
      Thousands of LG TVs exposed to the world. Here’s how to ensure yours isn’t one.

      news.movim.eu / ArsTechnica · Tuesday, 9 April - 19:12


    As many as 91,000 LG TVs face the risk of being commandeered unless they receive a just-released security update patching four critical vulnerabilities discovered late last year.

    The vulnerabilities are found in four LG TV models that collectively comprise slightly more than 88,000 units around the world, according to results returned by the Shodan search engine for Internet-connected devices. The vast majority of those units are located in South Korea, followed by Hong Kong, the US, Sweden, and Finland. The models are:

    • LG43UM7000PLA running webOS 4.9.7 - 5.30.40
    • OLED55CXPUA running webOS 5.5.0 - 04.50.51
    • OLED48C1PUB running webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50
    • OLED55A23LA running webOS 7.3.1-43 (mullet-mebin) - 03.33.85

    Starting Wednesday, updates are available through these devices’ settings menu.


      The Insecurity of Video Doorbells

      news.movim.eu / Schneier · Monday, 4 March - 22:09

    Consumer Reports has analyzed a bunch of popular Internet-connected video doorbells. Their security is terrible.

    First, these doorbells expose your home IP address and WiFi network name to the internet without encryption, potentially opening your home network to online criminals.

    […]

    Anyone who can physically access one of the doorbells can take over the device—no tools or fancy hacking skills needed.


      Linux devices are under attack by a never-before-seen worm

      news.movim.eu / ArsTechnica · Wednesday, 10 January - 16:12 · 1 minute


    For the past year, previously unknown self-replicating malware has been compromising Linux devices around the world and installing cryptomining malware that takes unusual steps to conceal its inner workings, researchers said.

    The worm is a customized version of Mirai, the botnet malware that infects Linux-based servers, routers, Web cameras, and other so-called Internet-of-things devices. Mirai came to light in 2016 when it was used to deliver record-setting distributed denial-of-service attacks that paralyzed key parts of the Internet that year. The creators soon released the underlying source code, a move that allowed a wide array of crime groups from around the world to incorporate Mirai into their own attack campaigns. Once taking hold of a Linux device, Mirai uses it as a platform to infect other vulnerable devices, a design that makes it a worm, meaning it self-replicates.

    Dime-a-dozen malware with a twist

    Traditionally, Mirai and its many variants have spread when one infected device scans the Internet looking for other devices that accept Telnet connections. The infected devices then attempt to crack the Telnet password by guessing default and commonly used credential pairs. When successful, the newly infected devices target additional devices, using the same technique. Mirai has primarily been used to wage DDoSes. Given the large amounts of bandwidth available to many such devices, the floods of junk traffic are often huge, giving the botnet as a whole tremendous power.


      Thousands of routers and cameras vulnerable to new 0-day attacks by hostile botnet

      news.movim.eu / ArsTechnica · Wednesday, 22 November - 19:35 · 1 minute


    Miscreants are actively exploiting two new zero-day vulnerabilities to wrangle routers and video recorders into a hostile botnet used in distributed denial-of-service attacks, researchers from networking firm Akamai said Thursday.

    Both of the vulnerabilities, which were previously unknown to their manufacturers and to the security research community at large, allow for the remote execution of malicious code when the affected devices use default administrative credentials, according to an Akamai post. Unknown attackers have been exploiting the zero-days to compromise the devices so they can be infected with Mirai, a potent piece of open source software that makes routers, cameras, and other types of Internet of Things devices part of a botnet that’s capable of waging DDoSes of previously unimaginable sizes.

    Akamai researchers said one of the zero-days under attack resides in one or more models of network video recorders. The other zero-day resides in an “outlet-based wireless LAN router built for hotels and residential applications.” The router is sold by a Japan-based manufacturer, which “produces multiple switches and routers.” The router feature being exploited is “a very common one,” and the researchers can’t rule out the possibility it’s being exploited in multiple router models sold by the manufacturer.


      The Cyber Trust Mark is a voluntary IoT label coming in 2024. What does it mean?

      news.movim.eu / ArsTechnica · Wednesday, 19 July, 2023 - 18:56 · 1 minute

    Image caption: The U.S. Cyber Trust Mark logos, which may or may not have an assigned order at the moment. Which one most says "secure" to you? (credit: Federal Communications Commission)

    The goal of the new US Cyber Trust Mark, coming voluntarily to Internet of Things (IoT) devices by the end of 2024, is to keep people from having to do deep research before buying a thermostat, sprinkler controller, or baby monitor.

