Critical Flaws in Millions of IoT Devices May Never Get Fixed


Yes, at this point it's a cliche that cheap, generic internet of things products can harbor vulnerabilities that potentially expose millions or even billions of devices. And yet it's no less urgent each time. Now, new research from the IoT security firm Forescout highlights 33 flaws in open source internet protocol implementations that potentially expose millions of embedded devices to attacks like information interception, denial of service, and total takeover. The affected devices run the gamut: smart home sensors and lights, barcode readers, enterprise network equipment, building automation systems, and even industrial control equipment. They're difficult if not impossible to patch—and introduce real risk that attackers could exploit these flaws as a first step into a vast array of networks.


At the Black Hat Europe security conference on Wednesday, Forescout researchers will detail the vulnerabilities found in seven open source "TCP/IP stacks," the collection of network communication protocols that broker connections between devices and networks like the internet. The group estimates that millions of devices from more than 150 vendors likely contain the vulnerabilities, which they collectively call Amnesia:33.


The seven stacks are all open source and have been modified and republished in many forms. Five of the seven have been around for nearly 20 years, and two have circulated since 2013. That longevity means that there are many versions and variations of each stack out there with no central authority to issue patches. And even if there were, manufacturers who have incorporated the code into their products would need to proactively adopt the correct patch for their version and implementation, then di ..
