Millions of IoT Devices at Risk Due to TCP/IP Flaws
Table of Contents
- By Dawna M. Roberts
- Published: Dec 09, 2020
- Last Updated: Mar 18, 2022
Forescout Technologies discovers millions of IoT devices are at risk due to a batch of serious TCP/IP flaws that could result in device takeover, denial of service attacks, or remote execution of malicious code. They nicknamed the flaw Amnesia:33 and stated that more than 150 hardware and software vendors are culpable.
The Technical Details
These flaws affect both enterprise and personal IoT devices such as routers, industrial systems, medical equipment, and anything with a TCP/IP stack. The research is a result of a study called Project Memoria. Elisa Constante, VP of Research at Forescout, said, “In some cases, “you can crash devices with a single [data] packet.” DataBreach Today elaborated with “Many of the problems stem from poor software development practices, particularly an absence of basic input validation.”
During the summer, Forescout worked on another project labeled Ripple20 examining other TCP/IP flaws used by a TCP/IP manufacturer in Ohio called Track. This new research is a continuation of this same theme. Costante said, “We discovered…33 vulnerabilities in four of seven [TCP/IP] stacks that we analyzed.”
She went on to explain that most of the issues center on Domain Name System functionality. She said, “We find that the DNS, TCP, and IP sub-stacks are the most often vulnerable. DNS, in particular, seems to be vulnerable because of its complexity.”
Another alarming quote from the report states that “Exploiting these vulnerabilities could allow an attacker to take control of a device, thus using it as an entry point on a network (for internet-connected devices), as a pivot point for lateral movement, as a persistence point on the target network or as the final target of cyber attack.”
The reason they named the project Amnesia:33 is due to the fact that many of the 33 found flaws are related to memory corruption. Unfortunately, they did not call out specific vendors or IoT devices at risk, but with more than 150 vendors affected, you probably have one in your home or office.
The Dangers
The dangers of hacked IoT devices is enormous. There have been reports of smart cars remotely controlled by hackers causing accidents, radios uncontrollably start playing, and the heat and other controls becoming unresponsive.
Some consumers rely on IoT devices for medical care and monitoring. If a device connected to the internet automatically dispenses medication or monitors specific health conditions, and those devices were hacked and remotely controlled, it could risk lives. A self-driving car or medical device takeover is hazardous, but there are other less “physical” dangers as well.
If someone gains control of your network through an unsecured router or switch, they could access private and sensitive data for you or your employees and demand a ransom or use that information for identity theft. The possibilities are endless. Information is like gold on the dark web, and thieves make a profit selling personal details there.
The Solution
Forescout said in their report that “The flaws are found in four (out of seven analyzed) TCP/IP stacks (including uIP, picoTCP, FNET, and Nut/Net), which are a set of communication protocols used by internet-connected devices. Because multiple open-source TCP/IP stacks are affected, which are not owned by a single company, it presents tough patch management challenges for Amnesia:33.” This does not bode well for consumers who want to know that the products they have running in their homes and offices are safe and not vulnerable to hacking and takeover.
If even one vulnerable IoT device is present, it could put the entire network at risk. More dismal news from the researchers stated that “Despite much effort from all the parties, official patches were only issued by the Contiki-NG, PicoTCP-NG, FNET, and Nut/Net projects.” They went on to say, “At the time of writing, no official patches have been issued for the original uIP, Contiki, and PicoTCP projects, which we believe have reached end-of-life status but are still available for download. Some of the vendors and projects using these original stacks, such as open-iscsi, issued their own patches.”
How to Stay Safe
Just about every American has at least one IoT device in their home, office, or car. These include things like automatic coffee makers, medical wearables, Alexa devices, and more. Experts recommend that when you are not using the device, disable IPv6 traffic, and configure the device to use local DNS servers. They also highly recommend that you set up some software to monitor your entire home or office network, scanning for any intrusions, device usage that is not authorized, and malformed packets trying to exploit devices.
Until these flaws are patched, consumers should be aware of the dangers and keep a close eye on their entire network, including all internet-connected devices and traffic in and out.