hackers,” explains Jan Wendenburg, CEO of ONEKEY. The company’s own product security platform and its own team of white-hat hackers thus make a significant contribution to the security of IoT & OT networks worldwide.
About ONEKEY:
ONEKEY is a leading European specialist in product cybersecurity. The unique combination of an automated security & compliance software analysis platform and consulting services by cybersecurity experts provides fast, comprehensive analysis, and solutions in the area of IoT/OT product cybersecurity. Building upon automatically generated “Digital Twins” and “Software Bill of Materials (SBOM)” of devices, ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations, all without source code, device, or network access. Vulnerabilities for attacks and security risks are identified in the shortest possible time, and can thus be remediated in a targeted manner. The easy-to-integrate solution enables manufacturers, distributors, and users of IoT technology to quickly and continuously perform 24/7 security and compliance audits throughout the product lifecycle. Leading international companies in Asia, Europe, and America are already successfully benefiting from the ONEKEY platform and experts.
Further information: ONEKEY GmbH, Sara Fortmann, e-mail: sara.fortmann@onekey.com, Kaiserswerther Straße 45, 40477 Duesseldorf, Germany, web: www.onekey.com