Flaws in open source protocols expose millions of embedded devices

Amnesia:33 vulnerabilities could impact numerous industries, from health care to retail and beyond

Graphic representation of IoT devices in businesses

Security researchers have disclosed details of 33 new vulnerabilities present in millions of smart devices from over 150 vendors.

According to a Forescout Research report, these new Amnesia:33 vulnerabilities can cause widespread disruption to worldwide organizational operations, including health care services, retailers, and manufacturers. They could also endanger the physical safety of consumers who own these devices.

The report found that four of the Amnesia:33 vulnerabilities are critical, with potential for remote code execution on certain devices. If an attacker exploits these vulnerabilities, they could take control of a device and use it as a network entry point, a pivot point for lateral movement, a persistence point on the target network, or as the final target of an attack.

The Amnesia:33 flaws affect multiple open source TCP/IP stacks that aren’t owned by a single company, including uIP, FNET, picoTCP and Nut/Net. Researchers said this means a single vulnerability tends to spread easily and silently across multiple codebases, development teams, companies, and products, presenting significant challenges to patch management.

Over 150 vendors and millions of devices are vulnerable to the flaws. Researchers said it was challenging to assess Amnesia:33’s full impact because the vulnerable stacks are widely spread, highly modular, and incorporated in undocumented, deeply embedded subsystems.

Among the possible scenarios organizations could face, hackers could exploit these vulnerabilities to manipulate temperature monitors in storage spaces and spoil new COVID-19 vaccines or manipulate room temperature and ventilation units in coronavirus wards to initiate patient evacuations.

Hackers could also use the flaws to hijack or disable receipt printers or RFID tag readers in retail stores to disrupt sales or disable smart home alarms and smoke detectors.

“Due to the complexity of identifying and patching vulnerable devices, vulnerability management for TCP/IP stacks is becoming a challenge for the security community. We recommend adopting solutions that provide granular device visibility, allow the monitoring of network communications and isolate vulnerable devices or network segments to manage the risk posed by these vulnerabilities,” said the report’s authors.

Tod Beardsley, research director at Rapid7, told ITPro that cyber security researchers and defenders had pieced together the details of these findings, but the advice today is the same as it was yesterday: Don’t expose your IoT/OT/ICS devices directly to a hostile internet, especially when those devices are built with hard-to-determine versions of difficult-to-audit software.

“Traditional defense technologies like firewalls that drop all unexpected IPv6 and malformed IP traffic will go a long way toward mitigating most of these specific vulnerabilities. Network segmentation to keep fragile devices like these contained in their own trusted networks will cover the rest. More longer-term, initiatives that leverage a software bill of materials can also help IT and security teams keep tabs on the more exotic components of their infrastructure,” Beardsley said.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

How to encrypt files and folders in Windows 10
encryption

How to encrypt files and folders in Windows 10

9 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Evidence suggests REvil behind Harris Federation ransomware attack
ransomware

Evidence suggests REvil behind Harris Federation ransomware attack

9 Apr 2021
Fujitsu taps Trend Micro to secure private 5G networks in smart factories
5G

Fujitsu taps Trend Micro to secure private 5G networks in smart factories

8 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
Alienware’s new gaming laptop is a kick in the teeth for Intel’s new CEO
Hardware

Alienware’s new gaming laptop is a kick in the teeth for Intel’s new CEO

8 Apr 2021