Infrastructure, Industrial IoT
Staff Writer | September 07, 2023
Tuya Smart, a leading IoT service provider, and Amazon Web Services have collaborated to establish an IoT Collaborative Security Lab. Announced at the re:Inforce China conference, the lab aims to enhance security, compliance capabilities, and technological innovation in the IoT industry, focusing on Matter PKI, DevSecOps, privacy computing, and international data compliance. Tuya has prioritized security and compliance in IoT, actively engaging in IoT security initiatives and standards development.
Joy Liu, Chief Information Security Officer at Tuya Smart, said:
"Since the first day of its establishment, Tuya has regarded security and compliance as the core of our strategy and has always persisted in long-term construction and investment in security."
[Source: Tuya Smart]
Tuya Smart and AWS have been cooperating for nearly ten years, added Joy Liu. This has resulted in a deep integration of their cloud security products and a strengthening commitment to IoT security. In product design, Tuya systematically breaks down security requirements into actionable steps, ensuring security measures are integrated throughout the development process. This includes continuous monitoring, Zero Trust Provisioning over-the-air enhancements, user-focused privacy solutions, and vulnerability mitigation to enhance product security and dependability.
The Tuya IoT Development Platform has registered over 846,000 developers from over 200 countries and regions as of 30 June 2023.
In the ‘2022 Global IoT Security White Paper’ published jointly by the ioXt Alliance (Internet of Secure Things Alliance) and the Research Center for Cyber Governance (RCGCG) in 2022, Tuya Smart was recognized as one of the businesses with the most effective security practices. As IoT application scenarios and device counts grow, security concerns have become increasingly complicated. The 'Collaborative Security Lab,' a joint venture between AWS and Tuya Smart, strengthens cooperation and exploration between both parties in the IoT domain. This collaborative effort aims to provide industry-wide solutions.
About Tuya Smart
Tuya Smart is a technology company at the forefront of IoT connectivity solutions. Its cloud platform facilitates seamless device interconnectivity, setting interoperability standards for smart devices across industries. The company empowers partners and customers to enhance product value and consumer convenience. Its expanding Software as a Service (SaaS) offerings prioritize data security. Tuya’s transparent and open information security strategy increases partner and expert participation, thereby consolidating industry standards.
Cisco | September 14, 2023
Cisco disclosed eight vulnerabilities in the OAS platform’s engine configuration management functionality.
Three of the eight detected vulnerabilities were rated as high-severity.
The issues detected in OAS Platform v18.00.0072 were addressed, and v19 was released.
Cisco's Talos security researchers have identified eight vulnerabilities in the Open Automation Software (OAS) Platform that can be exploited to bypass authentication, disclose sensitive information, and overwrite files. The OAS Platform is commonly used to facilitate communication and data transfer between servers, industrial control systems (ICS), IoT devices, and other hardware in industrial and enterprise settings.
The OAS Platform is widely deployed in industrial operations, enterprise environments, and cross-platform integrations. It plays a crucial role in communication and data exchange across various devices and systems, as well as in logging and notifications. The vulnerabilities pose a significant security risk, especially in environments where the OAS Platform is used for critical industrial and enterprise operations. Unauthorized access and data breaches can lead to operational disruptions and potentially compromise sensitive information.
Among the eight vulnerabilities, three are rated as high-severity. Cisco's Talos security researchers were responsible for discovering and disclosing these vulnerabilities. The most critical issues are CVE-2023-31242 and CVE-2023-34998, both of which are authentication bypass flaws. CVE-2023-31242 can be triggered through a sequence of requests, while CVE-2023-34998 can be exploited by sniffing network traffic. The identified vulnerabilities in the OAS Platform mainly revolve around authentication bypass, information disclosure, and file manipulation. Attackers could leverage these weaknesses to create new users, gain unauthorized access, decrypt sensitive information, and perform arbitrary file and directory actions.
