Within the last few years, researchers have discovered a shocking number of vulnerabilities in seemingly basic code that underlies the way devices communicate with the Internet. Today, a new set of nine such vulnerabilities exposes approximately 100 million devices worldwide, including a range of Internet of Things products and IT management servers. The biggest question researchers are grappling with, however, is how to bring about substantial change – and implement effective defenses – as more and more of these types of vulnerabilities pile up.
Dubbed Name:Wreck, the newly revealed flaws lie in four ubiquitous TCP/IP stacks, code that integrates network communication protocols to establish connections between devices and the Internet. The vulnerabilities, present in operating systems like the open source project FreeBSD, as well as Nucleus NET from the industrial control company Siemens, are all linked to the way in which these stacks implement the Internet's “Domain Name System” directory. They would all allow an attacker to crash a device and take it offline or take control of it remotely. Both of these attacks could potentially wreak havoc in a network, especially in critical infrastructure, healthcare, or manufacturing environments, where infiltration of a connected device or computer server can disrupt an entire system or serve as a valuable starting point to burrow deeper into the victim's network.
All of the vulnerabilities, discovered by researchers at security companies Forescout and JSOF, now have patches available, but that doesn’t necessarily translate into fixes on real devices, which often run older versions of software. Sometimes manufacturers haven’t created mechanisms to update this code, but in other situations, they don’t manufacture the component it runs on and simply don’t have control of the update mechanism.
“With all of these findings, I know it may seem like we’re just raising issues, but we’re really trying to raise awareness, work with the community and find ways to fix it,” says Elisa Costante, vice president of research at Forescout, who has done other similar research as part of an effort called Project Memoria. “We analyzed more than 15 TCP/IP stacks, both proprietary and open source, and found that there is no real difference in quality. But these commonalities are also helpful, as we found that they have similar weak points. When we analyze a new stack, we can go and look at those same places and share these common issues with other researchers as well as developers.”
Researchers have yet to see any evidence that attackers are actively exploiting these types of vulnerabilities in the wild. But with hundreds of millions, if not billions, of devices potentially affected by many different discoveries, the exposure is significant.
Siemens chief cybersecurity officer Kurt John told WIRED in a statement that the company “is working closely with governments and industry partners to mitigate vulnerabilities … In this case, we are happy to have worked with one of these partners, Forescout, to quickly identify and mitigate the vulnerability.”
Researchers coordinated the disclosure of the flaws with the developers releasing patches, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and other vulnerability monitoring groups. Similar flaws found by Forescout and JSOF in other proprietary and open source TCP/IP stacks have already been found to expose hundreds of millions, if not billions, of devices around the world.
Problems appear so often in these ubiquitous network protocols because they have largely been passed down intact over the decades as the technology around them evolved. Basically, since it isn’t broken, no one fixes it.
“For better or worse, these devices contain code that people wrote 20 years ago – with the security mindset of 20 years ago,” says Ang Cui, CEO of the IoT security company Red Balloon Security. “And it works, it has never failed. But once you connect to the internet it’s not secure, and that’s not that surprising given that we’ve had to really rethink the way we keep general purpose computers safe over the past 20 years.”