Flaws in open source protocols expose millions of embedded devices

Amnesia:33 vulnerabilities could impact numerous industries, from health care to retail and beyond

Graphic representation of IoT devices in businesses

Security researchers have disclosed details of 33 new vulnerabilities present in millions of smart devices from over 150 vendors.

According to a Forescout Research report, these new Amnesia:33 vulnerabilities can cause widespread disruption to worldwide organizational operations, including health care services, retailers, and manufacturers. They could also endanger the physical safety of consumers who own these devices.

The report found that four of the Amnesia:33 vulnerabilities are critical, with potential for remote code execution on certain devices. If an attacker exploits these vulnerabilities, they could take control of a device and use it as a network entry point, a pivot point for lateral movement, a persistence point on the target network, or as the final target of an attack.

The Amnesia:33 flaws affect multiple open source TCP/IP stacks that aren’t owned by a single company, including uIP, FNET, picoTCP and Nut/Net. Researchers said this means a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies, and products, presenting significant challenges to patch management.

Over 150 vendors and millions of devices are vulnerable to the flaws. Researchers said it was challenging to assess Amnesia:33’s full impact because the vulnerable stacks are widely spread, highly modular, and incorporated in undocumented, deeply embedded subsystems.

Among the possible scenarios organizations could face, hackers could exploit these vulnerabilities to manipulate temperature monitors in storage spaces and spoil new COVID-19 vaccines or manipulate room temperature and ventilation units in coronavirus wards to initiate patient evacuations.

Hackers could also use the flaws to hijack or disable receipt printers or RFID tag readers in retail stores to disrupt sales or disable smart home alarms and smoke detectors.

“Due to the complexity of identifying and patching vulnerable devices, vulnerability management for TCP/IP stacks is becoming a challenge for the security community. We recommend adopting solutions that provide granular device visibility, allow the monitoring of network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities,” said the report’s authors.

Tod Beardsley, research director at Rapid7, told ITPro that cyber security researchers and defenders had pieced together the details of these findings, but the advice today is the same as it was yesterday: Don’t expose your IoT/OT/ICS devices directly to a hostile internet, especially when those devices are built with hard-to-determine versions of difficult-to-audit software.

“Traditional defense technologies like firewalls that drop all unexpected IPv6 and malformed IP traffic will go a long way toward mitigating most of these specific vulnerabilities. Network segmentation to keep fragile devices like these contained in their own trusted networks will cover the rest. More longer-term, initiatives that leverage a software bill of materials can also help IT and security teams keep tabs on the more exotic components of their infrastructure,” Beardsley said.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

How to use machine learning and AI in cyber security
Security

How to use machine learning and AI in cyber security

30 Jul 2021
Chipotle’s marketing email hacked to send phishing emails
phishing

Chipotle’s marketing email hacked to send phishing emails

29 Jul 2021
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

29 Jul 2021
Colonial Pipeline hack spurred copycat attacks on other oil and gas companies
hacking

Colonial Pipeline hack spurred copycat attacks on other oil and gas companies

29 Jul 2021

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021