Researchers discover 33 vulnerabilities affecting 'millions' of IoT, smart home devices

Posted:
in General Discussion
Cybersecurity researchers have discovered a slew of vulnerabilities included in foundational, open source software used in "millions" of smart home and IoT devices.

Credit: Malcolm Owen, AppleInsider
Credit: Malcolm Owen, AppleInsider


The 33 vulnerabilities, disclosed by cybersecurity firm Forescout, impact four open source TCP/IP stacks that are used in devices created by more than 150 vendors. Together, the 33 vulnerabilities, which include four critical security flaws, are dubbed "AMNESIA:33."

According to Forescout, the vulnerabilities cause memory corruption, which could allow attackers to compromise devices, execute malicious code, steal sensitive information, and perform denial-of-service attacks.

Most of the affected devices are consumer-facing products like remote temperature sensors and cameras. However, they can range from simple smart plugs and office routers, to industrial control system components and healthcare appliances.

The seriousness of the flaws, as well as their widespread nature, lead the Cybersecurity and Infrastructure Security Agency to issue a bulletin advising users and manufacturers of the threat. It recommended defensive measures such as removing critical infrastructure from the internet.

Despite the potential for exploitation, CISA noted that there does not appear to be any active public exploits specifically targeting these vulnerabilities in the wild.

However, one of the worrying aspects of the vulnerabilities is the fact that they exist in open source software, Forescout said. That could mean addressing them much more difficult, since open source software is often maintained by volunteers and some of the vulnerable code is two decades old.

It'll be up to device manufacturers to identify and patch the vulnerabilities. Though, because some of the compromised code exists in a third-party component, the component's use must have been documented for device makers to know that it's there.

Forescout alerted U.S., German, and Japanese cybersecurity authorities in addition to as many of the device vendors that it could.

A full list of the affected devices has yet to be released. The list is said to include Siemens, Genetec, Devolo, NT-Ware, Microchip, and Nanotec.

It's recommended that users with smart home devices check the manufacturer's website for the latest patch and security information. Beyond that, it'll mostly be up to manufacturers to mitigate and resolve the issue.

Apple's HomeKit protocol itself isn't affected by the security flaws. However, many devices utilize more than one networking protocol or have multiple home automation system compatibilities, and as such, may be vulnerable to attack should one manifest.

Comments

  • Reply 1 of 18
    Is anyone with even half a clue about IT surprised by this sort of thing?
    I decided a long time ago that I'd not be having any IoT [redacted] kit in my home. To me, they are a disaster waiting to happen.
    I'm sure that it won't be very long before your home insurance company starts demanding to know if you have things like Smart Doorbells with camera's etc installed. Watch out for insurance rates to rise accordingly.
    magman1979dysamoriajony0
  • Reply 2 of 18
    Some are more insecure than others. But they have hardly any penetration into homes (total population in the US that has smart devices is what?) Insurance companies won't really care if you have a doorbell cam for a very long time. And most people's garbage is a bigger security risk unless you have gone full nuts and shred everything and remove your finger prints from soda cans. And what about ANY Amazon device? Smart speakers, and 'internet ready' TV's are the worst culprits for poor network security measures.
    watto_cobra
  • Reply 3 of 18
    maestro64maestro64 Posts: 5,005member
    Okay I get using IoT devices to initiate a DOS attach, beyond this not sure how dangerous they can be, unless they going to unplug themselves and attack me.

    However, not sure most of my IoT devices can tell anyone about me, most do not require any sort of login credential the ones that do, i use a throw away email account and a randomly made up password. All my computer on my home network are macs and we know how hard it is to hack them unless you have direct access to the computer. 

