IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Flaws in open source protocols expose millions of embedded devices

Amnesia:33 vulnerabilities could impact numerous industries, from health care to retail and beyond

Graphic representation of IoT devices in businesses

Security researchers have disclosed details of 33 new vulnerabilities present in millions of smart devices from over 150 vendors.

According to a Forescout Research report, these new Amnesia:33 vulnerabilities can cause widespread disruption to worldwide organizational operations, including health care services, retailers, and manufacturers. They could also endanger the physical safety of consumers who own these devices.

The report found that four of the Amnesia:33 vulnerabilities are critical, with potential for remote code execution on certain devices. If an attacker exploits these vulnerabilities, they could take control of a device and use it as a network entry point, a pivot point for lateral movement, a persistence point on the target network, or as the final target of an attack.

The Amnesia:33 flaws affect multiple open source TCP/IP stacks that aren’t owned by a single company, including uIP, FNET, picoTCP and Nut/Net. Researchers said this means a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies, and products, presenting significant challenges to patch management.

Over 150 vendors and millions of devices are vulnerable to the flaws. Researchers said it was challenging to assess Amnesia:33’s full impact because the vulnerable stacks are widely spread, highly modular, and incorporated in undocumented, deeply embedded subsystems.

Among the possible scenarios organizations could face, hackers could exploit these vulnerabilities to manipulate temperature monitors in storage spaces and spoil new COVID-19 vaccines or manipulate room temperature and ventilation units in coronavirus wards to initiate patient evacuations.

Hackers could also use the flaws to hijack or disable receipt printers or RFID tag readers in retail stores to disrupt sales or disable smart home alarms and smoke detectors.

“Due to the complexity of identifying and patching vulnerable devices, vulnerability management for TCP/IP stacks is becoming a challenge for the security community. We recommend adopting solutions that provide granular device visibility, allow the monitoring of network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities,” said the report’s authors.

Tod Beardsley, research director at Rapid7, told ITPro that cyber security researchers and defenders had pieced together the details of these findings, but the advice today is the same as it was yesterday: Don’t expose your IoT/OT/ICS devices directly to a hostile internet, especially when those devices are built with hard-to-determine versions of difficult-to-audit software.

“Traditional defense technologies like firewalls that drop all unexpected IPv6 and malformed IP traffic will go a long way toward mitigating most of these specific vulnerabilities. Network segmentation to keep fragile devices like these contained in their own trusted networks will cover the rest. More longer-term, initiatives that leverage a software bill of materials can also help IT and security teams keep tabs on the more exotic components of their infrastructure,” Beardsley said.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022
CIAM buyer’s guide
Whitepaper

CIAM buyer’s guide

6 Jun 2022

Most Popular

Raspberry Pi launches next-gen Pico W microcontroller with networking support
Hardware

Raspberry Pi launches next-gen Pico W microcontroller with networking support

1 Jul 2022
Universities are fighting a cyber security war on multiple fronts
cyber security

Universities are fighting a cyber security war on multiple fronts

4 Jul 2022
Hackers claim to steal personal data of over a billion people in China
data breaches

Hackers claim to steal personal data of over a billion people in China

4 Jul 2022