As more electric vehicles are sold, the risk to compromised charging stations looms large alongside the potential for major cybersecurity exploits.

Source: Rosemary Roberts via Alamy Stock Photo

The increasing popularity of electric vehicles (EVs) isn't just a favorite for gas-conscious consumers, but also for cybercriminals who focus on using EV charging stations to launch far-reaching attacks. This is because every charging point, whether inside a private garage or on a public parking lot, is online and running a variety of software that interacts with payment systems and the electric grid, along with storing driver identities. In other words, they are an Internet of Things (IoT) software sinkhole.

"As EV charging becomes more widespread, they will become appealing targets to more sophisticated hacking groups," says Hooman Shahidi, the CEO of EVPassport, a charging network provider. "Providers need to think of their products as critical infrastructure and a critical component of our national security." There are 2.5 million electric vehicles operating in the US, and more than half of them require plug-in chargers. Acknowledging their popularity, back in 2022, the UK mandated charging stations be built in all new residential construction.

Charging stations face significant cybersecurity risks. "Issues include unprotected Internet connectivity, insufficient authentication and encryption, absence of network segmentation, unmanaged energy assets, and more," wrote researchers from Check Point Software and SaiFlow, the latter a cybersecurity specialist in distributed energy solutions. Compromised stations could damage the power grid, for example, or result in stolen customer data. “Chargers have personal and payment information and run a variety of protocols that aren't typically recognized by traditional firewalls," says Check Point Software's Aaron Rose, who works in the office of the CTO.

The early stages of cyberattacks on charging stations began a few years ago, when one Russian station was attacked in February 2022 in response to the Ukraine war and three more were compromised in the United Kingdom in April 2022. Both situations were more cyber pranks that displayed rude messages on the screens of the units. Shell patched a vulnerability last year in one database that could have exposed millions of charging logs from across its EV charging network.

New vulnerabilities continue to plague charging stations. Two of them could lead to remote code execution and potential data theft, discovered by SaiFlow earlier this year. The exploits take advantage of weak authentication routines among the various software modules that are used in the stations, according to their research. Charging station vendor Enel X Way lists a variety of other data compromises involving vehicle ID numbers, as well as exploits that could gain remote access to the vehicle controls.

Elias Bou-Harb is a computer scientist with the Louisiana State University who has long studied charging station security. He has found almost every charging product has major vulnerabilities, including well-known attack methods such as SQL injection and cross-site scripting. "What is particularly alarming is that some well-known protective measures haven't been implemented by most of the vendors, and that few of them have taken steps to improve their security even after we identified these weaknesses."

**IoT Devices Remain Attractive Targets**

Certainly, threats from charging stations aren't the only IoT devices that are targets of opportunity for cyberattackers. And the stations are just one of a multitude of IoT devices where exploits continue to increase. The combination of numerous smaller vendors with poor security design and practice and numerous automated tools such as botnets to locate and compromise various devices makes all IoT devices easy targets for hackers. Data from the US Federal Communications Commission (FCC) increased since then.

But the charging stations do represent a complex — and therefore very rich and potentially exploitable — combination of elements that can go beyond smart TVs and smart speakers. For example, Check Point's Rose says that "chargers have similar risk profiles but present a different attack surface to other smart devices."

What this means is that the chargers run management software tools "in between the EV user and the car and between the charging station and the power grid and coordinate billing, authentication, and supplied power," Bou-Harb says. "And adding to this complexity, all of this is also deployed by the charging vendors in the cloud." His research has found that some of the software run by these stations has been exploited for years, "and that vendors haven't yet realized they have been compromised, let alone fixed the problems."

Enel X Way's blog post lists a comprehensive eight-point framework for charging stations that covers identity access, risk management, emergency response, and other factors. 

**In Regulators' Crosshairs**

Both the US and Europe are making regulatory steps to try to rein in charging stations, both public and private. The UK has had an anti-tampering law in effect since 2022 relevant to the home-based charging stations. This resulted in security improvements from several vendors, as recently reported. Wallbox, a charging station vendor, added extra security safeguards to its equipment to comply with these regulations, while other vendors have dropped out of European markets rather than improve their products. 

