New platform for automated discovery of unknown 0-day vulnerabilities for producers of connected devices and operators of industrial control systems
Düsseldorf/Germany, September 29, 2022 – For the first time, European IoT/OT security specialist ONEKEY is enabling software-based automated detection of previously unknown zero-day vulnerabilities in industrial products and control systems. This category poses one of the greatest risks to anything that uses software: “Zero-day attacks exploit security vulnerabilities that may have existed undetected for a long time and have not been detected by the producer of the devices and equipment. Therefore, there is no patch for the vulnerability and global attacks on affected devices can be devastating,” says Jan Wendenburg, CEO of ONEKEY. Among hackers, these vulnerabilities are even traded; a 0-day gap in iOS, Windows or Android can easily achieve prices in the seven-digit range. What is already dangerous for PCs can have threatening effects, can even lead to bankruptcy, on networked and intelligent plants and infrastructures in industry. Today, finding unknown software vulnerabilities is an enormously costly task – many producers therefore even voluntarily pay high sums of money to hackers to identify and mitigate security risks before immense damage occurs.
Undetected vulnerabilities Previous automated solutions, on the other hand, search for patterns and files that have already been recognized as potentially dangerous. “The supreme discipline of software security is to automatically find completely unknown vulnerabilities. This makes software significantly safer and better protected against attacks worldwide. In addition, development times are shortened in the long term because vulnerabilities can be detected and fixed at an early stage. The result: improved security and savings in the cost structure,” explains Jan Wendenburg of ONEKEY. The company’s innovative technology platform uses a completely new automated detection function that has already uncovered several critical 0-day vulnerabilities. All vulnerabilities found would have led to the execution of a remote code in IoT devices. All that was required was an upload of the firmware image to ONEKEY’s analysis platform. Based on ONEKEY’s Responsible Disclosure Policy directed to producers who do not work directly with ONEKEY yet, confidential information is initially provided. According to the industry standard period of 90 days, the results of the vulnerability analysis will be made available to the public in detailed security advisories.
Troubleshooting adviceONEKEY’s analysis platform automatically extracts the firmware, the attack surface is self-mapped and entry points for attackers are automatically identified. Dangerous functions that can be exploited by attackers are evaluated and verified, and only the truly relevant ones are highlighted. In addition to the rating of the actual threat, users also receive information on how to fix the vulnerability and indications on affected areas in the firmware application. “This new functionality – the automatic detection of 0-day vulnerabilities – marks the beginning of a new era in IoT/OT security. Therefore, we have registered as a CNA (CVE Numbering Authority) and are working with CISA to better coordinate responsible disclosure with vendors and increase the level of security of networked devices. Security in the Internet of Things is our mission!” emphasizes Jan Wendenburg, CEO of the security specialist ONEKEY.
For more details read our blog post “New Solution on Automated Zero-Day Exploits Discovery!”