Kudelski IoT Security Labs recently issued a critical security alert concerning the Pollen Mobile and CBRS, FreedomFi gateways, and routers deployed by Althea Network. This alert sheds light on a significant vulnerability: these devices are susceptible to physical attacks, potentially allowing attackers to gain root access to the system.
Our findings at Kudelski IoT Security Labs revealed that equipment used in the Pollen Mobile network, Helium network, and Althea Network lacks protection against local attacks. This vulnerability can severely impact the confidentiality of the data processed and the secrets stored on these devices. The risks include:
At Kudelski IoT, we believe in a proactive approach to IoT security. Our Device Security Discovery service is designed to identify and mitigate such risks, ensuring the safety and integrity of IoT devices. Our methods include:
The vulnerabilities we've identified highlight the critical need for advanced security measures in the IoT sector. Our over 25 years of research and security analysis of digital systems have equipped us with the expertise to offer IoT device manufacturers the essential insights they need to fortify their devices against such vulnerabilities.
Our commitment at Kudelski IoT is to ensure that IoT devices are not only functional and user-friendly but also secure and resilient against emerging threats. We are dedicated to assisting IoT device manufacturers in navigating these challenges and ensuring the security of their devices and users.
Responsible disclosure is a cybersecurity concept that involves a specific approach to disclosing vulnerabilities in software or systems. Under this model, a security researcher who discovers a vulnerability communicates it to the organization that owns the system, instead of publicly revealing it. This private disclosure allows the organization time to fix the vulnerability before the details are made public, reducing the risk of exploitation by malicious actors. The responsible disclosure process often includes an agreed-upon timeframe for the organization to address the issue. After this period, or once a patch is released, the researcher may publish their findings, often receiving credit for their discovery. This approach aims to balance the need for public awareness of security issues with the need to prevent widespread harm from malicious exploitation of vulnerabilities.
To date, none of the parties we notified responded to us, and to our knowledge, none of the parties have taken the necessary actions to remediate the identified vulnerabilities. This lack of responsiveness is concerning as it potentially exposes users to significant security risks. We will revise this statement as appropriate if we receive feedback from the parties we notified.
Understand the security level of your devices so you can fix identified security gaps.