The EU has proposed new cybersecurity safeguards for electric grid operators and IoT vendors in its NIS2 directive last year that will take effect in October. It includes stricter breach reporting requirements and levies higher fines, among other items. 

Another proposal is to have the charging station industry self-certify their devices, like what Underwriters Laboratories does for various electronics. European automotive safety vendor Dekra proposed a public charging station certification program that it claims is an industry first. It offers three different levels that range from providing basic security services to penetration testing of the equipment. 

The US is lagging in these efforts. Last summer, the Biden administration proposed a cybersecurity labeling program for smart home devices. Dubbed the Cyber Trust Mark, it would be administered by the FCC, based on work developed by the National Institute of Standards and Technology. "The Cyber Trust Mark is a great idea," Check Point's Rose says. "But execution is going to be key. The mark must be updated and based on doing continuous testing of devices."

Last year, the National Institute of Standards and Technology (NIST) also proposed a series of recommendations for public charging stations to improve their cybersecurity. However, one key element of the NIST, Cyber Trust, and Dekra initiatives is that they are all voluntary. "The charging stations' guidelines are a positive development," Ravi Lingarkar, vice president of product management at Akitra, wrote on LinkedIn. "Without uniform cybersecurity standards, EV charging stations can become easy targets for hackers. It's like enabling anyone to bring their own device to the grid. Given the rapid expansion of the EV charging infrastructure, cybersecurity is at the forefront of many potential problems." 

Still, these efforts are early and incomplete. "The government regulations have come too late," Bou-Harb says. "The market is already saturated with various charging products. These vendors don't really care about the security of their devices, which is often more of an afterthought. It's time for the charging vendors to come together, admit there is a problem, and start working on solutions and sharing threat data."

One potential roadblock is that EV chargers are under the purview of multiple regulatory agencies, such as the departments of Transportation, Energy, and Homeland Security. Getting them all to work cooperatively isn't going to be easy. "No one is taking leadership," Bou-Harb says. 

"A simple step that the government could take now would be to require SOC2 pending for EV charging providers. We need to raise the bar," EVPassport's Shahidi says. The SOC2 standard focuses on security controls and privacy, among other items.  

**About the Author(s)**

Contributing Writer

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as cybersecurity, VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 35 years. He was the editor-in-chief of Network Computing print, Digital Landing.com, and Tom's Hardware.com. He has written two computer networking books and appeared on a number of TV and radio shows explaining technology concepts and trends. He regularly blogs at https://blog.strom.com, and is president of David Strom Inc.

EV Charging Stations Still Riddled With Cybersecurity Vulnerabilities

Azure Identity Library for .NET Information Disclosure Vulnerability

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-29992

**Azure Identity Library for .NET Information Disclosure Vulnerability**

Moderate severity GitHub Reviewed Published Apr 9, 2024 to the GitHub Advisory Database • Updated Apr 11, 2024

**Package**

nuget Azure.Identity (NuGet)

**Affected versions**

< 1.11.0

**Description**

Published to the GitHub Advisory Database

Apr 9, 2024

Last updated

Apr 11, 2024

GHSA-wvxc-855f-jvrv: Azure Identity Library for .NET Information Disclosure Vulnerability

Improper Input Validation vulnerability in Apache Zeppelin.

The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31867

**Apache Zeppelin: LDAP search filter query Injection Vulnerability**

Moderate severity GitHub Reviewed Published Apr 9, 2024 to the GitHub Advisory Database • Updated Apr 10, 2024

**Package**

maven org.apache.zeppelin:zeppelin-server (Maven)

**Affected versions**

\>= 0.8.2, < 0.11.1

**Description**

Published to the GitHub Advisory Database

Apr 9, 2024

Last updated

Apr 10, 2024

GHSA-qmr3-52xf-wmhx: Apache Zeppelin: LDAP search filter query Injection Vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin.

