The disclosure of 33 TCP/IP stack flaws affecting smart devices manufactured by over 150 different tech companies has once again thrown the spotlight on lax attitudes to IoT security at the development level. The likelihood of being able to patch them across every device is low, meaning users must either live with the risk of compromise, or splash out on heightened precautions that can never guarantee protection.
Dubbed Amnesia:33 by the Forescout research team that uncovered them, the vulnerabilities have already been the subject of a fresh alert from the US’ CISA cyber security centre. They were uncovered as part of Forescout’s Project Memoria, an initiative purposely set up to study the security of TCP/IP stacks, and their publication is the first disclosure made under the initiative.
Forescout revealed that four of the vulnerabilities were critical, enabling remote code execution (RCE) on targeted devices and giving attackers an easy entry point onto a network, whether consumer or enterprise, to establish persistence, move laterally, and conduct further attacks, or put devices into large IoT botnets. Others arise from bad software development practice and relate to memory corruption, which can cause denial of service or information leaks, or allow for code execution.
Multiple open source TCP/IP stacks used in the operating systems of embedded devices, systems-on-a-chip, network hardware, OT devices, and thousands of enterprise and consumer IoT devices are affected, which Forescout said meant a single vulnerability could spread easily and silently across multiple codebases, development teams, companies and products, and hence millions of devices.
Jonathan Knudsen, senior security strategist at Synopsys, said the disclosures highlighted huge problems at the development level: “Security must be part of every phase of software development. During the design of an application, threat modelling and architectural risk analysis are critical. During development, static analysis helps minimise weaknesses, and software composition analysis (SCA) helps minimise risks of third-party components.
“Fuzz testing minimises risk by helping developers harden the application to unexpected or malicious protocol inputs. Security even plays a key role in software maintenance, when new vulnerabilities in software components might be discovered and software updates might be necessary,” he said.
The Amnesia:33 disclosure is of particular concern because of its sheer scale and complexity, making patching very difficult and in some cases even impossible, as Chris Grove, technology evangelist at Nozomi Networks, pointed out.
There is no sign of any let-up in the volume or variety of embedded devices, many of them developed quickly and cheaply, released and forgotten about, explained Grove, while attackers can often take advantage of vulnerabilities in them for a significant length of time prior to disclosure.
“Knowing that the root-cause of the problem (deploying vulnerable embedded and IoT systems) is growing at an exponential and alarming rate, it’s clear that the risks need to be accounted for and properly mitigated. In many cases, embedded and un-managed technology is difficult to identify, much less considering it part of a managed asset inventory,” he said.
“After the embedded systems are identified, the expected behaviours of those devices can be difficult to ascertain and manage. Furthermore, understanding how to mitigate the vulnerabilities after they’ve been identified is another matter. In fact, sometimes it’s impossible to patch, leaving operators with the realisation that they have no choice but to assume the risks.”
Knudsen at Synopsys agreed: “For many IoT devices, getting a functioning product to market quickly takes precedence, which means manufacturers might not have an automatic mechanism for updates, or indeed, might not even be devoting resources to maintaining released products.”
Forescout’s team said that due to the complexity of identifying and patching vulnerable devices, managing responses at the organisational level would indeed be a challenge.
“We recommend adopting solutions that provide granular device visibility, allow the monitoring of network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities,” they said.
Synopsys senior security engineer Boris Cipot agreed that given the manufacturers of the affected devices had not got it right, users would have to proactively take action themselves.
“Deploying mitigation techniques, such as treating devices as untrustworthy, monitoring their behaviour, creating subnets in which they work and abiding by the principle of least privilege are just a few steps one can take to protect their assets,” said Cipot.
However, Tod Beardsley, Rapid7 research director, said that the Amnesia:33 disclosures were not necessarily going to result in mass compromise of smart devices and networks.
“I doubt we’ll see active attacks any time soon leveraging these vulnerabilities, mainly because there just isn’t enough information provided in the paper for attackers or defenders to really act when it comes to determining likely targets and configurations,” he said.
“That may change when proof-of-concept exploits are published, but even then, the attacks described in the paper seem to require attackers to be in privileged insider positions or trick end-users into soliciting responses from an attacker-controlled endpoint.”
All Rights Reserved, Copyright 2000 – 2020, TechTarget