DNS Flaws Expose Millions of IoT Devices To Hacker Threats


Security researchers disclosed Monday a set of flaws in the DNS handling of several widely used TCP/IP stacks that could affect millions of devices.

The nine vulnerabilities, discovered by Forescout Research Labs and JSOF Research, expose an estimated 100 million or more Internet of Things devices to denial of service or remote takeover by threat actors.

"As demonstrated by history, controlling IoT devices can be an effective method of launching DDoS attacks," said Rohit Dhamankar, vice president for threat intelligence products at Alert Logic, a Houston-based application and infrastructure security company.

"As IoT devices become more capable, they can be controlled by an attacker in the same way that servers or desktops can, and they can be further exploited as beachheads in enterprise breaches," he said.

The vulnerability set, dubbed Name:Wreck, affects four popular TCP/IP stacks: FreeBSD, Nucleus NET, IPnet, and NetX. The flaws lie in the stacks' DNS client code, specifically in how it parses the message compression scheme defined in RFC 1035, which lets a name in a DNS response contain a pointer to an earlier offset in the same packet.

According to the researchers, Nucleus NET is a component of Nucleus RTOS. This real-time operating system is used by over three billion devices, including ultrasound machines, storage systems, and critical systems for avionics.

The researchers noted that FreeBSD is widely used by high-performance servers in millions of IT networks and serves as the foundation for several other well-known open-source projects, including firewalls and several commercial network appliances.

They added that NetX is the network stack that normally runs on the ThreadX real-time operating system, which was deployed in 6.2 billion devices in 2017 and is used in medical devices, systems-on-a-chip, and several printer models.

"Healthcare and government organizations are among the top three most impacted across all three stacks," the researchers wrote. "Assuming that 1% of the more than 10 billion deployments discussed above are vulnerable, at least 100 million devices are impacted by Name:Wreck."


Powerful Attack Vector

Attacks on a device's TCP/IP stack are particularly potent, according to security experts.

"TCP/IP is the software that handles all communication between the device and other systems," explained Gary Kinghorn, marketing director at Tempered Networks, a Seattle-based microsegmentation company.

"If it is a network-based attack – as opposed to inserting a thumb drive into a USB port – you must use TCP/IP," he explained. "Most attacks begin with corrupting the TCP/IP software to introduce vulnerabilities or exploit design flaws."

Attacks on the TCP/IP stack can also bypass some fundamental security safeguards.

"Anytime you have an attack on TCP/IP that does not require a username or password, it makes the attack easier to execute," Dhamankar observed.

"TCP/IP vulnerabilities are particularly dangerous because they can be exploited remotely over the Internet or an intranet without compromising other security mechanisms such as authentication," added Bob Baxley, CTO of San Francisco-based Bastille Networks, a provider of threat detection and security for the Internet of Things.

A successful attack on the stack also tends to hand the attacker more than the stack itself. "Because TCP/IP stacks are typically run with elevated privileges, any code execution vulnerability would allow an attacker to obtain significant privileges on the device," explained Asaf Karas, cofounder and CTO of Vdoo, a Tel Aviv-based provider of security automation for embedded devices.


Patching Problems

Patches exist for some of the disclosed vulnerabilities, but getting them onto the affected devices can be challenging.

Baxley noted that patches for FreeBSD, Nucleus NET, and NetX had been released.

"Patching is theoretically possible for end devices that use those stacks," he said. "However, many of the vulnerable systems are Internet of Things devices running real-time operating systems that are not patched on a regular basis and are therefore unlikely to receive a patch."

"Typically, IoT devices are deployed and forgotten about, and are frequently replaced only when they fail or reach the end of their useful life," added Jean-Philippe Taggart, a senior security researcher at Malwarebytes.

"That is not an efficient strategy," he said.

Another potential issue with IoT devices is their age. "While these systems can be patched, they are frequently very old implementations that may be used in ways not intended," Kinghorn observed.

"They are vulnerable due to their inherent complexity and inability to detect risks easily," he continued. "More frequently than not, hackers are able to exploit them before they are patched."

"Patching IoT vulnerabilities has always been extremely difficult," Dhamankar added. "It's difficult enough to patch server and desktop vulnerabilities."


Defence Tactics

Even where patches cannot be applied, there are ways to protect a network from exploitation of the vulnerabilities the Forescout and JSOF researchers disclosed.

Baxley explained that an attacker must respond to a DNS request from the target device with a spoofed packet containing the malicious payload to exploit the Name:Wreck vulnerabilities. An attacker will need network access to the target device to accomplish this.
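The payload Baxley describes arrives inside a DNS response, and in the Name:Wreck stacks the bugs sit in how that response is parsed: RFC 1035 message compression lets a name contain a pointer back to an earlier offset in the packet, and a parser that does not check where the pointer goes, how many times it is followed, or how long the result gets can be pushed out of bounds or into an infinite loop. The Python below is an added example, not code from the article, from the researchers, or from any affected stack: a reference decoder that applies those checks, exercised against response messages constructed here (the header, the `www.example.com` question and the answer records are all made up for the demonstration).

```python
"""Bounds-checked decoding of compressed DNS names (RFC 1035, section 4.1.4).

Added example with constructed messages; not packets from the Forescout/JSOF
research and not the code of any affected stack.
"""
import struct

MAX_NAME_LEN = 255   # RFC 1035 section 2.3.4: wire-format length cap


class MalformedDNS(ValueError):
    """A name that would send an unchecked parser out of bounds or into a loop."""


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the name at `offset`; return (name, offset of the byte after it).

    Each check corresponds to something an unchecked parser may skip; missing
    any one of them lets a single spoofed response drive the parser into an
    infinite loop or an out-of-bounds access.
    """
    labels: list[str] = []
    wire_len = 0             # octets the name would occupy uncompressed
    pos = offset
    resume_at = None         # where the caller continues after the first pointer
    last_target = len(msg)   # successive pointer targets must strictly decrease

    while True:
        if pos >= len(msg):
            raise MalformedDNS(f"length octet at {pos} is past end of message")
        length = msg[pos]

        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedDNS("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if resume_at is None:
                resume_at = pos + 2
            if target >= len(msg):
                raise MalformedDNS(f"pointer at {pos} -> {target} is past end of message")
            # RFC 1035: a pointer refers to a *prior* occurrence of a name.
            # Requiring each target to lie below both the current position and
            # the previous target rules out self, forward and multi-hop loops
            # and bounds the number of hops by len(msg).
            if target >= pos or target >= last_target:
                raise MalformedDNS(f"pointer at {pos} -> {target} is not strictly backward")
            last_target = target
            pos = target
            continue

        if length & 0xC0:                              # 0x40 / 0x80 are reserved
            raise MalformedDNS(f"reserved label type 0x{length:02x} at {pos}")

        wire_len += length + 1                         # plain label: 0..63 octets follow
        if wire_len > MAX_NAME_LEN:
            raise MalformedDNS("name longer than 255 octets")
        pos += 1
        if length == 0:                                # root label terminates the name
            break
        if pos + length > len(msg):
            raise MalformedDNS(f"label at {pos} runs past end of message")
        labels.append(msg[pos:pos + length].decode("ascii", errors="replace"))
        pos += length

    return ".".join(labels) or ".", (pos if resume_at is None else resume_at)


def walk_response(msg: bytes) -> list[str]:
    """Decode every owner name in the question and answer sections, so a
    malicious name is rejected before anything copies it into a buffer."""
    if len(msg) < 12:
        raise MalformedDNS("message shorter than a DNS header")
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    names, pos = [], 12
    for _ in range(qdcount):
        name, pos = read_name(msg, pos)
        names.append(name)
        pos += 4                                       # QTYPE + QCLASS
    for _ in range(ancount):
        name, pos = read_name(msg, pos)
        names.append(name)
        if pos + 10 > len(msg):
            raise MalformedDNS("truncated resource record header")
        rdlength = struct.unpack_from("!H", msg, pos + 8)[0]
        pos += 10 + rdlength                           # TYPE, CLASS, TTL, RDLENGTH, RDATA
        if pos > len(msg):
            raise MalformedDNS("RDATA runs past end of message")
    return names


def rejects(msg: bytes) -> bool:
    """True if the hardened parser refuses the message."""
    try:
        walk_response(msg)
    except MalformedDNS:
        return True
    return False


# Constructed messages: 1 question, 1 answer; question name starts at offset 12.
HEADER = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
QUESTION = b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
ANSWER_OFFSET = len(HEADER) + len(QUESTION)                                 # 33
RR_TAIL = b"\x00\x01\x00\x01" + b"\x00\x00\x0e\x10" + b"\x00\x04" + bytes([192, 0, 2, 1])


def response_with(owner_name: bytes) -> bytes:
    """A one-answer response whose answer owner name is `owner_name`."""
    return HEADER + QUESTION + owner_name + RR_TAIL


LEGIT = response_with(b"\xc0\x0c")            # pointer back to the question name
LOOP = response_with(b"\x01a\xc0\x21")        # label "a", then pointer back to offset 33 (this name)
OUT_OF_BOUNDS = response_with(b"\xc3\xff")    # pointer to offset 1023 in a 49-octet message
TRUNCATED = HEADER + QUESTION + b"\x0cshort"  # length octet promises 12 octets, 5 remain
```

The two-label loop in `LOOP` is the case worth noting: a parser that only checks "pointer goes backwards" accepts it and spins forever, because the pointer at offset 35 does point backwards, to offset 33. Requiring targets to decrease on every hop (or, equivalently, capping hops) is what closes that hole.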

"Segmenting devices, particularly IoT devices, from the Internet and core internal networks is one mechanism for mitigating exposure risk," he explained.

Likewise, monitoring DNS traffic can help defend against Name:Wreck. "Monitoring DNS activity in the environment and notifying administrators of any external DNS server activity is a good first step," Dhamankar observed.

"In general," he continued, "DNS is an excellent source for security analytics to monitor for compromises."
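Dhamankar's "first step" is mechanical once the environment defines which resolver IoT devices are allowed to use: anything on port 53 between an IoT address and any other peer is worth an alert, in both directions, because the inbound direction is exactly the spoofed response Baxley describes. The Python below is an added example, not from the article or any vendor quoted in it. The IoT subnet, the resolver address and the flow records are all constructed for the demonstration, and the record format is a plain five-tuple per line rather than any product's export format.

```python
"""Flag DNS traffic from an IoT segment that bypasses the sanctioned resolver.

Added example; subnets, resolver and log lines are constructed, and the
"time src_ip src_port dst_ip dst_port proto" format is not any product's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Assumed environment: IoT devices live in 10.20.0.0/16 and must use 10.0.0.53.
IOT_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]
SANCTIONED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
DNS_PORT = 53

# Constructed flow records.
SAMPLE_FLOWS = """\
09:00:01 10.20.4.17 51234 10.0.0.53 53 udp
09:00:01 10.0.0.53 53 10.20.4.17 51234 udp
09:00:02 10.20.4.17 51235 8.8.8.8 53 udp
09:00:02 8.8.8.8 53 10.20.4.17 51235 udp
09:00:03 203.0.113.9 53 10.20.4.17 51235 udp
09:00:04 10.20.9.2 40000 192.0.2.7 443 tcp
09:00:05 10.1.1.5 50000 8.8.8.8 53 udp
"""


@dataclass(frozen=True)
class Finding:
    time: str
    device: str   # the IoT endpoint involved
    peer: str     # the other side of the DNS conversation
    reason: str


def in_iot_segment(addr) -> bool:
    return any(addr in net for net in IOT_SEGMENTS)


def audit_dns_flows(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per DNS flow that does not involve the sanctioned resolver.

    Outbound (dport 53): the device is asking a resolver we do not control.
    Inbound (sport 53): something other than our resolver is delivering a
    "response" to the device, which is the precondition for a spoofed
    malicious reply reaching its DNS client.
    """
    findings: list[Finding] = []
    for raw in lines:
        fields = raw.split()
        if len(fields) != 6:
            continue                                   # blank or malformed record
        time, src, sport, dst, dport, _proto = fields
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if int(dport) == DNS_PORT and in_iot_segment(src_ip) \
                and dst_ip not in SANCTIONED_RESOLVERS:
            findings.append(Finding(time, src, dst, "DNS query to unsanctioned resolver"))
        elif int(sport) == DNS_PORT and in_iot_segment(dst_ip) \
                and src_ip not in SANCTIONED_RESOLVERS:
            findings.append(Finding(time, dst, src, "DNS response from unexpected source"))
    return findings


def devices_to_review(findings: Iterable[Finding]) -> list[str]:
    """Distinct IoT endpoints with at least one finding, for segmentation follow-up."""
    return sorted({f.device for f in findings})


if __name__ == "__main__":
    results = audit_dns_flows(SAMPLE_FLOWS.splitlines())
    for f in results:
        print(f"{f.time} {f.device} <-> {f.peer}: {f.reason}")
    print("review:", devices_to_review(results))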

In addition, strengthened access management can thwart attackers. "If the system cannot be patched, which may be the case with older industrial control systems, OT network devices, and IoT endpoints, it is critical to ensure that the network only allows secure, trusted traffic to these devices," Kinghorn explained.

"This is where Zero Trust designs come in handy, as they ensure that only authorized devices are able to access these vulnerable systems," he continued. "It can also be beneficial to monitor and analyze traffic to and from those devices continuously to ensure that no potentially malicious or suspicious traffic reaches them."

"The Internet of Things as a whole is a security hotspot," added Chris Morales, CISO of Netenrich, a San Jose, Calif.-based provider of security operations centre services.

"Weak passwords and hardcoded user accounts, a lack of patching and obsolete components — these latest vulnerabilities add to the stack of insecurity that is the Internet of Things," he said.