The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31864

**Apache Zeppelin remote code execution by adding malicious JDBC connection string**

Critical severity GitHub Reviewed Published Apr 9, 2024 to the GitHub Advisory Database • Updated Apr 11, 2024

**Package**

maven org.apache.zeppelin:zeppelin-jdbc (Maven)

**Affected versions**

< 0.11.1

**Description**

Published to the GitHub Advisory Database

Apr 9, 2024

Last updated

Apr 11, 2024

GHSA-66j8-c83m-gj5f: Apache Zeppelin remote code execution by adding malicious JDBC connection string

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.

Attackers can modify `helium.json` and perform cross-site scripting attacks on normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31868

**Apache Zeppelin vulnerable to cross-site scripting in the helium module**

Moderate severity GitHub Reviewed Published Apr 9, 2024 to the GitHub Advisory Database • Updated Apr 11, 2024

**Package**

maven org.apache.zeppelin:zeppelin-interpreter (Maven)

**Affected versions**

\>= 0.8.2, < 0.11.1

**Description**

Published to the GitHub Advisory Database

Apr 9, 2024

Last updated

Apr 11, 2024

GHSA-rrvf-5w4r-3x7v: Apache Zeppelin vulnerable to cross-site scripting in the helium module

Improper Input Validation vulnerability in Apache Zeppelin.

The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges.

This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31865

**Apache Zeppelin: Cron arbitrary user impersonation with improper privileges**

Moderate severity GitHub Reviewed Published Apr 9, 2024 to the GitHub Advisory Database • Updated Apr 10, 2024

**Package**

maven org.apache.zeppelin:zeppelin-server (Maven)

**Affected versions**

\>= 0.8.2, < 0.11.1

**Description**

Published to the GitHub Advisory Database

Apr 9, 2024

Last updated

Apr 10, 2024

GHSA-g44m-x5h7-fr5q: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges

By Owais Sultan
WordPress, a widely used content management system, owes a great deal of its flexibility to plugins. These small…
This is a post from HackRead.com Read the original post: The Essential Tools and Plugins for WordPress Development

WordPress, a widely used content management system, owes a great deal of its flexibility to plugins. These small software components effortlessly improve the functionality of your website. Having the right resources and tools is crucial for developers venturing into WordPress development services. Let’s explore the essential elements that can facilitate and enhance your journey in this field.

****Essential Tools for WordPress Development****

WordPress powers millions of websites worldwide (472 million), from personal blogs to enterprise-level e-commerce platforms. Developers face challenges in such a diverse ecosystem, from writing clean and efficient code to ensuring seamless website deployment and maintenance. The right tools act as enablers, empowering developers to navigate these challenges easily and precisely.

****Code Editors****

Choosing a suitable code editor is akin to selecting the right brush for an artist. Versatile editors like Visual Studio Code or Sublime Text provide many features such as syntax highlighting, auto-completion, and Git integration. These features enhance productivity and foster a conducive environment for writing clean, maintainable code.

****Local Development Environments****

Developing and testing WordPress websites on a live server can be risky and inefficient. Local development environments, facilitated by tools like XAMPP, MAMP, or Docker, provide a safe and controlled environment for experimentation and iteration. Developers can test new features, plugins, and themes without fearing disrupting the live website, ensuring a seamless user experience upon deployment.

****Version Control Systems****

Version control systems like Git are the backbone of efficient teamwork in a collaborative development environment. Paired with platforms like GitHub or Bitbucket, these systems enable developers to manage code changes seamlessly, collaborate with team members in real time, and maintain a comprehensive project history. This fosters a cohesive and organized development environment, ensuring everyone is on the same page throughout the development lifecycle.

****Debugging Tools****

No code is perfect, and debugging is inevitable in the development process. Specialized debugging tools like Query Monitor or Debug Bar provide developers with invaluable insights into the inner workings of their WordPress projects. These tools are indispensable for maintaining a robust and efficient website, from identifying and troubleshooting issues to monitoring performance and optimizing the codebase.

