The disclosure of 33 TCP/IP stack flaws affecting smart devices manufactured by over 150 different tech companies has once again thrown the spotlight on lax attitudes to IoT security at the development level, and the likelihood of being able to patch them across every device is low, meaning users must either live with the risk of compromise, or splash out on heightened precautions that can never guarantee protection.
Dubbed Amnesia:33 by the Forescout research team that uncovered them, the vulnerabilities have already been the subject of a fresh alert from the US’ CISA cyber security centre. They were uncovered as part of Forescout’s Project Memoria, an initiative purposely set up to study the security of TCP/IP stacks, and their publication is the first disclosure made under the initiative.
Forescout revealed that four of the vulnerabilities were critical, enabling remote code execution (RCE) on targeted devices and giving attackers an easy entry point onto a network, whether consumer or enterprise, to establish persistence, move laterally, and conduct further attacks, or put devices into large IoT botnets. Others arise from bad software development practice and relate to memory corruption, which can cause denial of service, information leaks or allow for code execution.
Multiple open source TCP/IP stacks used in the operating systems of embedded devices, systems-on-a-chip, network hardware, OT devices, and thousands of enterprise and consumer IoT devices, are affected, which Forescout said meant a single vulnerability could spread easily and silently across multiple codebases, development teams, companies and products, and hence millions of devices.
Jonathan Knudsen, senior security strategist at Synopsys, said the disclosures highlighted huge problems at the development level: “Security must be part of every phase of software development. During the design of an application, threat modelling and architectural risk analysis are critical. During development, static analysis helps minimise weaknesses, and software composition analysis (SCA) help minimise risks of third-party components.
“Fuzz testing minimises risk by helping developers harden the application to unexpected or malicious protocol inputs. Security even plays a key role in software maintenance, when new vulnerabilities in software components might be discovered and software updates might be necessary,” he said.
The Amnesia:33 disclosure is of particular concern because of its sheer scale and complexity, making patching very difficult and in some cases even impossible, as Chris Grove, technology evangelist at Nozomi Networks, pointed out.
There is no sign of any let up in the volume or variety of embedded devices, many of them developed quickly and cheaply, released and forgotten about, explained Grove, while attackers can often take advantage of for a significant length of time prior to disclosure.
“Knowing that the root-cause of the problem (deploying vulnerable embedded and IoT systems) is growing at an exponential and alarming rate, it’s clear that the risks need to be accounted for and properly mitigated. In many cases, embedded and un-managed technology is difficult to identify, much less considering it part of a managed asset inventory,” he said.
“After the embedded systems are identified, the expected behaviours of those devices can be difficult to ascertain and manage. Furthermore, understanding how to mitigate the vulnerabilities after they’ve been identified is another matter. In fact, sometimes it’s impossible to patch, leaving operators with the realisation that they have no choice but to assume the risks.”
Knudsen at Synopsys agreed: “For many IoT devices, getting a functioning product to market quickly takes precedence, which means manufacturers might not have an automatic mechanism for updates, or indeed, might not even be devoting resources to maintaining released products.”
Forescout’s team said that due to the complexity of identifying and patching vulnerable devices, managing responses at the organisational level would indeed be a challenge.
“We recommend adopting solutions that provide granular device visibility, allow the monitoring to network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities,” they said.
Synopsys senior security engineer Boris Cipot agreed that given the manufacturers of the affected devices had not got it right, users would have to proactively take action themselves.
“Deploying mitigation techniques, such as treating devices as untrustworthy, monitoring their behaviour, creating subnets in which they work and abiding by the principle of least privilege are just a few steps one can take to protect their assets,” said Cipot.
However, Tod Beardsley, Rapid7 research director, said that the Amnesia:33 disclosures were not necessarily going to result in mass compromise of smart devices and networks.
“I doubt we’ll see active attacks any time soon leveraging these vulnerabilities, mainly because there just isn’t enough information provided in the paper for attackers or defenders to really act when it comes to determining likely targets and configurations,” he said.
“That may change when proof-of-concept exploits are published, but even then, the attacks described in the paper seem to require attackers to be in privileged insider positions or trick end-users into soliciting responses from an attacker-controlled endpoint.”