Another 100 million IoT devices are exposed, and they won't be the last

Over the last few years, researchers have found a shocking number of vulnerabilities in the seemingly basic code that underlies how devices communicate with the internet. Now a new set of nine such vulnerabilities exposes about 100 million devices worldwide, including a range of Internet-of-Things products and IT management servers. The broader question researchers are struggling to answer, however, is how to bring about substantive change, and implement effective defenses, as more and more of these vulnerabilities pile up.

Dubbed NAME:WRECK, the newly disclosed flaws are in four ubiquitous TCP/IP stacks, the code that implements network protocols and establishes connections between devices and the internet. The vulnerabilities, present in operating systems such as the open source FreeBSD and in Nucleus NET from the industrial control company Siemens, all relate to how these stacks implement the Domain Name System, the internet's phonebook. Each would allow an attacker either to crash a device and take it offline or to gain remote control of it. Either outcome could wreak havoc on a network, especially in critical infrastructure, healthcare, or manufacturing settings, where compromising a connected device or IT server can disrupt an entire system or serve as a valuable foothold for moving deeper into a victim's network.
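The flaws described above live in the routine that turns a DNS reply's wire-format name into something the stack can use. As an added illustration (not code from the article, Forescout, JSOF, FreeBSD or Siemens, and not a reproduction of the specific NAME:WRECK bugs), the decoder below shows the checks an embedded DNS client must make before trusting a reply: every length octet and compression pointer is validated against the end of the message and the output buffer before any byte is copied, so a malformed message is rejected instead of overrunning memory or crashing the device. The three sample messages are constructed here for the demo; the pointer-chase cap is an arbitrary choice.

```c
/*
 * Bounds-checked decoder for DNS names (RFC 1035 sections 3.1 and 4.1.4).
 * Added example, not the page's or any vendor's code. Sample messages below
 * are constructed for this demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN   12   /* fixed DNS header */
#define DNS_MAX_LABEL 63   /* RFC 1035: label length fits in 6 bits */
#define DNS_MAX_NAME  255  /* RFC 1035: total wire length of a name */
#define DNS_MAX_JUMPS 16   /* assumed cap on compression pointers followed */

/*
 * Decode the name at msg[off] into a dotted, NUL-terminated string in out.
 * Returns the offset of the first octet after the name, or -1 if the name
 * is malformed, would read past msg_len, or would not fit in out.
 */
int dns_decode_name(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_len)
{
    size_t out_pos = 0, wire_len = 0;
    int end_off = -1;   /* set on the first pointer: where the name ends */
    int jumps = 0;

    if (msg == NULL || out == NULL || out_len == 0 || msg_len > 65535)
        return -1;

    for (;;) {
        if (off >= msg_len)
            return -1;                          /* length octet past the end */
        uint8_t len = msg[off];

        if ((len & 0xC0) == 0xC0) {             /* compression pointer */
            if (off + 1 >= msg_len)
                return -1;                      /* truncated pointer */
            size_t ptr = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (ptr >= off)
                return -1;                      /* not strictly backwards: loop */
            if (++jumps > DNS_MAX_JUMPS)
                return -1;
            if (end_off < 0)
                end_off = (int)(off + 2);       /* rest of name lives elsewhere */
            off = ptr;
            continue;
        }
        if (len & 0xC0)
            return -1;                          /* 0x40/0x80 label types unsupported */

        off++;
        wire_len += 1 + len;
        if (wire_len > DNS_MAX_NAME)
            return -1;                          /* name longer than RFC allows */
        if (len == 0)
            break;                              /* root label: end of name */
        if (len > DNS_MAX_LABEL || off + len > msg_len)
            return -1;                          /* label runs past the message */

        /* room for separator (if not first label), the label, and the NUL */
        if (out_pos + (out_pos ? 1 : 0) + len + 1 > out_len)
            return -1;
        if (out_pos)
            out[out_pos++] = '.';
        memcpy(out + out_pos, msg + off, len);
        out_pos += len;
        off += len;
    }
    out[out_pos] = '\0';                        /* root name decodes as "" */
    return end_off >= 0 ? end_off : (int)off;
}

/* Decode the QNAME of the first question in a DNS message. */
int dns_question_name(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    if (msg_len < DNS_HDR_LEN)
        return -1;
    return dns_decode_name(msg, msg_len, DNS_HDR_LEN, out, out_len);
}

/* Constructed: well-formed response for example.com; the answer's owner name
 * at offset 29 is a compression pointer back to the question name at 12. */
static const uint8_t GOOD_MSG[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,        /* header */
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,      /* QNAME */
    0, 1, 0, 1,                                             /* QTYPE, QCLASS */
    0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10, 0, 4,         /* answer RR head */
    93, 184, 216, 34                                        /* A rdata */
};
/* Constructed: label claims 60 octets but the message ends after 3. */
static const uint8_t OVERRUN_MSG[] = {
    0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0, 60, 'a', 'b', 'c'
};
/* Constructed: compression pointer that points at itself. */
static const uint8_t LOOP_MSG[] = {
    0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0, 0xC0, 0x0C
};

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    int r = dns_question_name(GOOD_MSG, sizeof GOOD_MSG, name, sizeof name);
    printf("question: %s (ends at %d)\n", r < 0 ? "rejected" : name, r);
    r = dns_decode_name(GOOD_MSG, sizeof GOOD_MSG, 29, name, sizeof name);
    printf("answer owner: %s (ends at %d)\n", r < 0 ? "rejected" : name, r);
    r = dns_question_name(OVERRUN_MSG, sizeof OVERRUN_MSG, name, sizeof name);
    printf("overrun: %s\n", r < 0 ? "rejected" : name);
    r = dns_question_name(LOOP_MSG, sizeof LOOP_MSG, name, sizeof name);
    printf("loop: %s\n", r < 0 ? "rejected" : name);
    return 0;
}
```

The point of the example is where the checks sit: each is made against the attacker-controlled length octet before the copy, and a pointer is only honoured if it points strictly backwards, which rules out loops without relying on the jump cap alone. A decoder that trusts the length octet, or follows pointers freely, is what turns a single crafted reply into the crash or remote code execution the article describes.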

All of the vulnerabilities, discovered by researchers at the security firms Forescout and JSOF, now have patches available, but that does not necessarily translate into fixes in real devices, which often run older versions of the software. In some cases manufacturers never built a mechanism to update this code; in others, they did not make the component the stack runs on and simply do not control its update mechanism.

“Despite all these findings, I know it may seem like we're just bringing problems to the table, but we're really trying to raise awareness, work with the community and find ways to address it,” said Elisa Costante, vice president of research at Forescout, who has done other similar research through an effort she calls Project Memoria. “We analyzed more than 15 TCP/IP stacks, both proprietary and open source, and we found that there is no real difference in quality. But these common elements are also useful, because we have found that they have similar weaknesses. When we look at a new stack, we can go and look in the same places and share common issues with other researchers as well as developers.”

Researchers have not yet seen evidence that attackers are actively exploiting these types of vulnerabilities in the wild. But with hundreds of millions, and perhaps billions, of devices potentially affected across the various findings, the exposure is significant.

Siemens chief cybersecurity officer Kurt John told WIRED in a statement that the company “works closely with governments and industry partners to mitigate vulnerabilities … In this case, we are pleased to have worked with such a partner, Forescout, to quickly identify and mitigate the vulnerability.”

The researchers coordinated disclosure of the flaws with the developers who released the patches, with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, and with other vulnerability tracking groups. Similar flaws that Forescout and JSOF previously found in other proprietary and open source TCP/IP stacks have already been shown to expose hundreds of millions, or even billions, of devices worldwide.

Problems turn up so often in these ubiquitous networking protocols because their implementations have been passed down largely untouched over the decades while the technology around them evolved. In essence, if it isn't broken, nobody fixes it.

“For better or worse, these devices have code in them that people wrote 20 years ago, with the security mindset of 20 years ago,” says Ang Cui, CEO of the IoT security firm Red Balloon Security. “And it works; it never failed. But once you connect that to the internet, it's insecure. And this is not so surprising, given that we have had to really rethink how we ensure the security of general-purpose computers over these 20 years.”
