62 with 48 posters participating
Over the last few years, researchers have found a shocking number of vulnerabilities in seemingly basic code that underpins how devices communicate with the Internet. Now, a new set of nine such vulnerabilities are exposing an estimated 100 million devices worldwide, including an array of Internet-of-things products and IT management servers. The larger question researchers are scrambling to answer, though, is how to spur substantive changes—and implement effective defenses—as more and more of these types of vulnerabilities pile up.
Dubbed Name:Wreck, the newly disclosed flaws are in four ubiquitous TCP/IP stacks, code that integrates network communication protocols to establish connections between devices and the Internet. The vulnerabilities, present in operating systems like the open source project FreeBSD, as well as Nucleus NET from the industrial control firm Siemens, all relate to how these stacks implement the “Domain Name System” Internet phone book. They all would allow an attacker to either crash a device and take it offline or gain control of it remotely. Both of these attacks could potentially wreak havoc in a network, especially in critical infrastructure, health care, or manufacturing settings where infiltrating a connected device or IT server can disrupt a whole system or serve as a valuable jumping-off point for burrowing deeper into a victim’s network.
All of the vulnerabilities, discovered by researchers at the security firms Forescout and JSOF, now have patches available, but that doesn’t necessarily translate to fixes in actual devices, which often run older software versions. Sometimes manufacturers haven’t created mechanisms to update this code, but in other situations they don’t manufacture the component it’s running on and simply don’t have control of the mechanism.
coordinated disclosure of the flaws with developers releasing patches, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and other vulnerability-tracking groups. Similar flaws found by Forescout and JSOF in other proprietary and open source TCP/IP stacks have already been found to expose hundreds of millions or even possibly billions of devices worldwide.
Issues show up so often in these ubiquitous network protocols because they’ve largely been passed down untouched through decades as the technology around them evolves. Essentially, since it ain’t broke, no one fixes it.
“For better or worse, these devices have code in them that people wrote 20 years ago—with the security mentality of 20 years ago,” says Ang Cui, CEO of the IoT security firm Red Balloon Security. “And it works; it never failed. But once you connect that to the Internet, it’s insecure. And that’s not that surprising, given that we’ve had to really rethink how we do security for general-purpose computers over those 20 years.”
notorious at this point, and it’s one that the security industry hasn’t been able to quash, because vulnerability-ridden zombie code always seems to reemerge.
“There are lots of examples of unintentionally recreating these low-level network bugs from the ’90s,” says Kenn White, co-director of the Open Crypto Audit Project. “A lot of it is about lack of economic incentives to really focus on the quality of this code.”
There’s some good news about the new slate of vulnerabilities the researchers found. Though the patches may not proliferate completely anytime soon, they are available. And other stopgap mitigations can reduce the exposure, namely keeping as many devices as possible from connecting directly to the Internet and using an internal DNS server to route data. Forescout’s Costante also notes that exploitation activity would be fairly predictable, making it easier to detect attempts to take advantage of these flaws.
When it comes to long-term solutions, there’s no quick fix given all the vendors, manufacturers, and developers who have a hand in these supply chains and products. But Forescout has released an open source script that network managers can use to identify potentially vulnerable IoT devices and servers in their environments. The company also maintains an open source library of database queries that researchers and developers can use to find similar DNS-related vulnerabilities more easily.
“It’s a widespread problem; it’s not just a problem for a specific kind of device,” Costante says. “And it’s not only cheap IoT devices. There’s more and more evidence of how widespread this is. That’s why we keep working to raise awareness.”
This story originally appeared on wired.com.