ONEKEY announces automated detection of zero-day vulnerabilities

New platform for automated discovery of unknown 0-day vulnerabilities for producers of connected devices and operators of industrial control systems

DĂĽsseldorf/Germany, September 29, 2022  – For the first time, European IoT/OT security specialist ONEKEY is enabling software-based automated detection of previously unknown zero-day vulnerabilities in industrial products and control systems. This category poses one of the greatest risks to anything that uses software: “Zero-day attacks exploit security vulnerabilities that may have existed undetected for a long time and have not been detected by the producer of the devices and equipment. Therefore, there is no patch for the vulnerability and global attacks on affected devices can be devastating,” says Jan Wendenburg, CEO of ONEKEY. Among hackers, these vulnerabilities are even traded; a 0-day gap in iOS, Windows or Android can easily achieve prices in the seven-digit range. What is already dangerous for PCs can have threatening effects, can even lead to bankruptcy, on networked and intelligent plants and infrastructures in industry. Today, finding unknown software vulnerabilities is an enormously costly task – many producers therefore even voluntarily pay high sums of money to hackers to identify and mitigate security risks before immense damage occurs.

Undetected vulnerabilities
Previous automated solutions, on the other hand, search for patterns and files that have already been recognized as potentially dangerous. “The supreme discipline of software security is to automatically find completely unknown vulnerabilities. This makes software significantly safer and better protected against attacks worldwide. In addition, development times are shortened in the long term because vulnerabilities can be detected and fixed at an early stage. The result: improved security and savings in the cost structure,” explains Jan Wendenburg of ONEKEY. The company’s innovative technology platform uses a completely new automated detection function that has already uncovered several critical 0-day vulnerabilities. All vulnerabilities found would have led to the execution of a remote code in IoT devices. All that was required was an upload of the firmware image to ONEKEY’s analysis platform. Based on ONEKEY’s Responsible Disclosure Policy directed to producers who do not work directly with ONEKEY yet, confidential information is initially provided. According to the industry standard period of 90 days, the results of the vulnerability analysis will be made available to the public in detailed security advisories.

Troubleshooting advice
ONEKEY’s analysis platform automatically extracts the firmware, the attack surface is self-mapped and entry points for attackers are automatically identified. Dangerous functions that can be exploited by attackers are evaluated and verified, and only the truly relevant ones are highlighted. In addition to the rating of the actual threat, users also receive information on how to fix the vulnerability and indications on affected areas in the firmware application. “This new functionality – the automatic detection of 0-day vulnerabilities – marks the beginning of a new era in IoT/OT security. Therefore, we have registered as a CNA (CVE Numbering Authority) and are working with CISA to better coordinate responsible disclosure with vendors and increase the level of security of networked devices. Security in the Internet of Things is our mission!” emphasizes Jan Wendenburg, CEO of the security specialist ONEKEY.

For more details read our blog post “New Solution on Automated Zero-Day Exploits Discovery!”

About ONEKEY

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.

 

CONTACT:

Sara Fortmann

Marketing Manager

sara.fortmann@onekey.com

 

euromarcom public relations GmbH

+49 611 973 150

team@euromarcom.de