IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

New DNS vulnerabilities put millions of IoT devices at risk

The NAME:WRECK flaws affects four popular TCP/IP stacks

Graphic representation of IoT devices in businesses

Security researchers have warned of a slew of DNS flaws that could affect millions of internet of things (IoT) devices.

According to researchers at Forescout, the nine vulnerabilities have been dubbed “NAME:WRECK,” and they affect four popular TCP/IP stacks: FreeBSD, Nucleus NET, IPnet, and NetX. These vulnerabilities relate to Domain Name System (DNS) implementations, causing Denial of Service (DoS) or Remote Code Execution (RCE), allowing attackers to target devices offline or take control of them.

The researcher said the widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface. 

Forescout researchers teamed up with JSOF to find the flaws and added that these can impact over 100 million consumer, enterprise, and industrial IoT devices worldwide. Millions of IT networks use FreeBSD, including Netflix and Yahoo. Meanwhile, IoT/OT firmware, such as Siemens’ Nucleus NET has been used for decades in critical OT and IoT devices.

If exploited, among the plausible scenarios researchers laid out included exposing government or enterprise servers by accessing sensitive data, such as financial records, intellectual property, or employee/customer information. They could also compromise hospitals by connecting to medical devices to obtain health care data, taking them offline and preventing health care delivery.

Related Resource

IT Pro 20/20: Meet the companies leaving the office for good

The 15th issue of IT Pro 20/20 looks at the nature of operating a business in 2021

IT Pro 20/20: Leaving the office for goodDOWNLOAD NOW

Hackers could also use the flaws to access critical residential and commercial building functions, including major hotels, to endanger residents’ safety. This could include tampering with heating, ventilation and air conditioning systems, disabling critical security systems, or shutting down automated lighting systems.

Researchers said that unless urgent action is taken to adequately protect networks and the devices connected to them, “it could be just a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security.”

"NAME:WRECK is a significant and widespread set of vulnerabilities with the potential for large-scale disruption," said Daniel dos Santos, Research Manager, Forescout Research Labs.

“Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks  and so we  encourage all organizations to make sure they have the most up-to-date patches for any devices running across these affected IP Stacks.”

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Mastering endpoint security implementation
Security

Mastering endpoint security implementation

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022