    Yes in theory they can do all kinds of things under perfect circumstance, but in reality does anyone know if they will take over your home and make you do things you not want to do. Seriously if my lights start blinking when they should not, the device is getting tossed or reset. 
    chasmwatto_cobra
  • Reply 4 of 18
    DAalsethDAalseth Posts: 1,735member
    Is anyone with even half a clue about IT surprised by this sort of thing?
    I decided a long time ago that I'd not be having any IoT [redacted] kit in my home. To me, they are a disaster waiting to happen.
    I'm sure that it won't be very long before your home insurance company starts demanding to know if you have things like Smart Doorbells with camera's etc installed. Watch out for insurance rates to rise accordingly.
    I agree completely. The security of these is always been suspect. 
    To me there’s two kinds of IOT things though:
    Smart speakers, room cameras, and other surveillance devices. I don’t own any, and won’t.
    Then there’s things like smart light bulbs, thermostats, light fixtures, and such. I keep asking myself WHY they need to be connected to the internet? Seriously, though the potential for mischief is low, why? I can turn on our ceiling fan with a local remote. My thermostat is programmed, but it’s all internal, no outside data connection. The lights over my driveway come on when I get home. No internet, they are classic motion sensor lights that have been available for decades. I honestly don’t see the POINT of connecting most of these things to the web. I’m not going to be turning my living room lights on when I’m at work.

    And don’t get me started on how absurd things like internet connected refrigerators etc., are IMO. For reference to see who is at my front door I don’t have a doorbell with a camera, I have a window.

    edited December 2020 rotateleftbytedysamoria
  • Reply 5 of 18
    mike1mike1 Posts: 2,757member
    DAalseth said:
    Is anyone with even half a clue about IT surprised by this sort of thing?
    I decided a long time ago that I'd not be having any IoT [redacted] kit in my home. To me, they are a disaster waiting to happen.
    I'm sure that it won't be very long before your home insurance company starts demanding to know if you have things like Smart Doorbells with camera's etc installed. Watch out for insurance rates to rise accordingly.
    I agree completely. The security of these is always been suspect. 
    To me there’s two kinds of IOT things though:
    Smart speakers, room cameras, and other surveillance devices. I don’t own any, and won’t.
    Then there’s things like smart light bulbs, thermostats, light fixtures, and such. I keep asking myself WHY they need to be connected to the internet? Seriously, though the potential for mischief is low, why? I can turn on our ceiling fan with a local remote. My thermostat is programmed, but it’s all internal, no outside data connection. The lights over my driveway come on when I get home. No internet, they are classic motion sensor lights that have been available for decades. I honestly don’t see the POINT of connecting most of these things to the web. I’m not going to be turning my living room lights on when I’m at work.

    And don’t get me started on how absurd things like internet connected refrigerators etc., are IMO. For reference to see who is at my front door I don’t have a doorbell with a camera, I have a window.


    The devices you mention need to be connected to the internet for those who want to control them from outside the home. These devices add convenience and accessibility for some people. Not everyone has the same use cases as you do. If I want to see the cameras around my house, I need internet. If I want to unlock the door to let in the nurse taking care of an elderly relative, it needs an internet connection. Just because you have no need for it, doesn't mean nobody does.
    dewmechasmdysamoriajony0watto_cobra
  • Reply 6 of 18
    dewmedewme Posts: 3,834member
    This is an area that everyone should be aware of, but once you peel back one thin layer below the superficial coverage that finds its way to sites like this one, you really have to make a conscious decision about how deep you really want to dig. Understanding the size and scope of this problem can easily become one's life mission. If you truly believe that Amazon smart speakers or your video doorbell are real problems, even minuscule problems compared to say malicious telephone calls and human engineering scams, you are focusing on a tiny splat of bird poop on an iceberg. It's the iceberg that you should be worried about, especially concerns around the security of critical infrastructure and industrial control systems.

    I'm not saying you should close your eyes and ears and pretend that it will go away. I'm just saying that this particular topic is a huge and ongoing threat and that these discovery bulletins are being released all of the time, going back at least 16 years. You have to decide where to draw the line between awareness and fear. I know plenty of folks who have made this their life's mission and my hope is that their intense focus on this topic as a full time concern means that I can bias my actions around awareness and avoidance in areas that make sense for me at a personal level. All I can do is just keep asking the question, "What does this mean to me and what can I do about it?" So far the only consistently actionable answer, as stated in the article, is to keep all of your devices up to date with the latest firmware and software and be aware of the different types of human engineering scams and how they exploit particular human weaknesses.

