Millions of Smart Devices Are Vulnerable to Hackers
New research shows that security flaws affecting upwards of 100 million smart devices and industrial machines could allow a hacker to hijack the products or knock them offline.
Nine different vulnerabilities were recently discovered by
researchers with security firm Forescout, who have dubbed them “NAME:WRECK,”
for the way in which they affect the Domain Name System (DNS) protocol. The
vulns are in four different TCP/IP stacks, including Nucleus NET, FreeBSD,
NetX, and IPnet, all of which are used widely by IoT and industrial devices.
(For reference, TCP/IP stands for “Transmission Control
Protocol/Internet Protocol,” and TCP/IP stacks are systems of rules
implemented in software and hardware that ensure consistent and standardized
data transmission over networks. So exploiting such stacks could lead to some
pretty tricky business, indeed.)
In this case, the vulnerabilities are tied up with the way
in which DNS protocols are executed. Hypothetically, attackers could exploit
the DNS bugs to achieve remote code execution on vulnerable devices or to
launch denial-of-service attacks, the report claims.
Although not all devices running these protocols are
necessarily vulnerable to abuse, the security flaws could still affect an
astronomical number of devices, according to researchers: “If we conservatively
assume that 1% of the more than 10 billion deployments discussed above are
vulnerable, we can estimate that at least 100 million devices are impacted by
NAME:WRECK,” the report claims.
The stacks are used so widely across such a variety of
sectors and industries that it would be somewhat difficult to pin down a
“master list” of all of the products that might be affected. Healthcare,
defense and aerospace, retail, communications and networking, and pretty much
every other industry you can think of may be affected. In the case of NetX, for
instance, the vulnerabilities, if left unpatched, could potentially affect
everything from HTC wearable fitness products to a variety of healthcare
patient monitors to, apparently, “the NASA Mars Reconnaissance Orbiter,” the
report claims.
So, what to do? In a case like this, patching works in a
sort of trickle-down fashion: after a stack developer issues a patch, it then
falls to all of the device vendors who use that stack to issue their own.
Customers must then integrate the new protections into their individual devices
themselves. So while the affected stack developers have by now all issued
patches, both vendors and consumers still have their own subsequent process
of adding those protections.
For industrial sectors, the report suggests that the
patching process may be particularly arduous and time-consuming, as sorting
through the mass of affected devices and device components, then properly
compelling organizations that rely on those machines to issue patches, is not
always the easiest of tasks.
“For the typical consumer, it’s really a matter of waiting
for the patches and keeping an eye out for what the vendors will say and for
the vulnerabilities that exist,” said Daniel dos Santos, head of research with
Forescout, in a phone call. “One of the challenges we have is awareness of
these issues,” he said. “That is one of the big parts of our mission—to let
people know what’s going on.”