Flaws in open source protocols expose millions of embedded devices

Amnesia:33 vulnerabilities could impact numerous industries, from health care to retail and beyond

Graphic representation of IoT devices in businesses

Security researchers have disclosed details of 33 new vulnerabilities present in millions of smart devices from over 150 vendors.

According to a Forescout Research report, these new Amnesia:33 vulnerabilities can cause widespread disruption to worldwide organizational operations, including health care services, retailers, and manufacturers. They could also endanger the physical safety of consumers who own these devices.

The report found that four of the Amnesia:33 vulnerabilities are critical, with potential for remote code execution on certain devices. If an attacker exploits these vulnerabilities, they could take control of a device and use it as a network entry point, a pivot point for lateral movement, a persistence point on the target network, or as the final target of an attack.

The Amnesia:33 flaws affect multiple open source TCP/IP stacks that aren’t owned by a single company, including uIP, FNET, picoTCP and Nut/Net. Researchers said this means a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies, and products, presenting significant challenges to patch management.

Over 150 vendors and millions of devices are vulnerable to the flaws. Researchers said it was challenging to assess Amnesia:33’s full impact because the vulnerable stacks are widely spread, highly modular, and incorporated in undocumented, deeply embedded subsystems.

Among the possible scenarios organizations could face, hackers could exploit these vulnerabilities to manipulate temperature monitors in storage spaces and spoil new COVID-19 vaccines or manipulate room temperature and ventilation units in coronavirus wards to initiate patient evacuations.

Hackers could also use the flaws to hijack or disable receipt printers or RFID tag readers in retail stores to disrupt sales or disable smart home alarms and smoke detectors.

“Due to the complexity of identifying and patching vulnerable devices, vulnerability management for TCP/IP stacks is becoming a challenge for the security community. We recommend adopting solutions that provide granular device visibility, allow the monitoring of network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities,” said the report’s authors.

Tod Beardsley, research director at Rapid7, told ITPro that cyber security researchers and defenders had pieced together the details of these findings, but the advice today is the same as it was yesterday: Don’t expose your IoT/OT/ICS devices directly to a hostile internet, especially when those devices are built with hard-to-determine versions of difficult-to-audit software.

“Traditional defense technologies like firewalls that drop all unexpected IPv6 and malformed IP traffic will go a long way toward mitigating most of these specific vulnerabilities. Network segmentation to keep fragile devices like these contained in their own trusted networks will cover the rest. More longer-term, initiatives that leverage a software bill of materials can also help IT and security teams keep tabs on the more exotic components of their infrastructure,” Beardsley said.

Featured Resources

Virtual desktops and apps for dummies

An easy guide to virtual desktop infrastructure, end-user computing, and more

Download now

The total economic impact of optimising and managing your hybrid multi-cloud

Cost savings and business benefits of accelerating the cloud journey

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

What’s next for the education sector?

A new learning experience

Download now

Recommended

New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021
Biden calls for $22 billion in cyber security funding
Security

Biden calls for $22 billion in cyber security funding

18 May 2021
Avast’s Business Hub helps eliminate gaps in cyber defense
Security

Avast’s Business Hub helps eliminate gaps in cyber defense

18 May 2021
NETSCOUT threat intelligence report
Whitepaper

NETSCOUT threat intelligence report

18 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021