    If you see a shield with a microchip in it that's a certain color, you'll know something by comparing it to other shields. What exactly that shield will mean is not yet decided. The related National Institute of Standards and Technology report suggests it will involve encrypted transmission and storage, software updates, and how much control a buyer has over passwords and data retention. But the only thing really new since the initiative's October 2022 announcement is the look of the label, a slightly more firm timeline, and more input and discussion meetings to follow.

    At the moment, the Mark exists as a Notice of Proposed Rulemaking (NPRM) at the Federal Communications Commission. The FCC wants to hear from stakeholders about the scope of devices that can be labeled and which entity should oversee the program, verify the standards, and handle consumer education.


      Wemo won’t fix Smart Plug vulnerability allowing remote operation

      news.movim.eu / ArsTechnica · Tuesday, 16 May, 2023 - 20:35 · 1 minute

    Image caption (Wemo Smart Plug V2): This guy? This guy can be tricked into offering remote control if you give it a long name. But he's too old for his maker to care much about that.

    I once co-owned a coworking space. The space had doors with magnetic locks, unlocked by a powered relay. My partners and I realized that, if we could switch power to the system on and off, we could remotely control the door lock. One of us had a first-generation Wemo plug, so we hooked that up, and then the programmer among us set up a script that, passing Python commands over the local network, switched the door lock open and closed.

    Sometimes it would occur to me that it was kind of weird that, without authentication, you could just shout Python commands at a Wemo and it would toggle. I'm having the same feeling today about a device that's one generation newer and yet also possesses fatal flaws.

    IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm's blog post is full of interesting details about how this device works (and doesn't), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit—a limit enforced solely by Wemo's own apps—with third-party tools. Inside that overflow you could inject operable code. If your Wemo is connected to the wider Internet, it could be compromised remotely.


      Network-watching gadget Monitor-IO chooses a graceful, owner-friendly death

      news.movim.eu / ArsTechnica · Tuesday, 11 April, 2023 - 15:07 · 1 minute

    Image caption: The Monitor-IO in its natural habitat, glowing green to let you know that everything is copacetic with the network to which it's connected. (credit: Jim Salter)

    Monitor-IO was a gadget that did one thing: live near a router and tell you how its network is doing. It did this both with detailed reports you could access from the local network and with a screen that glowed one of three colors: green for good, purple for problems, and red for dead. It could replace, or at least augment, typing a bunch of IP addresses into a browser and waiting for them to time out.

    We liked the device when we reviewed it in August 2018, despite our broad understanding of it as a "butter-passing robot," a device that relays information you could otherwise find out on your own. It had, beyond color-coded awareness, "obvious technical chops and real, careful attention to detail" in how it measured and what it could report. However, we also noted that the $100 price made sense for a small business but "might be a bit steep" for a household on a tight budget.

    Monitor-IO seems to have run out of people willing to pay for better network awareness. In an "End-of-service" notice posted on its site, the company cites "rising costs and supply chain issues," among other "numerous headwinds." Faced with no better option, Monitor-IO is shutting down its business and monitoring service on April 15, 2023. (Support will be offered through May 30, 2023.)


      Open garage doors anywhere in the world by exploiting this “smart” device

      news.movim.eu / ArsTechnica · Tuesday, 4 April, 2023 - 22:30 · 1 minute


    A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them is advising anyone using one to immediately disconnect it until they are fixed.

    Each $80 device used to open and close garage doors and control home security alarms and smart power plugs employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time.

    Immediately unplug all Nexx devices

    The result: Anyone with a moderate technical background can search Nexx servers for a given email address, device ID, or name and then issue commands to the associated controller. (Nexx controllers for home security alarms are susceptible to a similar class of vulnerabilities.) Commands allow the opening of a door, turning off a device connected to a smart plug, or disarming an alarm. Worse still, over the past three months, personnel for Texas-based Nexx haven’t responded to multiple private messages warning of the vulnerabilities.


      I am being terrorised by my robot vacuum cleaner | Emma Beddington

      news.movim.eu / TheGuardian · Sunday, 2 April, 2023 - 19:13

    Morning, noon and night, it’s there, whirring and whirling around. It’s so industrious I feel simultaneously scared and shamed

    In domestic news, an issue has arisen with the robot vacuum cleaner. Our noisy old one annoyed me so much, bashing repeatedly into the skirting and swallowing rug tassels in confusion, that I stamped violently on its off button every time I caught it trying to do its job.

    The new one is less relentlessly stupid, but just as loud, and since my husband programmed it, it appears to always be on. It lurches out at 10am and is still roaring around when I come downstairs, hours later. After a brief hiatus, it re-emerges in the afternoon. It’s so noisily industrious, I feel simultaneously enervated and shamed by its productivity. Let me stare at the internet in peace, robot!
