Devices Using Blackberry QNX Must Be Patched; Fortinet WAF Management Interface is Vulnerable; T-Mobile Breach Exposed PINs of 850,000 Users

Assessing the impact of this vulnerability is very difficult. BlackBerry QNX is used in various devices: medical, industrial, automotive and more. The vulnerability is only exploitable if it is exposed via software running on a BlackBerry QNX device. This software is likely not part of BlackBerry QNX but created for a particular device. First try to get a handle on which devices actually use BlackBerry QNX in your environment, or if you use it in any products. The safe option is to patch regardless of exposure. Finally, any devices like this should always be segregated as much as possible.

Johannes Ullrich

The wide variety of embedded systems with QNX means updates are not going to be available at a specific point in time. Make sure only authorized connections are allowed, and apply the updates when available. Monitor for malfeasance or other signs of tampering.

Lee Neely

A patch will hopefully be released soon. But the vulnerable web based admin interface should not be exposed anyway, limiting exploitability.

Johannes Ullrich

T-Mobile, like other carriers, requires a full credit check across all three credit agencies for any new postpaid account. In supporting these credit checks, carriers are building large targets that are impossible to protect. The cost of this leak will be minimal to T-Mobile and is unlikely to change any behavior. As a consumer: Freeze your credit file, make it painful for companies like T-Mobile to make you a customer and maybe eventually they will realize that some fraud is less costly then storing excessive amounts of information that they do not know how to protect.

Johannes Ullrich

Of the 48M people impacted, almost 40M weren’t even current T-Mobile customers but the data was still stored and left unprotected. The GDPR regulations require data minimization be followed in data collection, defined as “limited to what is necessary in relation to the purposes for which they are processed” but unfortunately the mish-mash of outdated national privacy and fraud regulations in the US does not. The compromise of PIN numbers meant those 850,000 customers were vulnerable to SIM-swapping attacks.

John Pescatore

Retention of data, particularly for past customers is tricky with privacy laws. The mantra needs to be keep data for the minimum possible time. Make sure that you have clear retention policies, and they are followed, now update those processes and policies to incorporate relevant privacy laws. If you are archiving old data, monitor access to that archive carefully.

Lee Neely

It appears that this breach could be similar to the OPM breach of 2015. In that breach, one of the biggest issues is OPM had thousands if not millions of records online that were no longer needed. It appears the same could be for the T-Mobile breach, with data on almost 40 million people who are no longer T-Mobile customers, or never even were. The first rule of data security is the best way to secure data is not to collect / store the data.

Lance Spitzner

If there is a theme this week, it is SDK vulnerabilities. Kalay, ThroughTek and in some ways BlackBerry QNX fall into this category. The product itself may only be vulnerable if specific features in the SDK are used by third party software, making it difficult to identify vulnerable devices. The Kalay vulnerability is probably the easiest one to identify as it is linked to the use of the specific P2P protocol.

Johannes Ullrich

This is a “supply chain” issue in which the end user is unlikely to know that he is using affected products.

William Hugh Murray

So far, no information from Microsoft on why they originally decided this was not a security flaw, even though in July they did issue a patch for a very similar vulnerability in Windows, or why a month later they changed their mind. When a vendor declares they will not patch a proven exploitable flaw, disclosure has to happen in order for vulnerable users to take mitigation steps and for security vendors to add capabilities to detect and block attempts to exploit.

John Pescatore

These routers are no longer supported, and have not been supported by Cisco for a while. You may still mitigate the vulnerability by disabling UPnP. UPnP should be disabled anyway. But in general: Track the EoL status of any equipment in your network. Not all vendors will even announce vulnerabilities once a device is no longer supported. When purchasing equipment: Note the EoL date and do not purchase equipment if a vendor is not willing to commit to a minimum support time frame.

Johannes Ullrich

Lifecycle replacements, particularly for something which “isn’t broken” are a hard sell, particularly for SMB where margins are already tight. While we can argue the breach is more expensive than the fix, working with management to include these with other capital improvements in the long term budget lessons the blow. Prioritize replacements based on accessibility. Short term, there is no fix; if you have one of these devices (RV110W, RV130, RV130W or RV215W) replace it with a current model now.

Lee Neely

I’d be willing to bet that Cisco isn’t pushing a fix since these orgs simply do not demand it. Small and Medium Businesses often don’t have dedicated IT staff, let alone security staff to identify issues like this. If the router works and the business believes they are “too small to target” (or they don’t know they are vulnerable), there’s no push to fix. SMB is a in a tough spot as usual.

Tim Medin

Lots to unpack here. Patching, lifecycle management, monitoring, and incident reporting are all key cybersecurity activities. With EO14028 pushing for Zero Trust, as well as increased incident response and communication, these basic activities have to be addressed, and not all agencies are prepared. Begin with a discovery activity to make sure you know all your assets and what they do, then move to patching. While you’re touching things, make sure they are sending logs to a centralized repository, and have your SOC monitor and create alerts. DHS/CISA have resources you can leverage to help with this as well as reporting.

Lee Neely

As is usually the case, there are cautions for us all in these public audit reports.

William Hugh Murray

Embassy personnel are actually trained on emergency destruction processes to leave no useable systems or data (digital or paper) behind. With today’s practices, where more and more data is cloud based, when leaving a facility, it’s important to make sure that no information is left behind which could be used to access or recover an account to access that data. Sweep your old facility before handing it over to ensure nothing is overlooked.

Lee Neely