    However, if you're tired of getting a reasonably good night's sleep and are hankering for a new source of stress in your life you can bookmark https://us-cert.cisa.gov in your browser and stay up to date on what's currently happening in a larger chunk of the cyber universe in which we live in, even if there isn't a whole lot you can do about it. 
    watto_cobra
  • Reply 7 of 18
    normangnormang Posts: 116member
    The fear-mongering is all the same, you see TV shows that use home devices as ploys for the hacker to do all sort of things, most of which are not remotely possible. 

    You can try and find relatively secure devices, but nothing is impregnable probably, there are devices that in general you may want to avoid..   But in all the years I've had smart devices, I can say that nothing has ever happened to where I think there was some sort of external intrusion.  My Thermostats have not frozen or overheated my home. My lights have not gone off or on by themselves.  My TV's have not gone off the deep end.  

    There is a variety of convenience in deploying these devices, done right, there is probably more of chance that something will go wrong with an appliance than your home being taken over by a hacker..

    edited December 2020 watto_cobra
  • Reply 8 of 18
    Anyone with a HomeKit network should not have any concerns. Your devices are sitting behind a router on a local IP subnet so there is no way for hackers to target your devices directly.  And HomeKit is secure. This is more on an issue for industrial settings where a device might be visible to the internet.
    magman1979chasmwatto_cobra
  • Reply 9 of 18
    MplsPMplsP Posts: 3,278member
    DAalseth said:
    Is anyone with even half a clue about IT surprised by this sort of thing?
    I decided a long time ago that I'd not be having any IoT [redacted] kit in my home. To me, they are a disaster waiting to happen.
    I'm sure that it won't be very long before your home insurance company starts demanding to know if you have things like Smart Doorbells with camera's etc installed. Watch out for insurance rates to rise accordingly.
    I agree completely. The security of these is always been suspect. 
    To me there’s two kinds of IOT things though:
    Smart speakers, room cameras, and other surveillance devices. I don’t own any, and won’t.
    Then there’s things like smart light bulbs, thermostats, light fixtures, and such. I keep asking myself WHY they need to be connected to the internet? Seriously, though the potential for mischief is low, why? I can turn on our ceiling fan with a local remote. My thermostat is programmed, but it’s all internal, no outside data connection. The lights over my driveway come on when I get home. No internet, they are classic motion sensor lights that have been available for decades. I honestly don’t see the POINT of connecting most of these things to the web. I’m not going to be turning my living room lights on when I’m at work.

    And don’t get me started on how absurd things like internet connected refrigerators etc., are IMO. For reference to see who is at my front door I don’t have a doorbell with a camera, I have a window.

    We have a cabin and have an eco bee thermostat connected to the internet. It lets me turn up the heat when we leave so the place is warm when we arrive - that's a convenience. I also have it set to alert me if the temperature drops below 50º so I can prevent the pipes from freezing. That's a safety and property protection issue. I also have door sensors set to alert me so I know if someone has broken in while we're gone.

    I installed a z-wave water sensor in our basement for the sump pump so I can tell if the pump has broken before our basement floods. 'Smart' lights also let us put a light switch in where there wasn't one pre-wired. There are other uses as well, but just because you don't see a use doesn't mean there isn't one.

    chasmwatto_cobra
  • Reply 10 of 18
    dewmedewme Posts: 3,834member
    loopless said:
    Anyone with a HomeKit network should not have any concerns. Your devices are sitting behind a router on a local IP subnet so there is no way for hackers to target your devices directly.  And HomeKit is secure. This is more on an issue for industrial settings where a device might be visible to the internet.
    Anyone who properly safeguards their security credentials and follows recommendations regarding passwords and authentication should not have any major concerns. HomeKit is no more or less vulnerable to breaches caused by failures of “people in the loop” than any other smart home platform. 

