Flaws in open source protocols expose millions of embedded devices

Amnesia:33 vulnerabilities could impact numerous industries, from health care to retail and beyond

Graphic representation of IoT devices in businesses

Security researchers have disclosed details of 33 new vulnerabilities present in millions of smart devices from over 150 vendors.

According to a Forescout Research report, these new Amnesia:33 vulnerabilities can cause widespread disruption to worldwide organizational operations, including health care services, retailers, and manufacturers. They could also endanger the physical safety of consumers who own these devices.

The report found that four of the Amnesia:33 vulnerabilities are critical, with potential for remote code execution on certain devices. If an attacker exploits these vulnerabilities, they could take control of a device and use it as a network entry point, a pivot point for lateral movement, a persistence point on the target network, or as the final target of an attack.

The Amnesia:33 flaws affect multiple open source TCP/IP stacks that aren’t owned by a single company, including uIP, FNET, picoTCP and Nut/Net. Researchers said this means a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies, and products, presenting significant challenges to patch management.

Over 150 vendors and millions of devices are vulnerable to the flaws. Researchers said it was challenging to assess Amnesia:33’s full impact because the vulnerable stacks are widely spread, highly modular, and incorporated in undocumented, deeply embedded subsystems.

Among the possible scenarios organizations could face, hackers could exploit these vulnerabilities to manipulate temperature monitors in storage spaces and spoil new COVID-19 vaccines or manipulate room temperature and ventilation units in coronavirus wards to initiate patient evacuations.

Hackers could also use the flaws to hijack or disable receipt printers or RFID tag readers in retail stores to disrupt sales or disable smart home alarms and smoke detectors.

“Due to the complexity of identifying and patching vulnerable devices, vulnerability management for TCP/IP stacks is becoming a challenge for the security community. We recommend adopting solutions that provide granular device visibility, allow the monitoring of network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities,” said the report’s authors.

Tod Beardsley, research director at Rapid7, told ITPro that cyber security researchers and defenders had pieced together the details of these findings, but the advice today is the same as it was yesterday: Don’t expose your IoT/OT/ICS devices directly to a hostile internet, especially when those devices are built with hard-to-determine versions of difficult-to-audit software.

“Traditional defense technologies like firewalls that drop all unexpected IPv6 and malformed IP traffic will go a long way toward mitigating most of these specific vulnerabilities. Network segmentation to keep fragile devices like these contained in their own trusted networks will cover the rest. More longer-term, initiatives that leverage a software bill of materials can also help IT and security teams keep tabs on the more exotic components of their infrastructure,” Beardsley said.

Featured Resources

The ultimate guide to business connectivity in field services

A roadmap to increased workplace efficiency

Free download

The definitive guide to migrating to the cloud

Migrate apps to the public cloud with multi-cloud infrastructure solutions

Free download

Transform your network with advanced load balancing from VMware

How to modernise load balancing to enable digital transformation

Free download

How to secure workloads in hybrid clouds

Cloud workload protection

Free download

Recommended

Large companies fall short on domain security
cyber security

Large companies fall short on domain security

28 Sep 2021
HPE GreenLake takes aim at data protection and analytics
data protection

HPE GreenLake takes aim at data protection and analytics

28 Sep 2021
Hackers spoof Zix in credential phishing attack
phishing

Hackers spoof Zix in credential phishing attack

28 Sep 2021
Women and BAME individuals are hardest hit by cyber crime
cyber crime

Women and BAME individuals are hardest hit by cyber crime

28 Sep 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021