****Must-Have Plugins for WordPress Development****

WordPress’s flexibility and extensibility are key factors contributing to its popularity among developers worldwide. However, the sheer volume of available plugins can be overwhelming, making it essential for developers to discern and integrate the most suitable ones into their projects. Here’s why selecting the right plugins is imperative for effective WordPress development:

****SEO Plugins****

Optimizing websites for search engines is essential for driving organic traffic and enhancing visibility. SEO plugins like Yoast SEO or Rank Math provide developers with robust tools to optimize their WordPress sites effectively. Features such as XML sitemap generation, meta tag optimization, and comprehensive content analysis empower developers to bolster their site’s visibility and relevance in search engine results, increasing organic traffic and user engagement.

****Performance Optimization Plugins****

User experience is paramount in retaining visitors and fostering engagement on WordPress websites. Performance optimization plugins such as WP Rocket or W3 Total Cache offer many optimization features to improve site speed and performance. From caching mechanisms to asset minification and lazy loading, these plugins ensure a snappier and more responsive user experience, leading to higher user satisfaction and retention.

****Security Plugins****

Protecting WordPress websites against security threats is a top priority for developers. Security plugins like Wordfence or Sucuri Security fortify the site’s defences with features such as firewall protection, malware scanning, and enhanced login security. By implementing these plugins, developers can ensure peace of mind against potential threats and vulnerabilities, safeguarding their websites and user data from malicious attacks.

****Development & Debugging Plugins****

Efficient development workflows are essential for maintaining productivity and delivering high-quality WordPress projects. Development and debugging plugins such as Query Monitor or Debug Bar streamline debugging and optimization by providing critical insights into database queries, PHP errors, and HTTP requests. By leveraging these plugins, developers can identify and address issues swiftly, ensuring the seamless operation of WordPress projects and minimizing development time.

****Elevate Your WordPress Development Experience****

Integrating these indispensable tools and plugins into your WordPress development arsenal empowers you to transcend boundaries, streamline processes, and unlock the full potential of your projects. By staying abreast of the latest advancements in the WordPress ecosystem, you can continually refine and optimize your development practices, fostering innovation and excellence in your endeavours.

1.  What To Look For In The Best WordPress Hosting
2.  What is WooCommerce, and Why You Should Care
3.  Kotlin app development company – How to choose
4.  Tips for Using Uploader Widgets on WordPress Blogs
5.  MySQL Performance Tuning: 5 Tips for Blazing Fast Queries

The Essential Tools and Plugins for WordPress Development

By Uzair Amir
0G Labs is pleased to unveil the launch of the testnet for 0G, the modular ultra-high data throughput…
This is a post from HackRead.com Read the original post: 0G Launches Newton Testnet of Ultra-Scalable Modular AI Blockchain

0G Labs is pleased to unveil the launch of the testnet for 0G, the modular ultra-high data throughput blockchain optimized for on-chain AI. The network is now available for node operators, developers and the community to join and provide feedback for an upcoming mainnet launch in Q3 2024.

0G, or ZeroGravity, is a modular blockchain that aims to alleviate the major pain points of using blockchain for AI, where data and execution requirements outweigh the current market offering by several orders of magnitude. The modular architecture enables 0G to offer a lean and performant network, unencumbered by legacy consensus algorithms, unrelated use cases sharing the same block space, as well as on-demand scaling.

Demand for on-chain AI is growing due to its promise of offering reliable and credibly neutral training and execution of neural networks. According to a report by KPMG, the vast majority of global corporate executives see AI as one of the fundamental technology breakthroughs that will impact their business shortly. However, adoption risks abound — including potential intellectual property issues, personal data sharing, lack of regulatory frameworks and biases in generative AI models.

Via immutable and verifiable storage and execution environments, blockchains offer a promising solution to address the many challenges of AI. By making AI workflow decentralized, it democratizes the technology and makes it accessible to more people and organizations.