    Industrial automation systems are no different, all the firewalls, DMZs, air gaps, and even physical security systems put in place won’t save you from human induced screw ups. The widely discussed Stuxnet breach was caused by someone who had access inside the firewall and DMZ plugging an infected usb drive into their “secure” system. Likewise, some industrial systems are remarkably secure while other are far less so. Since Stuxnet the security posture across the industrial automation and control space has increased dramatically, mostly at the central control level, but there are many legacy challenges to deal with, especially at the individual device level because there are many millions of devices deployed, many of which have zero security. Fortunately many of these devices use obscure communication protocols, not IP based ones that are more difficult to secure. 
    edited December 2020 watto_cobra
  • Reply 11 of 18
    loopless said:
    Anyone with a HomeKit network should not have any concerns. Your devices are sitting behind a router on a local IP subnet so there is no way for hackers to target your devices directly.  And HomeKit is secure. This is more on an issue for industrial settings where a device might be visible to the internet.
    Nothing can be further from the truth.  Although HomeKit is the most secure IoT framework, there is still a security footprint that is open to attack.  Relying on a router for security (especially one that solely relies on NAT) is not the best option — there are many ways to attack through routers and firewalls.

    Vulnerabilities are found every day.  If the device manufacturer doesn’t have a monthly update cycle,  there are probably dozens of security vulnerabilities associated with these devices every year.


    dewmeMplsPexceptionhandler
  • Reply 12 of 18
    chasmchasm Posts: 2,396member
    apple-tx said:
    Nothing can be further from the truth.  Although HomeKit is the most secure IoT framework, there is still a security footprint that is open to attack.  Relying on a router for security (especially one that solely relies on NAT) is not the best option — there are many ways to attack through routers and firewalls.

    I'm calling (partial) BS on this. If you are using a HomeKit **only** devices (HomePod, HomePod mini, AppleTV ...) then that "security footprint that is open to attack" is so small as to be not worth the worry -- unless you're a high-value target, obviously. I have yet to hear of a report of any of these devices being successfully attacked*, though I'm always interested to be wrong if someone passes on a URL or information on that front.

    (*not counting obsolete Apple gear)

    Certainly I agree with you that "relying on routers for security is not the best option" unless you've taken steps to harden them from attack, and this is exactly why I think Apple is missing a great opportunity to trade on their security reputation and develop an all-encrypted router (the recent article about Apple working with Cloudflare gives me some hope on that). Nor do I trust appliances that offer HomeKit *and* other (likely far less secure) IoT protocols. There are a handful of third-party devices that exclusively use HomeKit (for secure video and other things), but until there is a universal standard of the quality of HomeKit I'm pretty leery of adding any non-Apple "smart home" devices.

    PS. People who can't imagine what a doorbell (or thermostat, et al) could possibly reveal about you that you'd care about ... I believe it's the Ring Doorbell that passes on your home's Wi-Fi network password to Amazon. Are you okay with that?
    edited December 2020 iqatedojony0watto_cobra
  • Reply 13 of 18
    Any home with enough buggy IoT devices hooked up to the internet is indistinguishable from a house haunted by a poltergeist.
    watto_cobra
  • Reply 14 of 18
    loopless said:
    Anyone with a HomeKit network should not have any concerns. Your devices are sitting behind a router on a local IP subnet so there is no way for hackers to target your devices directly.  And HomeKit is secure. This is more on an issue for industrial settings where a device might be visible to the internet.
    Anything that’s connected, directly or indirectly, is subject to getting hacked, and Apple devices are no exception. The most secure system in the world is hackable because of a simple bug nobody else saw.
  • Reply 15 of 18
    iqatedoiqatedo Posts: 1,724member
    Last I checked, Apple sells kitchen scales (third party obviously) that talk to an iPhone, which is the only means of accessing information. Initially, only the vendor software was required to connect to the scales. Now, an account with the vendor is required. Totally, totally unnecessary from the customer point of view. I queried Apple but received no response.
    edited December 2020 jony0watto_cobra
  • Reply 16 of 18
    dysamoriadysamoria Posts: 3,430member
    normang said:
    [...]
    There is a variety of convenience in deploying these devices, done right, there is probably more of chance that something will go wrong with an appliance than your home being taken over by a hacker..