These vulnerabilities essentially allow attackers to gain unauthorized access to the system by loading and saving configurations to a disk and installing them on other devices. The issues were identified in OAS Platform version 18 and have been addressed in the subsequent release, version 19.00.0000, highlighting the importance of keeping software up to date to mitigate security risks.
These issues stem from the fact that when the OAS engine is deployed, by default, no admin user is defined and no authentication is required to access functionality such as new user creation. Even if an admin user is created, the configuration must be stored prior to restarting the engine, or it will revert to its default state. An attacker can create a new user, save the changes, and thus gain access to the underlying system.
Also, the vulnerability enables an attacker to acquire a protobuf containing valid admin credentials and construct their own requests. The perpetrator could then again obtain access to the underlying system by utilizing the user creation and saving functionality. Cisco warns that these authentication bypass flaws could be combined with CVE-2023-34317, an improper input validation flaw in the user creation functionality, to gain access to the underlying system by adding ‘a user with the username field containing an SSH key.’
CVE-2023-34353 is another high-severity authentication bypass that allows an attacker to perform network snooping to acquire the protobuf containing admin credentials and then decrypt sensitive information. While two of the remaining vulnerabilities could result in information disclosure, the other two could be exploited to create or overwrite arbitrary files and create arbitrary directories.
Gorilla Technology Group | September 15, 2023
Gorilla Technology Group, a global provider of AI-based edge video analytics, IoT technologies, and security convergence, has entered into a partnership with Protactics, a Colombian-based enterprise specializing in integral solutions and technology for state-of-the-art security and defense equipment in Latin America.
Juan Arango, the COO of Protactics, expressed confidence in the partnership with Gorilla, stating that Protactics and Gorilla together are well-positioned to redefine security, defense, and smart cities across Latin America. This partnership highlights their unwavering commitment to pioneering solutions, harnessing the full potential of AI and Cybersecurity in the region, and ushering in an era of enhanced safety and technological advancement.
The collaboration aims to leverage Gorilla's innovative smart and safe city solutions to expand Protactics' presence in Latin America, focusing on the broader Latin American market. This partnership will accelerate the adoption of AI and cybersecurity solutions in Latin America, enhancing safety and security in the rapidly evolving technological landscape of the region.
Established in July 2023, the partnership grants Protactics the rights to offer sales and support for Gorilla's AI-based Video Analytics and Security Convergence solutions in select Latin American markets, including Mexico, Colombia and Venezuela. Additionally, Protactics will acquire Gorilla's solutions to conduct customer demonstrations and training for its team of experts.
Vice President at EMEA, Gorilla Technology, William Addison, stated:
"The partnership is a resounding win for both Protactics and Gorilla. We believe this collaboration will expedite the adoption of AI & Cybersecurity solutions in Latin America. With our shared values of providing superior technology to enhance safety and security, we are excited to drive innovation and create a lasting relationship with Protactics to positively impact Latin America's rapidly evolving technological landscape."
Chairman and CEO of Gorilla Technology, Jay Chandan, remarked that their collaboration with Protactics strengthens their determination to expand Gorilla further as part of their global expansion strategy. This partnership extends their reach into markets with significant potential as they embark on digitalization and the implementation of smart and secure city solutions. He added that they are confident in the cooperation of their new partner and that together they will deliver outstanding deployments throughout Latin America, creating sustainable solutions and enhancing community protection and economic growth.
About Gorilla Technology Group
Gorilla Technology Group is a global solutions provider specializing in security intelligence, network intelligence, business intelligence, and IoT technology. Gorilla offers a diverse range of solutions, including smart city, network, video, security convergence, and IoT services across various sectors. Through relentless technological advancements, ethical practices, and an unwavering dedication to quality, the company aspires to shape a future where every interaction, transaction, and experience is elevated through technology.
Protactics, based in Bogota, Colombia, specializes in providing unique security and defense equipment. Its product range encompasses cybersecurity solutions, smart law enforcement tools, non-invasive inspection systems, end-to-end encrypted storage and data management, contraband detection technologies, and biometric fever screening devices. Protactics plays a pivotal role in enabling government agencies to elevate their security and defense capabilities.