By distributing data across multiple nodes rather than centralizing it in a single location, decentralized AI can help protect sensitive information from hacks and breaches. It also enables fair distribution of rewards to the contributors in the entire workflow, e.g., to data, model, and computation power providers, respectively.

The distributed ledger and cryptographic technologies can further give more transparent ways to track the AI-generated data to help people distinguish between the authentic original data and deepfakes. In addition, blockchains can help achieve a balanced approach to manual interventions in the models’ results, which sometimes can miss the mark.

Existing infrastructure solutions are still insufficient for massive on-chain AI adoption, which is why 0G is building the next-generation blockchain infrastructure for AI. With benchmarks of over 50 Gbps data throughput, compared to existing rates of 1.5 Mbps on Ethereum-based scaling solutions, 0G offers an incredible improvement in its baseline form, while the modular architecture promises potentially infinite scalability down the line.

“The public launch of our testnet marks the first stage of bringing AI on-chain, which will combine two of the most exciting technologies that emerged in the past decade,” said Michael Heinrich, CEO of 0G Labs. “Our team has worked diligently over the past months to deliver our vision of the ultra-scalable modular blockchain, and we’re excited to see the feedback from the community of users and developers.”

The 0G testnet launch comes shortly after 0G Labs closed its $35M pre-seed round, which was originally intended to collect $5M to bring an MVP of the idea to market. The round, led by Hack VC, saw participation from many influential investors primarily in the Web3 space, including Bankless, Polygon, Delphi Digital, TRGC, Dao5, Symbolic, BlockChain Builders Fund, Dispersion, Daedalus, Gumi Cryptos and many more venture funds and angel investors.

****About 0G****

0G, or ZeroGravity, is a leading Web3 infrastructure provider that is building the leading modular AI blockchain creating solutions to implement on-chain AI applications in the Web3 ecosystem. The platform achieves high data availability through its unique architecture separating data storage and data publishing. 

By ensuring throughputs of 50 GB/second, a full 50,000x faster than competitors, and a cost that is 100x lower, 0G has positioned itself as a leader in bringing high data use cases, such as scalable L2s and modular AI, into the Web3 ecosystem.

1.  Owning Versus Renting – The Circumstances of Web3 Domains
2.  5 Best Crypto Marketing Agencies for Web3 Security Brands in 2024
3.  Blockchain Networks Using API Security Data to Mitigate Web3 Threats

0G Launches Newton Testnet of Ultra-Scalable Modular AI Blockchain

We are potentially encroaching on a water supply crisis if data center operators, utilities, and the government don't implement preventative measures now.

Mark Trump, IT/IoT Defense Adviser, Cybersecurity Center of Excellence, Capgemini

April 9, 2024

5 Min Read

Source: stockphoto-graf via Alamy Stock Photo

COMMENTARY

In our digitally driven world, data has become an invaluable asset to companies across sectors. Data enables intelligent products, services, and operations. Data is also the unsung hero in today's "age of AI." By 2030, the AI market will be worth more than $1.3 billion in revenue — growing 36.8% from 2023's market size of $150.2 billion, and data is arguably the catalyzer driving this immense growth.

**The Current State of Data Centers**

Data is not just an intangible asset that's stored in the virtual ether of "the cloud." In reality, data, and data storage, is very much tied to the physical world. With the increasing introduction of artificial intelligence models, more data will be needed, and therefore stored in data centers.

These centers allow for data to be kept secure, accurate, available, and, for all practical purposes, "alive." Using switches, storage systems, servers, routers, and other equipment, data centers can store essential data sets around the clock. However, the extreme warmth produced by the energy used to process and store data causes overheating concerns. Data centers therefore require energy-intensive cooling systems to ensure the equipment does not fail. Such failures can lead to data losses, and vital workload and service outages — which occurred at a major tech company's Australian-based data center when a regional utility's power outage shut down the center's cooling mechanism. 