    This is enough, all on its own, for me to reject this stuff. Software sucks. It’s almost universally flawed. I don’t need to add MORE software to my daily life. Adding unexpected vulnerabilities to outside assholes is not worth any convenience to me ON TOP of the already typical lack of reliability of software and utter lack of accountability from developers & product sellers.
  • Reply 17 of 18
    chasm said:
    apple-tx said:
    Nothing can be further from the truth.  Although HomeKit is the most secure IoT framework, there is still a security footprint that is open to attack.  Relying on a router for security (especially one that solely relies on NAT) is not the best option — there are many ways to attack through routers and firewalls.

    I'm calling (partial) BS on this. If you are using a HomeKit **only** devices (HomePod, HomePod mini, AppleTV ...) then that "security footprint that is open to attack" is so small as to be not worth the worry -- unless you're a high-value target, obviously. I have yet to hear of a report of any of these devices being successfully attacked*, though I'm always interested to be wrong if someone passes on a URL or information on that front.

    (*not counting obsolete Apple gear)

    Certainly I agree with you that "relying on routers for security is not the best option" unless you've taken steps to harden them from attack, and this is exactly why I think Apple is missing a great opportunity to trade on their security reputation and develop an all-encrypted router (the recent article about Apple working with Cloudflare gives me some hope on that). Nor do I trust appliances that offer HomeKit *and* other (likely far less secure) IoT protocols. There are a handful of third-party devices that exclusively use HomeKit (for secure video and other things), but until there is a universal standard of the quality of HomeKit I'm pretty leery of adding any non-Apple "smart home" devices.

    PS. People who can't imagine what a doorbell (or thermostat, et al) could possibly reveal about you that you'd care about ... I believe it's the Ring Doorbell that passes on your home's Wi-Fi network password to Amazon. Are you okay with that?
    There are so many things wrong with this.  First of all most routers built for the home cannot be hardened as the settings aren't available to the user.  Second, even hardened firewall/routers are exploitable.  If you do not believe this, the CIA/FBI/DoD and every major corporation that have hardened firewalls and routers are hacked all the time.  Hardening a system doesn't remove the security footprint, it reduces it.

    Also, there have been flaws found in home kit and home kit devices: https://www.theguardian.com/technology/2017/dec/08/apple-fixes-homekit-bug-remote-unlocking-doors-security-flaw-iphone-ipad-ios-112-smart-lock-home.  Here is the the update log to a philips hue hub (home kit compatible) and you will see security updates: https://www.philips-hue.com/en-us/support/release-notes/bridge.

    Most devices/computers that use uniform of TLS/SSL use Openssl.  Openssl has had some major security flaws the last few years (heartbleed was a huge one).  There were also major security flaws found in the protocols themselves: SSL 3.0 (poodle) and TLS 1.0 are considered too flawed for use now. Openssl security vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html

    The point of this is every computing device has security flaws and a lot of these IoT devices use common open source software (apache/openssl) that aren't patched in regular intervals.  The goal of a hacker wouldn't be to take over your thermostat and control your temperature, the goal would be for the hacker to use your thermostat to take over your network.
  • Reply 18 of 18
    I’d like to add that I don’t trust these IoT devices, but do see value in their convenience. Which is why I don’t allow them access over the internet and have them segregated on their own network.  I do occasionally access them remotely over a personal vpn, which is the only way I’ve defined access to them.  While this may be more secure than what most are willing to do, this is predicated that there are no vulnerabilities in the vpn (client or server), router, firewalls, and any other network equipment.  Heck most people’s off the shelf wifi routers are just as hackable as these IoT devices.  All this to say, set things up properly, so you’re not the lowest hanging fruit, and you’ll typically be fine.
    apple-txwatto_cobra
Sign In or Register to comment.