Over the past few years, researchers have found a staggering number of vulnerabilities in seemingly basic code that underpins how devices communicate with the Internet. Now a whole new set of such vulnerabilities exposes an estimated 100 million devices worldwide, including a range of Internet-of-Things products and IT management servers. The bigger question researchers are trying to answer, though, is how to drive substantial change, and deploy effective defenses, as these types of vulnerabilities keep piling up.
Dubbed Name:Wreck, the newly reported flaws sit in four widely used TCP/IP stacks, the code that implements the network protocols a device needs to talk to other devices and to the Internet. The vulnerabilities, present in operating systems such as the open-source FreeBSD as well as Nucleus NET from industrial-control vendor Siemens, all relate to how these stacks implement the Domain Name System, the Internet's phone book. Each of them would let an attacker crash a device and knock it offline, or take control of it remotely. Such attacks can wreak havoc on a network, especially in critical infrastructure, healthcare, or manufacturing settings, where compromising a connected device or an IT server can disrupt an entire system or serve as a valuable foothold for moving deeper into a victim's network.
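The article does not describe the individual bugs. As an added illustration of the class it describes, and not code from FreeBSD, Nucleus NET or any other stack mentioned here, the C below decodes a DNS name from a wire-format message two ways: the trusting shape that old embedded parsers tend to have, and a version with the checks that keep a hostile reply from crashing the device or corrupting memory. The format itself (length-prefixed labels and two-octet compression pointers) is RFC 1035; the error codes, function names, 255-octet and 63-octet limits as applied here, and the sample messages are assumptions made for this example.

```c
/* Added illustration of DNS name decoding, vulnerable shape beside a hardened one.
 * Not code from any stack named in the article; names, error codes and sample
 * messages are assumptions for this example. Wire format per RFC 1035. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum {
    DNS_ERR_TRUNC   = -1,  /* a length or pointer reaches past the end of the message */
    DNS_ERR_PTR     = -2,  /* compression pointer does not point strictly backward   */
    DNS_ERR_LABEL   = -3,  /* reserved label type (top bits 01 or 10)                */
    DNS_ERR_TOOLONG = -4   /* name exceeds 255 wire octets or the caller's buffer    */
};
#define DNS_NAME_MAX  255
#define DNS_LABEL_MAX 63

/* Trusting version: believes every length octet and pointer, assumes 'out' is big
 * enough, and follows pointer chains without limit. A length larger than what is
 * left in the packet reads past it, a pointer to itself spins forever, and a long
 * name overruns 'out'. On well-formed replies it works, which is how such code
 * survives for years. Never call it on untrusted input. */
int dns_name_decode_unchecked(const uint8_t *pkt, size_t off, char *out)
{
    size_t o = 0;
    for (;;) {
        uint8_t len = pkt[off++];
        if (len == 0) break;
        if ((len & 0xC0) == 0xC0) {                      /* compression pointer */
            off = ((size_t)(len & 0x3F) << 8) | pkt[off];
            continue;                                    /* no loop or bounds check */
        }
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + off, len);                 /* no room check on out */
        o += len; off += len;
    }
    out[o] = '\0';
    return (int)o;
}

/* Hardened version: returns the text length of the name or a DNS_ERR_* code.
 * Every read is checked against pkt_len. A pointer must target an offset lower than
 * anything visited so far, which is what a correct compressor emits and is the
 * property that makes loops impossible. Labels and the whole name respect the RFC
 * limits, and nothing is written past out_len. */
int dns_name_decode(const uint8_t *pkt, size_t pkt_len, size_t off,
                    char *out, size_t out_len)
{
    size_t o = 0, wire = 0, lowest = off;
    if (out_len == 0) return DNS_ERR_TOOLONG;
    for (;;) {
        if (off >= pkt_len) return DNS_ERR_TRUNC;
        uint8_t len = pkt[off];
        if (len == 0) break;
        if ((len & 0xC0) == 0xC0) {
            if (off + 1 >= pkt_len) return DNS_ERR_TRUNC;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[off + 1];
            if (target >= lowest) return DNS_ERR_PTR;   /* forward, self, or repeat */
            lowest = off = target;
            continue;
        }
        if (len & 0xC0) return DNS_ERR_LABEL;
        off++;
        if (len > DNS_LABEL_MAX || len > pkt_len - off) return DNS_ERR_TRUNC;
        wire += 1 + len;                                 /* length octet + label */
        if (wire + 1 > DNS_NAME_MAX) return DNS_ERR_TOOLONG;   /* +1: terminator */
        if (o + (o ? 1 : 0) + len + 1 > out_len) return DNS_ERR_TOOLONG;
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + off, len);
        o += len; off += len;
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed sample messages, not captured traffic; 12 zero bytes stand in for the header. */
#define HDR 0,0,0,0,0,0,0,0,0,0,0,0
const uint8_t PKT_GOOD[]  = { HDR,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* offset 12 */
    4,'m','a','i','l', 0xC0, 16 };       /* offset 29: "mail" + pointer to offset 16 */
const uint8_t PKT_LOOP[]  = { HDR, 1,'a', 0xC0, 12 };        /* "a" then pointer to itself */
const uint8_t PKT_OOB[]   = { HDR, 3,'f','t','p', 0xC1, 0 }; /* pointer to offset 256 */
const uint8_t PKT_TRUNC[] = { HDR, 5,'a','b' };              /* claims 5 bytes, 2 present */

int main(void)
{
    char name[DNS_NAME_MAX];
    int n = dns_name_decode(PKT_GOOD, sizeof PKT_GOOD, 29, name, sizeof name);
    printf("good:  %d %s\n", n, name);
    printf("loop:  %d\n", dns_name_decode(PKT_LOOP,  sizeof PKT_LOOP,  12, name, sizeof name));
    printf("oob:   %d\n", dns_name_decode(PKT_OOB,   sizeof PKT_OOB,   12, name, sizeof name));
    printf("trunc: %d\n", dns_name_decode(PKT_TRUNC, sizeof PKT_TRUNC, 12, name, sizeof name));
    return 0;
}
```

The three malformed messages are each a single bad byte away from a valid reply, which is the point: a parser that only handles the happy path has no way to tell them apart from real traffic until it has already read or written out of bounds. The "lower than anything visited so far" rule for pointers is stricter than a plain backward check (a pointer back to the start of the current name passes a backward check and still loops) and costs nothing on legitimate messages.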
All of the vulnerabilities, discovered by researchers at the security firms Forescout and JSOF, now have patches available, but that does not necessarily translate into fixes on real devices, which often run older versions of the software. Sometimes manufacturers never built a mechanism for updating this code; in other cases they do not make the component it runs on and simply have no control over the update mechanism.
“With all of these findings, I know it may seem like we’re just putting problems on the table, but we’re really trying to raise awareness, work with the community, and figure out ways to fix it,” says Elisa Costante, vice president of research at Forescout, who has done other similar research through an effort she calls Project Memoria. “We have analyzed more than 15 TCP/IP stacks, both proprietary and open source, and we have found that there are no real differences in quality. But these points in common are also useful, as we have found them to have similar weaknesses. When we analyze a new stack, we can look at these same spots and share those common problems with other researchers and developers.”
Researchers have yet to see evidence that attackers are actively exploiting such vulnerabilities in the wild. But with hundreds of millions, perhaps billions, of devices potentially affected across the various findings, the exposure is significant.
Siemens cybersecurity manager Kurt John told WIRED in a statement that the company “works closely with governments and industry partners to mitigate vulnerabilities … In this case we are pleased to have partnered with one of these partners, Forescout, to identify and mitigate the vulnerability quickly.”
The researchers coordinated disclosure of the flaws with the developers who released patches, with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and with other vulnerability-tracking groups. Earlier research by Forescout and JSOF found similar flaws in other proprietary and open-source TCP/IP stacks, exposing hundreds of millions or even billions of devices worldwide.
Problems crop up so often in these ubiquitous protocol implementations because the code has largely been handed down for decades while the technology around it evolved. Essentially, since it doesn’t break, no one fixes it.
“For better or worse, these devices have code that people wrote 20 years ago, with the security mindset of 20 years ago,” says Ang Cui, CEO of the IoT security firm Red Balloon Security. “And it works; it never failed. But once you connect it to the internet, it’s insecure. And this is not surprising, since we have had to rethink how we do security for general-purpose computers over these 20 years.”