Unfortunately, cooling comes at a steep price, accounting for nearly 40% of an average data center's electricity usage. Many operators recognize the strain traditional air-based cooling methods put on its finances and net-zero pledges, which is why some are opting for liquid cooling systems. Although liquid cooling is technically more energy efficient than air cooling, it can still negatively impact the environment — and opens other door for potential outages. 

**Data's Dependence on Water**

When we say "liquid" cooling systems, we're actually referring to water in most cases. Just like living beings, data needs water to survive — and, therefore, so do AI models, software, and countless other technologies that rely on data.

Most data centers in the United States use freshwater supplied by utilities — the same water supply that humans rely on. The average data center uses 1 million to 5 million gallons of water a day (paywalled article), and considering that 30% of the world's data centers are located in America, that means Americans are losing access to a significant amount of safe drinking water. 

The US is already experiencing alarming water shortages as a result of low precipitation fueled by climate change and increased demand from a growing population. Now, add the increased demand from data centers as operators try to cool facilities overrun with AI-associated data, and America could experience a water crisis.

To make matters worse, the American water supply is facing an additional threat: cybersecurity attacks. Bad actors are increasingly targeting US water infrastructure. The main concern is the health and safety of Americans, but these attacks also threaten data centers — and the technology that depend on data. Hackers have historically targeted cooling systems, and they will undoubtedly continue to do so by finding weak points in data centers' water infrastructure, as well as security gaps in the regional water utilities that serve data centers across the US.

**Two-Pronged Approach: Sustainability and Security**

So, how can data center operators effectively store data that is essential to the booming AI market and virtually every aspect of the digital world while limiting their water consumption and protecting their water infrastructure? 

From an environmental standpoint, it will mean utilizing other water sources beyond freshwater provided by American utilities. Some operators are exploring the use of wastewater, industrial water, and seawater to lessen their strain on the United States' depleting freshwater supply. Improving liquid cooling system monitoring tools to track water consumption is also key. And companies are wisely utilizing federal funds to explore efficient cooling options and should continue partnering with the public sector moving forward.

What's more, operators should consider introducing new liquid cooling systems entirely, as there are now more advanced designs that use less water. And as new data centers become necessary — which we know they will — companies should consider building these facilities in cooler climates as well as in areas with water basins that are not overstrained. 

From a cybersecurity standpoint, many operators will have to prioritize defensive measures that specifically protect water infrastructure — which arguably has not been a key security prerogative in previous years. This will require a strategic reset in which leaders identify water, energy, and other external dependencies and extend risk assessments to environmental and other resources beyond the "logistics-based supply chain" that could interrupt business or operations. If enterprises have not done so already, then they should also apply zero-trust principles to all water-based infrastructure that they are dependent upon. 

Organizations must prepare themselves for a variety of scenarios: What would happen if the data centers you rely on for business viability had a water shortage that forced a shut down? Does your crisis plan consider catastrophic loss of water, and therefore data? If water resources and infrastructure sit outside of your security programs, then chances are you could very well face these scenarios. 

To avoid such potential threats, keep in mind this simple mantra: Define. Protect. Defend. Assess your risk so you can mitigate it, and monitor and maintain your defenses.

That said, water utilities must also do their part to help prevent attacks that could severely impact critical data centers and compromise water supply. Experts point to a renewed focus on cyber resiliency through public-private partnerships, improved centralized patch management systems, risk assessments, and temporary controls to address immediate vulnerabilities in critical systems and legacy infrastructure.

**Change Is Needed Now **

Data center operators are faced with a considerable challenge. They must meet the demands of storing an astonishingly increasing quantity of data while utilizing a decreasing supply of water to cool their facilities. Business, technology, and sustainability leaders must work together to formulate strategies that not only protect the environment, but also protect their data.

There's no future for humans or the life-changing technology we've come to rely on without water. And make no mistake, we are potentially encroaching on a water supply crisis if data center operators, utilities, and the American government do not implement preventative measures now.

