December 6, 2021

robertlpham

Just another WordPress site

Critical Flaws in Millions of IoT Devices May Never Get Fixed

Yes, at this point it’s a cliché that cheap, generic internet-of-things products can harbor vulnerabilities that potentially expose millions or even billions of devices. And yet it’s no less urgent each time. Now, new research from the IoT security firm Forescout highlights 33 flaws in an open source internet protocol bundles that potentially expose millions of embedded devices to attacks like information interception, denial of service, and total takeover. The affected devices run the gamut: smart home sensors and lights, barcode readers, enterprise network equipment, building automation systems, and even industrial control equipment. They’re difficult if not impossible to patch—and introduce real risk that attackers could exploit these flaws as a first step into a vast array of networks.

At the Black Hat Europe security conference on Wednesday, Forescout researchers will detail the vulnerabilities found in seven open source TCP/IP stacks, the collection of network communication protocols that broker connections between devices and networks like the internet. The group estimates that millions of devices from more than 150 vendors likely contain the vulnerabilities, which they collectively call Amnesia:33.

The seven stacks are all open source and have been modified and republished in many forms. Five of the seven have been around for nearly 20 years, and two have circulated since 2013. That longevity means that there are many versions and variations of each stack out there with no central authority to issue patches. And even if there were, manufacturers who have incorporated the code into their products would need to proactively adopt the correct patch for their version and implementation, then distribute it to users.

“What scares me the most is that it’s very difficult to understand how big the impact is and how many more vulnerable devices are out there,” says Elisa Costante, vice president of research at Forescout. “These vulnerable stacks are open source, so everybody can take them and use them and you can document it or not. The 150 we have so far are the ones we could find that were documented. But I’m sure there are tons and tons of other vulnerable devices that we just don’t know about yet.”

published here
check
discover this
from this source
basics
read what he said
visit the site
browse around this web-site
visit this site
link
click for source
click this link now
blog
why not look here
more information
look at these guys
site link
helpful hints
pop over to this web-site
go to my site
see this page
browse around this website
view website
my sources
webpage
Discover More Here
Learn More Here
company website
click for info
Read Full Article
his response
click over here
take a look at the site here
more tips here
helpful resources
check out this site
look at this website
have a peek at this site
the original source
Continue
visit our website
visit this website
go to this website
pop over here
Home Page
Recommended Reading
these details
advice
try these out
check my reference
her comment is here
useful link
Resources
hop over to here
click this link here now
blog link
Continue eading
Click Here
Clicking Here
Go Here
Going Here
Read This
Read More
Find Out More
Discover More
Learn More
Read More Here
Discover More Here
Learn More Here
Click This Link
Visit This Link
Homepage
Home Page
Visit Website
Website
Web Site
Get More Info
Get More Information
This Site
More Info

Even worse, in many cases it wouldn’t actually be feasible for device makers themselves to push patches even if they wanted to or could. Many vendors get basic functionality like the TCP/IP stack from the “systems on a chip” provided by third-party silicon makers, who would need to be involved in a fix as well. And it’s far from a given that many of these parties would even have a way to deliver a patch. In some instances, for example, Forescout researchers found that vulnerabilities in a diverse array of devices could all be traced to one systems-on-a-chip maker that went bankrupt and is no longer in business.

“These situations are just such a ridiculous mess, I don’t know what else to say about it,” says Ang Cui, a longtime IoT hacker and CEO of the embedded security firm Red Balloon Security. “You can say, ‘Well IoT security is bad, it’s not a surprise.’ But there’s a real cumulative risk with each of these types of big, systemic revelations, and it may feel like a big surprise to most people when attackers come along and start actually exploiting them. We need to do better on securing these products.”

Many of the vulnerabilities the Forescout researchers found are basic programming oversights, like a lack of so-called input validation checks that keep a system from accepting problematic values or operations. Think about a calculator that produces an error when you try to divide by zero instead of crashing from the strain of trying to figure out how to do it. Many of the bugs are “memory corruption” flaws—hence the name Amnesia:33—that allow an attacker to read data from a device’s memory or add data to it such that they can exfiltrate information, crash the device at will, or take control. Some of the vulnerabilities also relate to internet connectivity mechanisms. like how the stack handles domain-name-system records and internet protocol addressing like IPv4 and the more recent IPv6.