Yes, at this point it’s a cliche that cheap, generic internet of things products can harbor vulnerabilities that potentially expose millions or even billions of devices. And yet it’s no less urgent each time. Now, new research from the IoT security firm Forescout highlights 33 flaws in open source internet protocol bundles that potentially expose millions of embedded devices to attacks like information interception, denial of service, and total takeover. The affected devices run the gamut: smart home sensors and lights, barcode readers, enterprise network equipment, building automation systems, and even industrial control equipment. They’re difficult if not impossible to patch—and introduce real risk that attackers could exploit these flaws as a first step into a vast array of networks.
At the Black Hat Europe security conference on Wednesday, Forescout researchers will detail the vulnerabilities found in seven open source “TCP/IP stacks,” the collection of network communication protocols that broker connections between devices and networks like the internet. The group estimates that millions of devices from more than 150 vendors likely contain the vulnerabilities, which they collectively call Amnesia:33.
The seven stacks are all open source and have been modified and republished in many forms. Five of the seven have been around for nearly 20 years, and two have circulated since 2013. That longevity means that there are many versions and variations of each stack out there with no central authority to issue patches. And even if there were, manufacturers who have incorporated the code into their products would need to proactively adopt the correct patch for their version and implementation, then distribute it to users.
“What scares me the most is that it’s very difficult to understand how big the impact is and how many more vulnerable devices are out there,” says Elisa Costante, vice president of research at Forescout. “These vulnerable stacks are open source so everybody can take them and use them and you can document it or not. The 150 we have so far are the ones we could find that were documented. But I’m sure there are tons and tons of other vulnerable devices that we just don’t know about yet.”
Even worse, in many cases it wouldn’t actually be feasible for device makers themselves to push patches even if they wanted to or could. Many vendors get basic functionality like the TCP/IP stack from the “systems-on-a-chip” provided by third-party silicon makers, who would need to be involved in a fix as well. And it’s far from a given that many of these parties would even have a way to deliver a patch. In some instances, for example, Forescout researchers found that vulnerabilities in a diverse array of devices could all be traced to one SoC maker that went bankrupt and is no longer in business.
“These situations are just such a ridiculous mess, I don’t know what else to say about it,” says Ang Cui, a longtime IoT hacker and CEO of the embedded security firm Red Balloon Security. “You can say well IoT security is bad, it’s not a surprise. But there’s a real cumulative risk with each of these types of big, systemic revelations and it may feel like a big surprise to most people when attackers come along and start actually exploiting them. We need to do better on securing these products.”
Many of the vulnerabilities the Forescout researchers found are basic programming oversights, like a lack of so-called input validation checks that keep a system from accepting problematic values or operations. Think about a calculator that produces an error when you try to divide by zero instead of crashing from the strain of trying to figure out how to do it. Many of the bugs are “memory corruption” flaws—hence the name Amnesia:33—that allow an attacker to read data from a device’s memory or add data to it such that they can exfiltrate information, crash the device at will, or take control. Some of the vulnerabilities also relate to internet connectivity mechanisms like how the stack handles Domain Name System records and Internet Protocol addressing like IPv4 and the more recent IPv6.
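To make the "missing input validation" point concrete, here is an added illustration, written for this article and not taken from Forescout's report or from any of the seven stacks it covers. It decodes the length-prefixed hostname labels found in a DNS message, the kind of parsing an embedded stack does on every response it receives, and checks each length byte against the bytes actually left in the packet and against the size of the output buffer before copying anything. The function and type names are hypothetical, the sample messages are constructed by hand, and compression pointers are simply rejected to keep the example short.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, bounds-checked decoder for a DNS name in wire format
 * (RFC 1035 section 3.1: a sequence of <length byte><label bytes>, ended
 * by a zero length byte). Not code from any real TCP/IP stack. */

#define MAX_LABEL_LEN 63
#define MAX_NAME_LEN  255

typedef enum {
    DNS_NAME_OK = 0,
    DNS_NAME_TRUNCATED,      /* length byte promises more bytes than the packet holds */
    DNS_NAME_LABEL_TOO_LONG, /* length byte > 63 (also catches compression pointers) */
    DNS_NAME_TOO_LONG,       /* decoded name would overflow the caller's buffer */
    DNS_NAME_NO_TERMINATOR   /* packet ended before the zero-length root label */
} dns_name_status;

/* Decode the name at pkt[*offset] into `out` as dotted, NUL-terminated text.
 * pkt_len is the real size of the received buffer, out_cap the size of `out`.
 * Every read is checked against pkt_len and every write against out_cap, so a
 * malformed packet produces an error code instead of reading or writing
 * outside either buffer. On success *offset is advanced past the name. */
dns_name_status dns_decode_name(const uint8_t *pkt, size_t pkt_len,
                                size_t *offset, char *out, size_t out_cap)
{
    size_t pos = *offset;
    size_t out_len = 0;

    if (out_cap == 0) return DNS_NAME_TOO_LONG;

    for (;;) {
        if (pos >= pkt_len) return DNS_NAME_NO_TERMINATOR;
        uint8_t len = pkt[pos++];
        if (len == 0) break;                               /* root label: done */
        if (len > MAX_LABEL_LEN) return DNS_NAME_LABEL_TOO_LONG;
        /* The check a careless parser omits: trust the length byte only if
         * that many bytes really remain in the packet. */
        if (len > pkt_len - pos) return DNS_NAME_TRUNCATED;
        /* Room needed: existing text, a '.' before every label but the first,
         * the label itself, and the terminating NUL (hence >= out_cap). */
        size_t need = out_len + (out_len ? 1 : 0) + len;
        if (need >= out_cap || need > MAX_NAME_LEN) return DNS_NAME_TOO_LONG;
        if (out_len) out[out_len++] = '.';
        memcpy(out + out_len, pkt + pos, len);
        out_len += len;
        pos += len;
    }
    out[out_len] = '\0';
    *offset = pos;
    return DNS_NAME_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t GOOD_NAME[]   = { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t TRUNC_NAME[]  = { 3,'w','w','w', 40,'e','x' };  /* claims 40 bytes, carries 2 */
static const uint8_t NO_ROOT[]     = { 3,'w','w','w' };              /* no terminating zero byte */
static const uint8_t POINTER[]     = { 0xC0, 0x0C };                 /* compression pointer, rejected */

/* Small wrappers so each case can be exercised (and asserted on) by name. */
dns_name_status sample_good(void)
{ char buf[64]; size_t off = 0; return dns_decode_name(GOOD_NAME, sizeof GOOD_NAME, &off, buf, sizeof buf); }
int sample_good_is_dotted(void)
{ char buf[64]; size_t off = 0; dns_decode_name(GOOD_NAME, sizeof GOOD_NAME, &off, buf, sizeof buf);
  return strcmp(buf, "www.example.com") == 0 && off == sizeof GOOD_NAME; }
dns_name_status sample_truncated(void)
{ char buf[64]; size_t off = 0; return dns_decode_name(TRUNC_NAME, sizeof TRUNC_NAME, &off, buf, sizeof buf); }
dns_name_status sample_no_root(void)
{ char buf[64]; size_t off = 0; return dns_decode_name(NO_ROOT, sizeof NO_ROOT, &off, buf, sizeof buf); }
dns_name_status sample_pointer(void)
{ char buf[64]; size_t off = 0; return dns_decode_name(POINTER, sizeof POINTER, &off, buf, sizeof buf); }
dns_name_status sample_small_out(void)   /* valid packet, but an 8-byte output buffer */
{ char buf[8]; size_t off = 0; return dns_decode_name(GOOD_NAME, sizeof GOOD_NAME, &off, buf, sizeof buf); }

int main(void)
{
    printf("good: %d, truncated: %d, no root: %d, pointer: %d, small out: %d\n",
           sample_good(), sample_truncated(), sample_no_root(),
           sample_pointer(), sample_small_out());
    return 0;
}
```

The two comparisons that matter are `len > pkt_len - pos` and `need >= out_cap`: the first keeps the copy inside the received packet, the second inside the destination buffer. A parser that copies on the strength of the length byte alone has exactly the shape of memory-read and memory-write flaw the article describes, and an attacker-supplied DNS response is the input that reaches it.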