100 million more IoT devices are exposed – and they won’t be the last


Elena Lacey

In recent years, researchers have found a shocking number of vulnerabilities in the seemingly simple code that lets devices communicate over the Internet. A newly disclosed set of nine such vulnerabilities exposes an estimated 100 million devices worldwide, including a range of Internet of Things products and IT management servers. The bigger question researchers are trying to answer, however, is how to drive meaningful change and effective countermeasures as these types of vulnerabilities become more and more common.

Dubbed Name:Wreck, the newly uncovered bugs reside in four widely used TCP/IP stacks, the code that implements the network protocols devices rely on to connect to one another and to the Internet. The flaws, found in operating systems such as the open source project FreeBSD and in Nucleus NET from the industrial control company Siemens, all relate to how these stacks implement the Domain Name System, the Internet's phone book. Every one of them would allow an attacker either to crash a device and knock it offline or to take control of it remotely. Either outcome can wreak havoc on a network, especially in critical infrastructure, healthcare, or manufacturing environments, where compromising a connected device or IT server can disrupt an entire system or serve as a valuable foothold for digging deeper into the victim's network.

All of the vulnerabilities discovered by researchers from the security firms Forescout and JSOF are now patched. However, that does not necessarily mean the fixes reach actual devices, which often run older software versions. Sometimes manufacturers haven't built a mechanism to update this code; in other cases they don't make the component the code runs on and simply have no control over how it gets updated.


“With all of this in mind, it may seem like we’re just bringing problems to the table, but we’re really trying to raise awareness, work with the community, and find ways to address this,” says Elisa Costante, vice president of research at Forescout, who has done other, similar research on a project called Project Memoria. “We analyzed more than 15 TCP/IP stacks, both proprietary and open source, and found that there was no real difference in quality. However, these similarities are also helpful because we have found that they have similar vulnerabilities. When we analyze a new batch, we can look at the same places and share these common problems with other researchers and developers.”

The researchers have not yet seen any evidence that attackers are actively exploiting these types of vulnerabilities in the wild. But with hundreds of millions, maybe billions, of devices potentially affected by many different flaws, the exposure is significant.

Kurt John, Siemens USA’s chief cybersecurity officer, told Wired in a statement that the company “works closely with governments and industry partners to mitigate vulnerabilities. In this case, we are pleased to have worked with such a partner, Forescout, to quickly identify the weak points and mitigate the vulnerabilities.”

The researchers coordinated disclosure of the flaws with the developers who released patches, with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, and with other vulnerability tracking groups. Similar bugs that Forescout and JSOF found in other proprietary and open source TCP/IP stacks have exposed hundreds of millions, and possibly even billions, of devices worldwide.

Problems are so common in these ubiquitous network protocols because the code has been passed down largely untouched for decades while the technology around it evolved. Since it isn't broken, essentially no one fixes it.

“Good or bad, these devices contain code that people wrote 20 years ago – with the security mindset from 20 years ago,” said Ang Cui, CEO of IoT security company Red Balloon Security. “And it works; it never failed. But as soon as you connect that to the internet, it’s unsafe. And that’s not surprising, since over these 20 years we’ve really had to rethink how we keep general purpose computers safe.”


The problem is notorious at this point, and the security industry has not been able to stamp it out; the vulnerable zombie code keeps popping up.

“There are many examples of the inadvertent recreation of these low-level network bugs from the 1990s,” said Kenn White, co-director of the Open Crypto Audit Project. “Many of them are about the lack of economic incentives to really focus on the quality of this code.”

There is some good news about the new vulnerabilities the researchers found. Although the patches may not propagate to every affected device quickly, they are available. Other mitigations can also reduce exposure: keep as many devices as possible from connecting directly to the Internet, and route their DNS traffic through an internal DNS server instead. Forescout's Costante also notes that exploitation attempts would look fairly predictable, making it easier to spot efforts to abuse these flaws.

When it comes to long-term solutions, there is no quick fix that covers all of the vendors, manufacturers, and developers involved in these supply chains and products. However, Forescout has released an open source script that network managers can use to identify potentially vulnerable IoT devices and servers in their environments. The company also maintains an open source library of database queries that help researchers and developers find similar DNS-related vulnerabilities.
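The article says the flaws lie in how these stacks implement DNS, but does not describe the specific parsing mistakes. The following is an added illustration, not code from the article, from Forescout or JSOF, or from any of the affected stacks: a small DNS response parser that applies the bounds checks the DNS wire format (RFC 1035) calls for, so that a truncated, oversized, or self-referencing message is rejected with an error instead of reading past the buffer or looping. The 16-hop limit on compression pointers is this example's own choice, and the sample messages are constructed here.

```python
"""Defensive DNS message parser (added example; not the article's, Forescout's
or any stack's code). Every read is bounds-checked, so a hostile response
is rejected rather than crashing the parser. Limits are from RFC 1035;
MAX_POINTER_JUMPS is our own assumption; sample messages are constructed."""
from __future__ import annotations
import struct

MAX_LABEL_LEN = 63        # RFC 1035: a label is at most 63 octets
MAX_NAME_LEN = 255        # RFC 1035: a whole name is at most 255 octets
MAX_POINTER_JUMPS = 16    # assumed cap on compression-pointer hops
HEADER_LEN = 12


class DnsParseError(ValueError):
    """Raised for any message that violates the wire format or our limits."""


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Parse a possibly compressed name at `offset`.

    Returns (dotted name, offset just past the name as written at `offset`).
    Compression pointers may only point backwards, and the name length and
    hop count are capped, so no message can make us read out of bounds or
    loop forever.
    """
    labels, name_len, pos, end_after, jumps = [], 0, offset, None, 0
    while True:
        if pos >= len(msg):
            raise DnsParseError("name runs past end of message")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:                 # two-byte compression pointer
            if pos + 1 >= len(msg):
                raise DnsParseError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:
                raise DnsParseError("compression pointer does not point backwards")
            if end_after is None:
                end_after = pos + 2                 # name ends after the first pointer
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise DnsParseError("too many compression pointers")
            pos = target
            continue
        if length & 0xC0:
            raise DnsParseError("reserved label type")
        if length == 0:                             # root label terminates the name
            pos += 1
            break
        if length > MAX_LABEL_LEN:
            raise DnsParseError("label longer than 63 octets")
        if pos + 1 + length > len(msg):
            raise DnsParseError("label runs past end of message")
        name_len += 1 + length
        if name_len > MAX_NAME_LEN:
            raise DnsParseError("name longer than 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("latin-1"))
        pos += 1 + length
    return ".".join(labels) + ".", (end_after if end_after is not None else pos)


def parse_message(msg: bytes) -> dict:
    """Parse header, questions and all resource records with bounds checks."""
    if len(msg) < HEADER_LEN:
        raise DnsParseError("header truncated")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:HEADER_LEN])
    pos, questions, records = HEADER_LEN, [], []
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        if pos + 4 > len(msg):
            raise DnsParseError("question truncated")
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise DnsParseError("resource record header truncated")
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlength > len(msg):             # trusting RDLENGTH blindly is the classic over-read
            raise DnsParseError("RDLENGTH exceeds message")
        records.append((name, rtype, ttl, msg[pos:pos + rdlength]))
        pos += rdlength
    return {"id": txid, "flags": flags, "questions": questions, "records": records}


def is_well_formed(msg: bytes) -> bool:
    """True if the message parses cleanly; False for anything we reject."""
    try:
        parse_message(msg)
        return True
    except DnsParseError:
        return False


# Constructed sample: a normal answer for example.com pointing at 192.0.2.1 (TEST-NET address).
GOOD_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"          # question: example.com A IN
    + b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x0e\x10"  # answer name -> offset 12, A IN, TTL 3600
    + b"\x00\x04" + bytes([192, 0, 2, 1])                       # RDLENGTH 4, RDATA
)
# Constructed malformed variants that a careless parser would mishandle.
BAD_RDLENGTH = GOOD_RESPONSE[:-6] + b"\xff\xff" + GOOD_RESPONSE[-4:]
LOOPING_NAME = struct.pack("!6H", 0, 0, 1, 0, 0, 0) + b"\x01a\xc0\x0c" + b"\x00\x01\x00\x01"
LONG_LABEL = struct.pack("!6H", 0, 0, 1, 0, 0, 0) + b"\x40" + b"A" * 64 + b"\x00" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    for label, sample in [("good", GOOD_RESPONSE), ("bad rdlength", BAD_RDLENGTH),
                          ("looping name", LOOPING_NAME), ("long label", LONG_LABEL)]:
        print(f"{label}: {'accepted' if is_well_formed(sample) else 'rejected'}")
```

The three rejected samples each exercise a different check: an RDLENGTH larger than the remaining message, a name whose compression pointer leads back into itself, and a label longer than the 63-octet limit. A stack that skips any one of these checks turns a single crafted response into a crash or worse, which is why routing device DNS traffic through an internal resolver that enforces the format is a useful stopgap until firmware is updated.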

“It’s a common problem. This isn’t just a problem for one type of device,” says Costante. “And it’s not just cheap IoT devices. There is growing evidence of how widespread this is. That is why we continue to work on raising awareness.”

This story originally appeared on


Steven Gregory