A set of flaws in a widely used network communication protocol that could affect millions of devices was revealed Monday by security researchers.
The nine vulnerabilities discovered by Forescout Research Labs and JSOF Research dramatically increase the attack surface of at least 100 million Internet of Things devices, exposing them to potential attacks that could take the devices offline or allow them to be hijacked by threat actors.
“History has shown that controlling IoT devices can be an effective tactic to launch DDoS attacks,” said Rohit Dhamankar, vice president for threat intelligence products at Alert Logic, an application and infrastructure security company in Houston.
“As the IoT devices get richer in functionality, it is possible for them to be under an attacker’s control, just like servers or desktops can be, and they can be further exploited to be beachheads in enterprise breaches,” he told TechNewsWorld.
Called Name:Wreck, the vulnerability set affects four popular TCP/IP stacks — FreeBSD, Nucleus NET, IPnet and NetX.
The researchers explained in a blog that Nucleus NET is part of Nucleus RTOS, a real-time operating system used by more than three billion devices, including ultrasound machines, storage systems, critical systems for avionics and others.
FreeBSD, the researchers noted, is widely used by high-performance servers in millions of IT networks and is also the basis for other well-known open-source projects, such as firewalls and several commercial network appliances.
They added that NetX is usually run by the ThreadX RTOS, which had 6.2 billion deployments in 2017 and can be found in medical devices, systems-on-a-chip and several printer models.
“Organizations in the healthcare and government sectors are in the top three most affected for all three stacks,” the researchers wrote. “If we conservatively assume that one percent of the more than 10 billion deployments discussed above are vulnerable, we can estimate that at least 100 million devices are impacted by Name:Wreck.”
Powerful Attack Vector
Security experts told TechNewsWorld that TCP/IP attacks can be particularly powerful.
“TCP/IP is the software that actually does all the communication from the device to other systems,” explained Gary Kinghorn, marketing director for Tempered Networks, a micro-segmentation company in Seattle.
“If it’s a network-based attack — as opposed to inserting a thumb drive in a USB port — you have to go through TCP/IP,” he said. “Corrupting the TCP/IP software to allow for vulnerabilities or exploiting errors in the design is the foundation of most attacks.”
Attacks on the TCP/IP stack can also circumvent some elementary security protections.
“Anytime you have an attack on TCP/IP and you don’t need a username or password, it’s easier to execute the attack,” observed Dhamankar.
“TCP/IP vulnerabilities are powerful because they can be exploited remotely over the Internet or on an intranet without having to subvert other security mechanisms like authentication,” added Bob Baxley, CTO of Bastille Networks, of San Francisco, a provider of threat detection and security for the Internet of Things.
In addition, once a device is compromised, there may be a bonus for a TCP/IP attacker. “In most cases, the code of TCP/IP stacks runs with high privileges, so any code execution vulnerability would allow an attacker to get significant privileges on the device,” said Asaf Karas, cofounder and CTO of Vdoo, a provider of security automation for embedded devices in Tel Aviv, Israel.
Although some of the vulnerabilities aired by the researchers can be fixed, the process can be problematic.
Baxley noted that patches have been released for FreeBSD, Nucleus NET and NetX.
“For the end devices that use those stacks, patching is theoretically possible,” he said. “But, in practice, many of the vulnerable systems are IoT devices running real-time operating systems that are not on a normal patch schedule and are unlikely to receive a patch.”
“IoT devices are usually handled with a ‘deploy and forget’ approach and are often only replaced after they fail or reach the end of their serviceability,” added Jean-Philippe Taggart, a senior security researcher at Malwarebytes.
“That isn’t a very effective approach,” he told TechNewsWorld.
Age can be another problem for IoT devices. “These systems can be patched, but they are generally very old implementations that may be used for scenarios they weren’t envisioned for,” Kinghorn observed.
“They are vulnerable based on their sheer complexity and inability to easily identify risks,” he continued. “It’s more often the case that hackers can exploit them before they are patched.”
“It has always been very hard to patch IoT vulnerabilities,” added Dhamankar. “It’s hard enough to get server and desktop vulnerabilities patched.”
Even without patches, there are ways to protect a network from exploiters of the vulnerabilities found by the Forescout and JSOF researchers.
Baxley explained that to exploit the Name:Wreck vulnerabilities, an attacker has to reply to a DNS request from the target device with a spoofed packet that has the malicious payload. To accomplish this, an attacker will need network access to the target device.
“Keeping devices, especially IoT devices, segmented from the Internet and core internal networks is one mechanism to mitigate the risk of exposure,” he said.
Monitoring DNS can also help defend against Name:Wreck. “Monitoring DNS activity in the environment and flagging any external DNS server activity is a good step,” Dhamankar observed.
“In general,” he added, “DNS is a great source to monitor for compromises with security analytics.”
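One way to implement the DNS monitoring described above, as an added example that is not part of the original article or the researchers' tooling: a Python scan over flow records that flags DNS traffic, in either direction, between IoT devices and servers outside an approved resolver list. The IoT segment, resolver addresses, record format and sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed site policy (hypothetical values): the IoT segment and the only
# resolvers its devices are allowed to talk to.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"),
                      ipaddress.ip_address("10.0.1.53")}

# Constructed flow records: timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
2021-04-13T10:00:01Z 10.20.0.15 49152 10.0.0.53 53 udp
2021-04-13T10:00:01Z 10.0.0.53 53 10.20.0.15 49152 udp
2021-04-13T10:00:07Z 10.20.0.22 50001 203.0.113.9 53 udp
2021-04-13T10:00:07Z 203.0.113.9 53 10.20.0.22 50001 udp
2021-04-13T10:00:09Z 10.20.0.15 443 10.0.5.8 51000 tcp
2021-04-13T10:00:12Z 198.51.100.77 53 10.20.0.31 53124 udp
malformed line
"""

def flag_unapproved_dns(flow_text):
    """Return {iot_device: sorted unapproved DNS servers it exchanged traffic with}."""
    findings = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records rather than abort the scan
        _, src, sport, dst, dport, _ = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            sport, dport = int(sport), int(dport)
        except ValueError:
            continue
        # Query direction: IoT device -> port 53 on some server.
        if src_ip in IOT_SEGMENT and dport == 53:
            device, server = src_ip, dst_ip
        # Response direction: port 53 on some server -> IoT device.
        elif dst_ip in IOT_SEGMENT and sport == 53:
            device, server = dst_ip, src_ip
        else:
            continue
        if server not in APPROVED_RESOLVERS:
            findings[str(device)].add(str(server))
    return {dev: sorted(srvs) for dev, srvs in findings.items()}

if __name__ == "__main__":
    for device, servers in flag_unapproved_dns(SAMPLE_FLOWS).items():
        print(f"{device}: DNS traffic with unapproved server(s) {', '.join(servers)}")
```

Checking the response direction as well as the query direction matters here, because a DNS reply arriving from a server the device was never supposed to use is itself worth an alert.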
Beefed-up access management can also thwart attackers. “If the system itself can’t be patched, and this may be the case for aging industrial control systems or other OT network devices and IoT endpoints, it’s important to ensure that the network only allows secure, trusted traffic to these devices,” Kinghorn explained.
“This is where Zero Trust designs can help, ensuring that only authorized devices can access these vulnerable systems,” he continued. “It can also help to continuously monitor and analyze traffic to those devices to ensure that potentially malicious or suspicious traffic is not reaching it.”
“IoT as a whole is a hotspot for security,” added Chris Morales, CISO of Netenrich, a security operations center services provider in San Jose, Calif.
“Weak passwords and hard-coded user accounts, lack of patching and outdated components, these latest vulnerabilities are just more for the stack of insecurity that is IoT,” he told TechNewsWorld.