Yes, at this point it's a cliché that cheap, generic internet-of-things products can harbor vulnerabilities that potentially expose millions or even billions of devices. And yet it's no less urgent each time. Now, new research from the IoT security firm Forescout highlights 33 flaws in an open source internet protocol bundles that potentially expose millions of embedded devices to attacks like information interception, denial of service, and total takeover. The affected devices run the gamut: smart home sensors and lights, barcode readers, enterprise network equipment, building automation systems, and even industrial control equipment. They're difficult if not impossible to patch—and introduce real risk that attackers could exploit these flaws as a first step into a vast array of networks.
At the Black Hat Europe security conference on Wednesday, Forescout researchers will detail the vulnerabilities found in seven open source TCP/IP stacks, the collection of network communication protocols that broker connections between devices and networks like the internet. The group estimates that millions of devices from more than 150 vendors likely contain the vulnerabilities, which they collectively call Amnesia:33.
The seven stacks are all open source and have been modified and republished in many forms. Five of the seven have been around for nearly 20 years, and two have circulated since 2013. That longevity means that there are many versions and variations of each stack out there with no central authority to issue patches. And even if there were, manufacturers who have incorporated the code into their products would need to proactively adopt the correct patch for their version and implementation, then distribute it to users.
"What scares me the most is that it’s very difficult to understand how big the impact is and how many more vulnerable devices are out there," says Elisa Costante, vice president of research at Forescout. "These vulnerable stacks are open source, so everybody can take them and use them and you can document it or not. The 150 we have so far are the ones we could find that were documented. But I'm sure there are tons and tons of other vulnerable devices that we just don't know about yet."
Even worse, in many cases it wouldn't actually be feasible for device makers themselves to push patches even if they wanted to or could. Many vendors get basic functionality like the TCP/IP stack from the "systems on a chip" provided by third-party silicon makers, who would need to be involved in a fix as well. And it's far from a given that many of these parties would even have a way to deliver a patch. In some instances, for example, Forescout researchers found that vulnerabilities in a diverse array of devices could all be traced to one systems-on-a-chip maker that went bankrupt and is no longer in business.
"These situations are just such a ridiculous mess, I don't know what else to say about it," says Ang Cui, a longtime IoT hacker and CEO of the embedded security firm Red Balloon Security. "You can say, 'Well IoT security is bad, it's not a surprise.' But there's a real cumulative risk with each of these types of big, systemic revelations, and it may feel like a big surprise to most people when attackers come along and start actually exploiting them. We need to do better on securing these products."
Many of the vulnerabilities the Forescout researchers found are basic programming oversights, like a lack of so-called input validation checks that keep a system from accepting problematic values or operations. Think about a calculator that produces an error when you try to divide by zero instead of crashing from the strain of trying to figure out how to do it. Many of the bugs are "memory corruption" flaws—hence the name Amnesia:33—that allow an attacker to read data from a device's memory or add data to it such that they can exfiltrate information, crash the device at will, or take control. Some of the vulnerabilities also relate to internet connectivity mechanisms. like how the stack handles domain-name-system records and internet protocol addressing like IPv4 and the more recent IPv6.
Since the TCP/IP stack is so fundamental and involves internet and other network connectivity, the vulnerabilities potentially expose a host of information to attackers and could be exploited as a stepping stone toward infiltrating corporate or industrial networks. At least four of the vulnerabilities can be exploited for remote device takeover.
Because it's not clear how the bugs can be patched in most cases, Forescout has chosen not to publicly detail which devices are affected. In an effort to raise industry awareness about the vulnerabilities, though, numerous agencies worldwide including the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CERT Coordination Center, German Federal Office for Information Security, and Japanese JPCERT Coordination Center are releasing alerts about the vulnerabilities on Tuesday.
One bright spot in the findings is that only embedded devices—not personal computers, smartphones, servers, and so on—are vulnerable to the specific group of Amnesia:33 vulnerabilities. The challenge, though, is that most people and organizations can do little to even determine whether their IoT devices are vulnerable, much less apply fixes. IT administrators should patch as many devices as possible as often as possible, knowing the scope of devices connected to a given network, monitoring traffic patterns to spot suspicious activity, and segmenting networks so one compromised device can't give attackers keys to the whole kingdom. Forescout is also launching a program called Project Memoria to track TCP/IP stack vulnerabilities and work on coordinated disclosure worldwide.
For now, though, vulnerabilities like Amnesia:33 are more a chronic condition to manage than an acute illness with a ready cure. "This is just the tip of the iceberg," says Forescout's Costante. "We need to accept that we will live with some of these vulnerabilities not being patched."