Several weeks ago Libelium was informed by IBM about some web vulnerabilities which had been found in the Meshlium Manager System. As Libelium considers security as a fundamental and essential core element for all its development projects new actions were taken immediately.
Responding to Libelium’s commitment to the security of IoT devices, the company took action instantaneously and all vulnerabilities detected were automatically amended with a new software version released on August 1st which is ready to be downloaded from the Manager System. (A complete list is attached to the end of this note).
Libelium cybersecurity team has been thoroughly working to make Meshlium IoT Gateway completely hacking-proof. Under a controlled test environment, they have implemented important safety measures to detect possible failures that could occur in extremely adverse circumstances and thus apply solutions to guarantee the maximum reliability of the IoT platform.
As a result of the tests carried out, new patches are available for Meshlium users to download with the updates of the Meshlium Manager System. The company informed about the “New Important Meshlium Software Upgrade” to all the developers through a newsletter. In fact, a new firmware update that solves the code injection problem is already available: Meshlium Manager System v4.0.9 (for current Meshlium generation) and Meshlium Manager System v3.2.9 (for the previous Meshlium generation).
Libelium truly appreciates IBM work in the detection as well as their responsible communication about this discovery. “Any device can be vulnerable. It is very important to continually test and develop the patches needed urgently to give confidence to users acting quickly,” says David Gascón, CTO of Libelium.
New Important Meshlium Software Upgrade
Dear Developer,
We are happy to inform that we have implemented new firmware versions for Meshlium that include important security updates.
They are available for free download following the instructions on the links below.
Meshlium Manager System v4.0.9 upgrades (current Meshlium generation):
- Security upgrades:
- HTTPS protocol for all ManagerSystem connections (you must add it as a trusted connection in your browser, explained in the chapter ” Accessing Meshlium–make it easy!” of the Meshlium Technical Guide.
- MySQL over SSL/TLS (new “sslroot” user).
- GnuPG to verify and validate the new update firmware.
- Manager System forms reinforced to avoid possible web exploits.
- Added AlibabaCloud cloud connector to ApsaraDB cloud service using MongoDB shell.
- The following cloud connectors have been updated: Amazon IoT, Cumulocity, Plasmacomp,Symphoni and Telit.
Meshlium Manager System v3.2.9 upgrades (former Meshlium generation):
- HTTPS protocol for all Manager System connections (HTTP also available).
- MySQL secure connections (SSH tunnel).
- GnuPG to encrypt and sign update files.
- Manager System forms reinforced to avoid possible web exploits.
In order to keep the Meshlium devices secured, we deeply encourage all users to apply the new version of the Manager System. To update your Meshlium, please follow the steps explained in the chapter “Upgrading Meshlium” of the Meshlium Technical Guide.
Best,
–The Libelium R&D Team
Download the PR in PDF format here.
See related: Why Libelium sensor nodes are immune to IoT Gateways attacks