Over the last few years, researchers have found a shocking number of vulnerabilities in seemingly basic code that underpins how devices communicate with the internet. Now a new set of nine such vulnerabilities are exposing an estimated 100 million devices worldwide, including an array of internet-of-things products and IT management servers. The larger question researchers are scrambling to answer, though, is how to spur substantive changes—and implement effective defenses—as more and more of these types of vulnerabilities pile up.
Dubbed Name:Wreck, the newly disclosed flaws are in four ubiquitous TCP/IP stacks, code that integrates network communication protocols to establish connections between devices and the internet. The vulnerabilities, present in operating systems like the open source project FreeBSD, as well as Nucleus NET from the industrial control firm Siemens, all relate to how these stacks implement the “Domain Name System” internet phone book. They all would allow an attacker to either crash a device and take it offline or gain control of it remotely. Both of these attacks could potentially wreak havoc in a network, especially in critical infrastructure, health care, or manufacturing settings where infiltrating a connected device or IT server can disrupt a whole system or serve as a valuable jumping-off point for burrowing deeper into a victim’s network.
All of the vulnerabilities, discovered by researchers at the security firms Forescout and JSOF, now have patches available, but that doesn’t necessarily translate to fixes in actual devices, which often run older software versions. Sometimes manufacturers haven’t created mechanisms to update this code, but in other situations they don’t manufacture the component it’s running on and simply don’t have control of the mechanism.
“With all these findings I know it can seem like we’re just bringing problems to the table, but we’re really trying to raise awareness, work with the community, and figure out ways to address it,” says Elisa Costante, vice president of research at Forescout, which has done other, similar research through an effort it calls Project Memoria. “We’ve analyzed more than 15 TCP/IP stacks both proprietary and open source and we’ve found that there’s no real difference in quality. But these commonalities are also helpful, because we’ve found they have similar weak spots. When we analyze a new stack we can go and look at these same places and share those common problems with other researchers as well as developers.”
The researchers haven’t seen evidence yet that attackers are actively exploiting these types of vulnerabilities in the wild. But with hundreds of millions—perhaps billions—of devices potentially impacted across numerous different findings, the exposure is significant.
Siemens chief cybersecurity officer Kurt John told WIRED in a statement that the company “works closely with governments and industry partners to mitigate vulnerabilities … In this case we’re happy to have collaborated with one such partner, Forescout, to quickly identify and mitigate the vulnerability.”
The researchers coordinated disclosure of the flaws with developers releasing patches, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and other vulnerability-tracking groups. Similar flaws found by Forescout and JSOF in other proprietary and open source TCP/IP stacks have already been found to expose hundreds of millions or even possibly billions of devices worldwide.
Issues show up so often in these ubiquitous network protocols because they’ve largely been passed down untouched through decades as the technology around them evolves. Essentially, since it ain’t broke, no one fixes it.
“For better or worse, these devices have code in them that people wrote 20 years ago—with the security mentality of 20 years ago,” says Ang Cui, CEO of the IoT security firm Red Balloon Security. “And it works; it never failed. But once you connect that to the internet, it’s insecure. And that’s not that surprising, given that we’ve had to really rethink how we do security for general-purpose computers over those 20 years.”