
The National Cyber Security Centre Finland’s weekly review – 15/2024

Information security now!

This week, we talk about the information security of internet-connected home devices and vulnerabilities that can expose such devices, especially televisions, to cyber attacks. We also provide information on how to protect home devices. Other topics in this week’s review include the recording of the Tietoturva 2024 information security seminar held in March, the NIS2 Directive and the feedback questionnaire on our website.

TLP:CLEAR

Topics covered in this week’s review

  1. Over 6,000 TVs in Finland vulnerable to cyber threats
  2. Recording of the Tietoturva 2024 information security seminar now available
  3. How to prepare for the cyber security risk management requirements of the NIS2 Directive
  4. Provide feedback about our website!
  5. Recently reported scams
  6. Appearance of the NCSC-FI’s vulnerability bulletins updated

Over 6,000 TVs in Finland vulnerable to cyber threats

We recommend that you always update the software and firmware of all of your internet-connected devices to the latest versions and enable automatic updates. This will ensure the timely installation of the updates that manufacturers are constantly releasing, which not only improve product features, but often improve information security as well. As we keep amassing more and more internet-connected home devices, it is easy to forget to keep them all updated.

Information security company Bitdefender recently published an article (External link) about vulnerabilities identified in the LG WebOS TV operating system. The organisation reports that by exploiting these vulnerabilities, they were able to gain root access to the tested LG televisions. Although the vulnerable service is intended for LAN access only, over 90,000 devices that expose this service to the internet have been identified. Of these devices, over 6,000 are located in Finland. The NCSC-FI recommends that all owners of LG televisions update their devices to the latest OS versions, which fix the vulnerabilities in question. You can usually download updates via the device’s settings menu. While not all of the 6,000 devices are vulnerable, the case highlights the importance of taking care of the information security of internet-connected devices.

List of vulnerable LG WebOS versions:

  • webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA televisions
  • webOS 5.5.0 - 04.50.51 running on OLED55CXPUA televisions
  • webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB televisions
  • webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA televisions

Whenever you purchase a new device, you should always update its firmware and software to the latest versions during setup, as the manufacturer may have released updates between the device being released and you purchasing it. These updates are not installed automatically while the devices are sitting inside cardboard boxes in storage, so it is up to the user to install them.

The NCSC-FI has published instructions on how to improve the information security of home routers (External link). By following the tips provided in the instructions, you can make sure that your device has remote access disabled and its firewall enabled. You can also prevent your devices from being exposed to the internet by enabling NAT (Network Address Translation). In addition, you can create a dedicated network for IoT (Internet of Things) devices so that your remote work devices and home smart devices are on different networks, which keeps potentially vulnerable smart devices off the network that your work devices use.

Do also keep in mind that every manufacturer releases different fixes and updates for their devices and that LG is by no means the only manufacturer whose devices have vulnerabilities. The number of vulnerabilities that are publicly disclosed and issued a unique CVE ID each year is over 20,000. This figure is not the whole truth, however, as many shortcomings in the information security of products and services are fixed without ever being publicly disclosed.

Recording of the Tietoturva 2024 information security seminar now available 

The Tietoturva 2024 information security seminar organised by Traficom’s NCSC-FI and the National Emergency Supply Agency in mid-March attracted over 3,000 attendees. This year, the seminar focused especially on exploring the impacts of artificial intelligence and quantum technology on information security. The seminar also included the award ceremony of this year’s Information Security Trailblazer award, which was given out to organisations engaging in cooperation to prevent scam calls and messages.

Chief Adviser Jussi Eronen talking about cyber security to thousands of attendees.


The recording of the Information Security Seminar 2024 is available on Traficom's YouTube channel.


How to prepare for the cyber security risk management requirements of the NIS2 Directive

We have published a request for comments concerning Traficom’s draft recommendation for supervisory authorities regarding cyber security risk management measures based on the NIS2 Directive. The recommendation also supports the cyber security risk management planning of operators. The draft recommendation includes information and practical examples of what kinds of measures the statutory requirements may entail.

The draft recommendation presents basic-level information security practices describing the measures that organisations can take to protect themselves against the most common cyber threats. With these basic-level information security practices, operators – including ones outside the scope of application of the NIS2 Directive – can assess their cyber security maturity and improve their cyber security. 

Written comments can be submitted via the Lausuntopalvelu service until 31 May 2024 (in Finnish and Swedish).

Go to Lausuntopalvelu (External link)

Contribute to the development of our website

We are developing our website and would like to hear users’ thoughts on how we could improve the ways in which we provide information and guidance on everyday information security matters. You can contribute by responding to a short questionnaire or registering your participation in a usability study.

Read more and respond to the questionnaire (in Finnish) (External link)

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

The appearance of the NCSC-FI’s vulnerability bulletins has been updated

The appearance of the vulnerability bulletins published by the NCSC-FI (External link) has been updated to make the bulletins more flexible. The change applies to new vulnerability bulletins published from 11 April onwards.

 

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 5–11 April 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.