100 million more IoT devices are exposed, and it won't be the last

For several years, researchers have found a shocking number of vulnerabilities in apparently basic code that underlies the way devices communicate with the Internet. Now, a new set of nine such vulnerabilities exposes an estimated 100 million devices worldwide, including a range of Internet of Things products and IT management servers. The bigger question researchers are trying to answer is how to drive substantive change, and implement effective defenses, as more and more of these vulnerabilities pile up.

Dubbed NAME:WRECK, the newly revealed flaws reside in four ubiquitous TCP/IP stacks, the code that implements the network protocols a device uses to communicate over the Internet. The vulnerabilities, present in operating systems such as the open source project FreeBSD as well as Nucleus NET from industrial control company Siemens, all relate to how these stacks implement the Domain Name System, the Internet's directory service. They would all allow an attacker to crash a device and take it offline, or to take control of the device remotely. Both outcomes can wreak havoc on a network, especially in critical infrastructure, healthcare, or manufacturing settings, where the compromise of a connected device or IT server can disrupt an entire system or serve as a valuable jumping-off point to dig deeper into the victim's network.
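The article states only that the flaws lie in how these stacks handle DNS and gives no detail of the individual bugs. The following is an added illustration, not code from the article, from Forescout or JSOF, or from any affected stack: a bounds-checked decoder for a DNS name read from an untrusted message, written in C because that is the language such embedded stacks are typically written in. It shows the checks a parser needs before it trusts a label length or a compression pointer taken from a response: every read is checked against the message length, label and name sizes are capped at the RFC 1035 limits, and pointers may only go backwards so a chain cannot loop. The sample messages are constructed, and the hop cap is an arbitrary choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME     255   /* RFC 1035 limit on a wire-format name */
#define DNS_MAX_LABEL    63    /* RFC 1035 limit on a single label */
#define DNS_MAX_PTR_HOPS 8     /* arbitrary cap on compression-pointer chains */

/*
 * Decode the DNS name at msg[offset] into dotted text in out.
 * Returns the number of wire bytes the name occupies at offset (how far the
 * caller should advance), or -1 if the name is malformed or would read
 * outside the message buffer. Every read is checked against msg_len.
 */
int dns_decode_name(const uint8_t *msg, size_t msg_len, size_t offset,
                    char *out, size_t out_len)
{
    size_t pos = offset, out_pos = 0, name_len = 0, consumed = 0;
    int jumped = 0, hops = 0;

    if (msg == NULL || out == NULL || out_len == 0) return -1;
    out[0] = '\0';

    for (;;) {
        if (pos >= msg_len) return -1;              /* length octet outside message */
        uint8_t len = msg[pos];

        if ((len & 0xC0) == 0xC0) {                 /* compression pointer */
            if (pos + 1 >= msg_len) return -1;      /* a pointer needs two octets */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos) return -1;           /* backward only: no pointer loops */
            if (++hops > DNS_MAX_PTR_HOPS) return -1;
            if (!jumped) { consumed = pos + 2 - offset; jumped = 1; }
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                  /* reserved label types 0x40/0x80 */
        if (len == 0) {                             /* root label ends the name */
            if (!jumped) consumed = pos + 1 - offset;
            break;
        }
        if (len > DNS_MAX_LABEL) return -1;
        if (len > msg_len - pos - 1) return -1;     /* label bytes outside message */
        name_len += (size_t)len + 1;
        if (name_len > DNS_MAX_NAME) return -1;
        size_t need = out_pos + (out_pos ? 1 : 0) + len + 1;  /* '.', label, NUL */
        if (need > out_len) return -1;              /* output buffer too small */
        if (out_pos) out[out_pos++] = '.';
        memcpy(out + out_pos, msg + pos + 1, len);
        out_pos += len;
        out[out_pos] = '\0';
        pos += 1 + (size_t)len;
    }
    return (int)consumed;
}

/* Constructed sample messages for the demonstration (not captured traffic). */
static const uint8_t SAMPLE_PLAIN[] = {
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t SAMPLE_COMPRESSED[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,                          /* 12-octet header placeholder */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* "example.com" at offset 12 */
    3,'w','w','w', 0xC0, 0x0C };                      /* offset 25: "www" + pointer to 12 */
static const uint8_t SAMPLE_OVERLONG[] = { 0x10, 'a','b','c' }; /* claims 16 bytes, has 3 */
static const uint8_t SAMPLE_SELF_PTR[] = { 0xC0, 0x00 };        /* pointer to itself */
static const uint8_t SAMPLE_NO_ROOT[]  = { 3,'a','b','c' };     /* never terminated */

/* Decode into a scratch buffer; returns consumed bytes or -1. */
int dns_decode_consumed(const uint8_t *msg, size_t msg_len, size_t offset)
{
    char name[DNS_MAX_NAME + 1];
    return dns_decode_name(msg, msg_len, offset, name, sizeof name);
}

/* Returns 1 if the name decodes exactly to expect, otherwise 0. */
int dns_name_equals(const uint8_t *msg, size_t msg_len, size_t offset,
                    const char *expect)
{
    char name[DNS_MAX_NAME + 1];
    if (dns_decode_name(msg, msg_len, offset, name, sizeof name) < 0) return 0;
    return strcmp(name, expect) == 0;
}

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    int n = dns_decode_name(SAMPLE_COMPRESSED, sizeof SAMPLE_COMPRESSED, 25,
                            name, sizeof name);
    printf("decoded \"%s\" (%d wire bytes)\n", name, n);
    printf("overlong label rejected: %s\n",
           dns_decode_consumed(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG, 0) < 0
               ? "yes" : "no");
    return 0;
}
```

The returned byte count is what a caller uses to step to the next record, so a malformed name fails loudly with -1 rather than leaving the parser at an unchecked position; the three rejected samples cover a label length that overruns the message, a pointer that loops on itself, and a name that is never terminated, each of which a parser without these checks would handle by reading past the buffer or spinning forever.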

All of the vulnerabilities, discovered by researchers at security firms Forescout and JSOF, now have patches available, but that doesn't necessarily translate into fixes in actual devices, which often run older software versions. Sometimes manufacturers have not built a mechanism to update this code; in other cases they did not make the component it runs on and simply have no control over the update mechanism.

"With all of these findings, I know that it may seem like we are just bringing issues up on the table, but we are really trying to raise awareness, engage with the community and figure out ways to address it," said Elisa Costante, vice president of research at Forescout, which has done other, similar research through an effort it calls Project Memoria. "We have analyzed over 15 TCP/IP stacks, both proprietary and open source, and found that there is no real difference in quality. But these similarities are also helpful, because we've found they have similar vulnerabilities. When we analyze a new stack, we can start looking at the same places and sharing those common problems with other researchers and developers."

The researchers have not yet seen any evidence that attackers are actively exploiting these types of vulnerabilities in the wild. But with hundreds of millions, maybe billions, of devices potentially affected across the various findings, the exposure is significant.

Kurt John, chief cybersecurity officer at Siemens, told WIRED in a statement that the company is "working closely with governments and industry partners to mitigate vulnerabilities … In this case, we are pleased to have worked with one of those partners, Forescout, to quickly identify and mitigate the vulnerability."

The researchers coordinated disclosure of the flaws with the developers releasing patches, with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, and with other vulnerability-tracking groups. Similar flaws that Forescout and JSOF have found in other proprietary and open source TCP/IP stacks have already been shown to expose hundreds of millions or even billions of devices worldwide.

Problems are so common in these ubiquitous network protocols because their code has been passed along largely untouched for decades while the technology around it evolves. Essentially, because it isn't broken, no one is repairing it.

"For better or worse, these devices contain code that people wrote 20 years ago, with the security mindset of 20 years ago," said Ang Cui, CEO of IoT security company Red Balloon Security. "And it works; it never failed. But once you connect that to the internet, it's unsafe. And that's not surprising, given that over the past 20 years we've really had to think about how to approach the security of general-purpose computers."
