100 Million Devices Vulnerable and Likely Never Patched

What could go wrong?

As we rush headlong to deploy billions of Internet of Things devices with no regard to security, that doesn’t make security problems go away.

Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.

And, like all good vulnerabilities, this set has a catchy name: NAME:WRECK.

While this particular bug does affect a lot of IoT devices, it also affects servers.

The servers are likely to get patched relatively quickly.

The IoT devices?  Well, when was the last time you patched your TV?

Oh, yeah, these vulnerabilities also affect industrial control equipment – like maybe your local water treatment plant or your local electric utility.

According to the researchers at Forescout and JSOF, the bugs affect the following TCP/IP stacks:

FreeBSD – this one is used by a whole lot of servers and will get fixed very quickly.

IPNet (AKA VxWorks 6.6) – used by the real time VxWorks operating system, which is used in a lot of Internet of Things devices.

NetX – Part of the ThreadX real time OS.  It is open source, but maintained by Microsoft as the Azure Real Time OS.

Nucleus Net – Part of the nucleus OS maintained by a division of Siemens.  It is used in medical devices, industrial control, aerospace, consumer devices and IoT devices.

Hackers who can exploit these bugs can take over the devices.  That means they could, potentially, disable alarm systems, mess with a water treatment plant or make all the elevators in a high rise office go crazy (they won’t likely crash; that is controlled by a different system).  If the vulnerable software runs a city’s traffic lights, it could, possibly, turn all the lights red.  Or all green.

These are all speculative, but if the hackers control the system, they could do almost anything and even lock the real owners out of the system.

It looks like most of these software packages are maintained.  By big companies – Microsoft.  Siemens.  And while FreeBSD is not commercial, it is very well maintained.

The problem is this.

DO YOU EVEN KNOW IF THE SYSTEMS IN YOUR COMPANY ARE RUNNING THIS SOFTWARE?  BY SYSTEMS I MEAN THAT CAMERA IN THE CORNER THAT YOU BOUGHT SOMEWHERE FIVE YEARS AGO OR THAT COOL NEW COFFEE MAKER WITH AN APP ON YOUR PHONE OR YOUR TV OR THE AIR CONDITIONING SYSTEM OR WHATEVER.

That is the problem.  The vast majority of these devices will never be patched.  Because people don’t even know they are vulnerable.  Some of those devices will be harmless, but others not so much.

Without a software bill of materials, no one knows what TCP/IP software is used in that smart TV.  Do you get the idea?

One thing that you can do is a really strong job of segmenting your network.  If you need help with that, contact us.
