Welcome to Digi’s Security Center, where we strive to make this your one-stop location for all the security news, information and resources related to our products and services.
MAR 3, 2017: Practical exploits against SHA1 hashing have now been discovered
Although we have been migrating our products' use of SHA1 for the last few years, we are re-evaluating our products for any remaining SHA1 hash use. We anticipate that future releases will remove the SHA1 hash use and move to the stronger SHA3 or SHA2 routines.
NOV 10, 2016: OpenSSL - New Security Release 1.1.0c
We are still reviewing the impact of this on our devices. We believe that this will not have any impact for Digi, as we use the OpenSSL long term support (LTS) version, OpenSSL v1.0.2, in our products, and not v1.1.0.
OCT 21, 2016: Dirty COW - (CVE-2016-5195)
We are in the process of fully testing our products against this vulnerability. Currently, we have found a few devices that are slightly impacted. However, due to the product type, there is no way to effectively exploit the devices with this vulnerability.
OCT 01, 2016: Mirai Botnet Impact Investigations
At this time, we have reviewed this, and we are not aware of any of our devices that can be compromised by this botnet. We are continuing to monitor this in case this changes in the future.
MAY 3, 2017: Evaluation of Security Vulnerability VU#561444
Expanded info on CVE-2014-9222, CVE-2014-9223
Many Digi products contain and use the RomPager by Allegrosoft web server technology. It has come to our attention that this embedded web server, which is used for management of our devices, contains what we have defined as a critical vulnerability. We urge any customer who may have one of these products where the administrative web server is available on non-secure networks to either upgrade the firmware to a patched version or disable the web server for management of these devices.
With global scalability, certifications, and compliance, Digi has developed Digi TrustFence™, a security framework along with a series of best practices making our approach to security stand apart in the marketplace, including:
A dedicated security office ensuring that security best practices are incorporated into the engineering design process. Our approach incorporates accepted guidelines and processes that take into consideration product design and testing such as those defined by the American Society for Quality/ Failure Mode Effects Analysis; iSixSigma/DFMEA; ISO9001 SDLC, Penetration Testing Execution Standard and OWASP; as well as emerging standards such as the Online Trust Alliance (OTA). Additionally, we are active participants in established standards bodies including the ZigBee® Alliance, Thread Group, and the SunSpec Alliance, and are members of established organizations such as the Center for Internet Security.
Our standalone security lab tests our products in a variety of ways, including vulnerability analysis and penetration testing. Our skilled testing staff has received certification from leading security bodies including (ISC)², EC-Council – Licensed Pen Tester (LPT/ECSA/CEH), and in Six Sigma capabilities. In addition, we go beyond general information technology certifications to offer industry expertise in certifications that apply to specific markets, such as energy, government, medical, industrial, retail, transportation and more.
Our dedicated security team regularly collaborates with product and engineering teams on key security issues. In the design process we take a systematic security approach – encompassing design, software, physical attributes and more – making security part of the product lifecycle. We also involve our customers and partners in the process to ensure a real-life approach that tests security within actual deployment environments.
By providing ongoing threat measurement and monitoring services as well as performing internal and external security audits on a regular basis, we ensure our cloud platform offers up-to-date security patches, and provide ongoing proactive communication regarding upcoming threats. Our cloud platforms conform to the latest security frameworks, like ISO27001, and have acquired a PCI Report on Compliance as a managed service provider.
Contact us for more information