Millions of IoT Devices Open to Attack Due to Security Flaws

Forescout Research Labs and JSOF researchers have disclosed nine security flaws in four widely used TCP/IP stacks that leave more than 100 million devices vulnerable to attack. The set of flaws, dubbed Name:Wreck, mainly affects Internet of Things (IoT) products and IT management servers. A TCP/IP stack is the software that implements the network protocols a device uses to talk to other hosts and the Internet; the affected stacks ship in operating systems such as the open-source FreeBSD and Siemens’ Nucleus NET. The flaws sit in the stacks’ DNS handling (the “Name” in Name:Wreck), and an attacker could use them to crash a device, take it offline or gain control of it.

Wired reports that, “all of the vulnerabilities … now have patches available, but that doesn’t necessarily translate to fixes in actual devices, which often run older software versions.” Device manufacturers either haven’t created the mechanism to update the code or “don’t manufacture the component it’s running on and simply don’t have control of the mechanism.”

Forescout vice president of research Elisa Costante reported the company has “analyzed more than 15 TCP/IP stacks both proprietary and open source and we’ve found that there’s no real difference in quality.” Those commonalities, she added, are “helpful, because we’ve found they have similar weak spots.” There is no evidence — yet — that “attackers are actively exploiting these types of vulnerabilities in the wild.”

Siemens USA chief cybersecurity officer Kurt John said his company “works closely with governments and industry partners to mitigate vulnerabilities,” and in this case worked with Forescout as well as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and “other vulnerability-tracking groups.”

Wired notes that, “issues show up so often in these ubiquitous network protocols because they’ve largely been passed down untouched through decades as the technology around them evolves.”

“For better or worse, these devices have code in them that people wrote 20 years ago — with the security mentality of 20 years ago,” said IoT security firm Red Balloon Security chief executive Ang Cui. Open Crypto Audit Project co-director Kenn White added that, “there are lots of examples of unintentionally recreating these low-level network bugs from the ‘90s.”

The good news, according to Costante, is that “exploitation activity would be fairly predictable, making it easier to detect attempts to take advantage of these flaws.” Forescout “has released an open source script that network managers can use to identify potentially vulnerable IoT devices and servers in their environments … [and] also maintains an open source library of database queries that researchers and developers can use to find similar DNS-related vulnerabilities more easily.”
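The DNS-related weak spot the researchers keep finding across stacks is the parser for compressed domain names: RFC 1035 lets a name end in a two-byte pointer to an earlier occurrence of the name, and a parser that follows that pointer without checking where it lands can be sent into an infinite loop, past the end of the packet, or into writing more than 255 bytes into a fixed name buffer. The C below is an added example written for this article, not Forescout’s script, its query library, or code from any of the affected stacks. It shows a name decoder with the checks those stacks were missing, run over constructed packets (a normal compressed answer, a self-referential pointer, a truncated label, a forward pointer and an over-long name); the sample messages, `dns_read_name`, `parse_at` and `parse_overlong_name` are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME     255   /* RFC 1035: total wire length of a name, root label included */
#define DNS_MAX_PTR_HOPS 16    /* belt-and-braces bound on pointer chasing */

enum {
    DNS_OK = 0,
    DNS_ERR_TRUNCATED   = -1,  /* a label or pointer runs past the end of the message */
    DNS_ERR_BAD_POINTER = -2,  /* pointer does not point strictly backwards (self/forward) */
    DNS_ERR_LOOP        = -3,  /* too many pointer hops */
    DNS_ERR_LABEL       = -4,  /* reserved length prefix 0x40/0x80, i.e. a label over 63 bytes */
    DNS_ERR_NAME_LEN    = -5   /* decoded name exceeds 255 bytes or the output buffer */
};

/* Decode the name at msg[off] into out as dotted text. On success *consumed is the
 * number of bytes the name occupies at off itself (2 for a bare pointer), which is
 * what the caller must skip to reach the next field. Every read is checked against
 * msglen, the length of the datagram actually received, never against a length the
 * sender controls. (Example code written for this article, not a stack's real parser.) */
int dns_read_name(const uint8_t *msg, size_t msglen, size_t off,
                  char *out, size_t outlen, size_t *consumed)
{
    size_t pos = off, outpos = 0, wirelen = 0, end = 0;
    int hops = 0, jumped = 0;

    if (outlen == 0) return DNS_ERR_NAME_LEN;
    out[0] = '\0';

    for (;;) {
        if (pos >= msglen) return DNS_ERR_TRUNCATED;
        uint8_t len = msg[pos];

        if ((len & 0xC0) == 0xC0) {                 /* 14-bit compression pointer */
            if (pos + 1 >= msglen) return DNS_ERR_TRUNCATED;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) { end = pos + 2; jumped = 1; }
            /* RFC 1035 says a pointer refers to a *prior* occurrence of the name.
             * Requiring target < pos makes every hop move strictly backwards, so a
             * self-pointer or a cycle of pointers is impossible by construction. */
            if (target >= pos) return DNS_ERR_BAD_POINTER;
            if (++hops > DNS_MAX_PTR_HOPS) return DNS_ERR_LOOP;
            pos = target;
            continue;
        }
        if (len & 0xC0) return DNS_ERR_LABEL;       /* 0x40/0x80 prefixes are reserved */
        if (len == 0) {                             /* root label terminates the name */
            if (!jumped) end = pos + 1;
            break;
        }
        if (pos + 1 + len > msglen) return DNS_ERR_TRUNCATED;
        wirelen += 1 + len;
        if (wirelen + 1 > DNS_MAX_NAME) return DNS_ERR_NAME_LEN;
        if (outpos + len + 2 > outlen) return DNS_ERR_NAME_LEN;   /* '.' + label + NUL */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, len);
        outpos += len;
        pos += 1 + len;
    }
    out[outpos] = '\0';
    if (consumed) *consumed = end - off;
    return DNS_OK;
}

/* Constructed sample messages (not real captures). Each starts with a 12-byte header. */
static const uint8_t good_msg[] = {               /* question for example.com, answer points back */
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* offsets 12..24 */
    0,1, 0,1,                                            /* QTYPE, QCLASS */
    0xC0,0x0C,                                           /* offset 29: pointer to offset 12 */
};
static const uint8_t self_ptr_msg[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,0x0C };  /* points to itself */
static const uint8_t short_msg[]    = { 0,0,0,0,0,0,0,0,0,0,0,0, 7,'e','x','a' }; /* label of 7, 3 bytes left */
static const uint8_t fwd_ptr_msg[]  = { 0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,0x40 };  /* points past the end */

char   g_name[256];
size_t g_used;

/* Wrapper so each sample yields a single checkable result code plus g_name/g_used. */
int parse_at(const uint8_t *msg, size_t msglen, size_t off)
{
    return dns_read_name(msg, msglen, off, g_name, sizeof g_name, &g_used);
}

/* Five 63-byte labels: each is legal on its own, but 5*64+1 = 321 bytes exceeds 255. */
int parse_overlong_name(void)
{
    uint8_t msg[12 + 5 * 64 + 1];
    size_t p = 12;
    memset(msg, 0, sizeof msg);
    for (int i = 0; i < 5; i++) { msg[p++] = 63; memset(msg + p, 'a', 63); p += 63; }
    msg[p] = 0;
    return parse_at(msg, sizeof msg, 12);
}

int main(void)
{
    int rc = parse_at(good_msg, sizeof good_msg, 29);
    printf("answer name:  rc=%d name=%s skip=%zu\n", rc, g_name, g_used);
    printf("self pointer: rc=%d\n", parse_at(self_ptr_msg, sizeof self_ptr_msg, 12));
    printf("truncated:    rc=%d\n", parse_at(short_msg, sizeof short_msg, 12));
    printf("forward ptr:  rc=%d\n", parse_at(fwd_ptr_msg, sizeof fwd_ptr_msg, 12));
    printf("overlong:     rc=%d\n", parse_overlong_name());
    return 0;
}
```

The three checks that matter are the ones a twenty-year-old parser typically lacks: the pointer target must be strictly earlier in the message, every label must fit inside the received datagram rather than inside a size field the sender wrote, and the decoded name must be cut off at 255 bytes before it is copied into a fixed buffer. The same properties also make the malformed packets easy to recognise on the wire, which is what makes exploitation attempts against these flaws predictable and detectable.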

TechSpot reports that the implications of these security flaws “could be catastrophic for critical systems like those used in healthcare, manufacturing, or government networks.” Forescout’s open-source script is designed to “help administrators track down vulnerable IoT devices and servers on the network.”

The researchers also noted that, “these are just nine flaws out of the 15 TCP/IP stacks they analyzed … [and] there could be many more, but it will take time to identify them.” Until then, “Forescout recommends limiting such equipment from connecting directly to the Internet as much as possible.”

Related:
Synopsys: 84% of Codebases Contain an Open Source Vulnerability, VentureBeat, 4/13/21
A Casino Gets Hacked Through a Fish-Tank Thermometer, Entrepreneur, 4/14/21
How (and Why) Cyber Specialists Hacked a North American Utility’s Smart Meter, CyberScoop, 4/16/21