Skip to main content

Millions of IoT devices could be vulnerable to these unfixable security bugs

IoT devices
(Image credit: Shutterstock)

IoT devices may in fact end up being the asbestos of the future after all as new research from Forescout has revealed that there are 33 new memory-corrupting vulnerabilities which affect millions of connected devices around the world.

These flaws impact four open source TCP/IP stacks (uIP, PicoTCP, FNET, and Nut/Net) which serve as the foundational components of millions of connected devices including smart home sensors and lights, barcode readers, building automation systems, enterprise network equipment and even industrial control systems. 

Researchers at Forescout will present their findings on these new vulnerabilities, which they have dubbed Amnesia:33, at this year's Black Hat Europe security conference. The researchers estimate that millions of devices from over 150 vendors likely contain the vulnerabilities that could expose embedded devices to denial of service attacks, remote code execution, information leak, DNS cache poisioning and even total takeover.

To make matters worse, patching all of the affected devices will be near impossible as they're all built on open source stacks that have been modified and republished multiple times over the years.

Amnesia:33

Using open source software components can certainly have its benefits but in this case, it will be extremely difficult for IoT device manufacturers to patch their products and distribute these updates to users.

VP of research at Forescout Elisa Costante provided further insight on the potential impact of Amnesia:33 to Wired, saying:

"What scares me the most is that it’s very difficult to understand how big the impact is and how many more vulnerable devices are out there. These vulnerable stacks are open source, so everybody can take them and use them and you can document it or not. The 150 we have so far are the ones we could find that were documented. But I'm sure there are tons and tons of other vulnerable devices that we just don't know about yet."

By exploiting any of the Amnesia:33 vulnerabilities, an attacker could take full control of a connected device and use it as an entry point on a network, a pivot point for lateral movement, a persistence point on the target network or as the final target of an attack.

Enterprise organizations are at risk from Amnesia:33 as they could have their corporate networks compromised while consumers could see their IoT devices used as part of a botnet without their knowledge due to an attacker exploiting these vulnerabilities. At this time though, it's still difficult to gauge the full impact of Amnesia:33 because the vulnerable stacks are so wide spread, highly modular and are often incorporated in embedded components such as systems-on-a-chip (SoCs) used by device manufacturers.

We'll likely find out more about the full impact of Amnesia:33 once Forescout presents its findings at Black Hat Europe and others in the cybersecurity community begin their own investigations into the matter.

Via Wired