By now it is a cliché that cheap, generic IoT products can harbor vulnerabilities that potentially expose millions or even billions of devices. And yet it is no less urgent each time. Now a new study from the IoT security company Forescout highlights 33 flaws in open source Internet protocol implementations that potentially expose millions of embedded devices to attacks such as information interception, denial of service and total takeover. Affected devices run the gamut: smart home lighting and sensors, barcode readers, corporate network equipment, building automation systems and even industrial control equipment. They are difficult, if not impossible, to fix, and present a real risk that attackers could exploit these flaws as a first step into a wide range of networks.
At the Black Hat Europe security conference on Wednesday, Forescout researchers will detail the vulnerabilities found in seven open source “TCP/IP stacks,” the collections of network communication protocols that negotiate connections between devices and networks like the Internet. The group estimates that millions of devices from more than 150 vendors likely contain the vulnerabilities, which they collectively call Amnesia:33.
The seven stacks are all open source and have been modified and republished in many forms. Five of the seven have been around for nearly 20 years, and two have been around since 2013. This longevity means there are many versions and variations of each stack, with no central authority to issue patches. And even if there were, manufacturers that incorporated the code into their products would have to proactively adopt the right fix for their version and implementation, and then distribute it to users.
“What scares me the most is that it’s very difficult to understand the scale of the impact and the number of vulnerable devices,” says Elisa Costante, vice president of research at Forescout. “These vulnerable stacks are open source, so anyone can take and use them, and you can document that or not. The 150 we have so far are the ones we could find that have been documented. But I am sure there are tons and tons of other vulnerable devices that we don’t know about yet.”
Worse yet, in many cases it wouldn’t be possible for the device makers themselves to come up with fixes, even if they wanted to. Many vendors get basic functionality like the TCP/IP stack from “systems-on-a-chip” supplied by third-party silicon manufacturers, which would also have to be involved in a patch. And it’s far from certain that many of these parties would even have a way to provide a fix. In some cases, for example, Forescout researchers found that vulnerabilities across a wide range of devices can all be traced to an SoC manufacturer that has gone bankrupt and is no longer in business.
“These situations are such a ridiculous mess, I don’t know what else to say about it,” says Ang Cui, a longtime hacker and CEO of the embedded security firm Red Balloon Security. “You can say IoT security is bad, whatever. But there’s a real cumulative risk with each of these types of big systemic disclosures. We have to do better at designing these products.”
Most of the vulnerabilities discovered by the Forescout researchers are basic programming oversights, such as a lack of input validation checks that keep a system from accepting problematic values or operations. Think of a calculator that returns an error when you try to divide by zero instead of crashing from the effort of trying to work out how to do it. Most of the bugs are “memory corruption” vulnerabilities – hence the name Amnesia:33 – that allow an attacker to read data from or write data to a device’s memory so that they can exfiltrate information, crash the device at will or take control. Some of the vulnerabilities also relate to Internet connectivity mechanisms such as the way the stack handles Domain Name System records and Internet protocol addressing such as IPv4 and the newer IPv6.
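To make the bug class described here concrete, the following is an added example written for this article; it is not Forescout's code and not code from any of the affected stacks. It decodes a DNS-style name (length-prefixed labels ending in a zero byte, the format a stack parses when handling Domain Name System records) twice: once trusting the length byte the way a stack missing input validation would, and once checking every length against the packet and the output buffer before using it. The NAME_MAX limit, the function names and the sample packets are assumptions constructed for the example, not values from the study.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical output limit for a decoded name (constructed for this example;
 * a real stack would size this to the DNS maximum). */
#define NAME_MAX 64

/* The bug class the text describes: the length byte from the packet is trusted
 * and used directly as a copy count. A label length larger than the bytes left
 * in the packet, or than the output buffer, makes memcpy read and write past
 * the buffers. Shown only for contrast; never use on untrusted input. */
int decode_name_unchecked(const uint8_t *pkt, char *out)
{
    size_t in = 0, o = 0;
    for (;;) {
        uint8_t lab = pkt[in++];
        if (lab == 0) break;
        if (o > 0) out[o++] = '.';
        memcpy(out + o, pkt + in, lab);   /* lab is never compared to anything */
        o += lab;
        in += lab;
    }
    out[o] = '\0';
    return (int)in;
}

/* Hardened form: every length is validated against what the packet actually
 * contains and against the output buffer before it is used. Returns the number
 * of bytes consumed from pkt, or -1 for a malformed name. */
int decode_name_checked(const uint8_t *pkt, size_t pkt_len,
                        char *out, size_t out_len)
{
    size_t in = 0, o = 0;
    for (;;) {
        if (in >= pkt_len) return -1;         /* terminator missing: truncated packet */
        uint8_t lab = pkt[in++];
        if (lab == 0) break;                  /* zero byte ends the name */
        if (lab > 63) return -1;              /* labels are at most 63 bytes; compression not handled here */
        if (lab > pkt_len - in) return -1;    /* length claims bytes the packet does not have */
        size_t need = o + (o > 0 ? 1 : 0) + lab + 1;  /* separator, label bytes, NUL */
        if (need > out_len) return -1;        /* decoded name would not fit in out */
        if (o > 0) out[o++] = '.';
        memcpy(out + o, pkt + in, lab);
        o += lab;
        in += lab;
    }
    if (o >= out_len) return -1;              /* room for the terminating NUL */
    out[o] = '\0';
    return (int)in;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t GOOD_NAME[]  = { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t BAD_LENGTH[] = { 3,'w','w','w', 63,'e','x' };   /* claims 63 bytes, has 2 */
static const uint8_t TRUNCATED[]  = { 3,'w','w','w' };               /* no terminator */

static char g_name[NAME_MAX];

/* Decode pkt into g_name, allowing the parser only out_len bytes of it
 * (capped at NAME_MAX) so the output-size check can be exercised too. */
int try_decode(const uint8_t *pkt, size_t pkt_len, size_t out_len)
{
    if (out_len > NAME_MAX) out_len = NAME_MAX;
    memset(g_name, 0, sizeof g_name);
    return decode_name_checked(pkt, pkt_len, g_name, out_len);
}

int main(void)
{
    int n = try_decode(GOOD_NAME, sizeof GOOD_NAME, NAME_MAX);
    printf("good:      %d (%s)\n", n, g_name);
    printf("bad len:   %d\n", try_decode(BAD_LENGTH, sizeof BAD_LENGTH, NAME_MAX));
    printf("truncated: %d\n", try_decode(TRUNCATED, sizeof TRUNCATED, NAME_MAX));
    printf("small out: %d\n", try_decode(GOOD_NAME, sizeof GOOD_NAME, 8));
    return 0;
}
```

The checked decoder rejects all three malformed cases (a label that claims more bytes than remain, a packet that ends before the terminator, and a name that would not fit in the output buffer) and returns the bytes consumed only for the well-formed name; the unchecked decoder would copy whatever the length byte says and fail exactly the way the text describes.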