**About the Author(s)**

IT/IoT Defense Adviser, Cybersecurity Center of Excellence, Capgemini

Mark Trump is a physical security knowledge leader and defense adviser. He has more than 35 years’ experience with advanced technologies, cybersecurity and application of best defensive practices across industrial, commercial, governmental and defense industries specializing in cybersecurity modernizations for critical infrastructure and operational technologies OT/IoT and other infrastructure critical to business and safety.

Why Liquid Cooling Systems Threaten Data Center Security &amp; Our Water Supply

The company is asking users to retire several network-attached storage (NAS) models to avoid compromise through a publicly available exploit that results in backdooring.

Source: Tiny Ivan via Alamy Stock Photo

A critical flaw in several end-of-life (EOL) models of D-Link network-attached storage (NAS) devices can allow attackers to backdoor the device and gain access to sensitive information, among other nefarious activities.

More than 92,000 devices currently connected to the Internet are affected by a flaw tracked as CVE-2024-3273 in D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, according to D-Link. As a result, the company is asking customers to sunset any and all affected devices, which will remain vulnerable as the devices no longer receive updates or support from the vendor.

A researcher who goes by the online name "netsecfish" identified the flaw and detailed it on GitHub and subsequently informed D-Link about it, which released its own advisory. The researcher also released an exploit for the flaw, in which attackers already are showing interest, according to a post on X (formerly Twitter) by Shadowserver.

"We have started to see scans/exploits from multiple IPs for CVE-2024-3273," according to the post. "This involves chaining of a backdoor and command injection to achieve RCE."

Flaws in NAS devices are serious business, as exploiting them has great potential to affect not only the device itself but myriad devices that connect to it, posing a dangerous threat that can expose enterprise networks to risk.

**Data Theft, Denial of Service & More**

The vulnerability exists in the nas\_sharing.cgi CGI script, leading to backdooring through username and password exposure as well as command injection through the system parameter, explained netsecfish.

"Affected is an unknown function of the file /cgi-bin/nas\_sharing.cgi of the component HTTP GET Request Handler," according to the listing for the flaw in the National Institute of Standards and Technology's (NIST's) National Vulnerability Database. "The manipulation of the argument system leads to command injection."

To get more granular, in terms of username and password exposure, the problem lies in the request, which "includes parameters for a username (user=messagebus) and an empty password field (passwd=)," according to netsecfish. "This indicates a backdoor allowing unauthorized access without proper authentication."

For command injection, attackers can exploit the "system" parameter within the request, "which carries a base64 encoded value that, when decoded, appears to be a command," according to netsecfish.

Attackers can chain the two issues together to obtain arbitrary command execution on the affected D-Link NAS devices, granting attackers potential access to sensitive information, system configuration alteration, or denial of service.

Netsecfish's exploit entails crafting malicious HTTP requests by preparing an HTTP GET request–GET /cgi-bin/nas\_sharing.cgi?user=messagebus&passwd=&cmd=15&system=<BASE64\_ENCODED\_COMMAND\_TO\_BE\_EXECUTED>–targeting the /cgi-bin/nas\_sharing.cgi endpoint.

**Replace & Retire Vulnerable D-Link Devices**

A report published last year found that companies in every industry continue to leave backup and storage platforms unsecured, making it crucial for them to ensure cybercriminals can't exploit vulnerable ones to enter corporate networks.

With no forthcoming patch for CVE-2024-3273, the only true remedy is not to use affected devices at all, so anyone with one still connected to a network should retire and replace the product immediately, according to D-Link. A complete list of devices can be found in D-Link's advisory.

Indeed, the company remained adamant that it has no plans to support or update the affected products as per its typical device EOL strategy. "Regardless of product type or sales channel, D-Link's general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease," according to D-Link.

If consumers in the US continue to use the device against the company's recommendation, they should "please make sure the device has the last know firmware," which can be located on a Legacy Website links included in the advisory, according to D-Link.

Anyone who wants to continue using the device also should ensure frequent updating of the device's unique password to access its Web configuration, as well enable Wi-Fi encryption with a unique password.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#git