The ‘thing’ now with the internet of things (IoT) products is that its vulnerabilities can put millions and in fact billions of devices at risk. Just recently research from Forescout, the IoT security firm shows that about 33 flaws in open-source internet protocol bundles can make a massive number of devices vulnerable to attacks like a total takeover, denial of service, and information interception.
What happens is this the devices affected by these attacks run a gamut: barcode readers, smart home sensors and lights, enterprise network equipment, industrial control equipment, and building automation systems.
Now the ‘thing’ is they are very difficult to tackle in terms of patching and goes on to pose a serious risk which the attackers can use to their advantage to gain access to a wide range of networks.
According to the sources, researchers from Forescout at the Black Hat Europe security conference talked about the vulnerabilities found in an array of network communication protocols that broker connections between networks and devices like the internet as well as in seven open-source TCP/IP stacks.
The firm estimates that there are millions of devices belonging to 150 vendors which contain a set of vulnerabilities collectively known as Amnesia:33.
Interestingly, all of these seven stacks are open source and have been republished in many types after modification. In fact, two of these have been around since 2013 whereas three have been around for a period of as much as 20 years.
So what that means is many forms, variations, and versions of every stack have been existing. The catch here is that they have persisted without any authority to patch them.
Now, look the ‘thing’ with the patch is that even if manufacturers get a ‘magical’ code to fix this problem then they would require a patch for every version, apply it and then go on to distribute it to other users.
Forescout’s vice president of research, Elisa Constante has voiced her concerns, “What scares me the most is that it’s very difficult to understand how big the impact is and how many more vulnerable devices are out there.” Furthermore, she thinks, “these vulnerable stacks are open source, so everybody can take them and use them and you can document it or not. The 150 we have so far are the ones we could find that were documented. But I’m sure there are tons and tons of other vulnerable devices that we just don’t know about yet.”
Well, disappointingly enough even the device makers cannot be of help in this regard. That is because numerous vendors get basic functionalities from third-parties like the TCP/IP stack from the “systems on a chip” obtained from third-party silicon makers. It means that they need to be involved in patch delivery too.
Red Balloon Security’s CEO and IoT hacker, Ang Cui says that “These situations are just such a ridiculous mess, I don’t know what else to say about it.” “You can say, ‘Well IoT security is bad, it’s not a surprise.’ She added. Only a set of robust security products can help secure information and prevent attackers from breaking into networks and manipulating them to achieve their ends.
Amnesia:33 is an umbrella term for the “memory corruption” flaws allowing an attacker to exploit the data by exfiltrating information, reading data, taking control, and crashing the device.
Too dark and depressing!
HOWEVER, there’s one thing that should be noted that Amnesia:33 vulnerabilities can only occur in embedded devices and not in personal servers, computers, or smartphones. Happy?
The challenge remains for most organizations and people regarding the determination of vulnerability of IoT devices. Applying fixes is another thing. Costante from Forescout says that they will have to live with these vulnerabilities without being patched.