Researchers discover 33 vulnerabilities affecting 'millions' of IoT, smart home devices
Cybersecurity researchers have discovered a slew of vulnerabilities included in foundational, open source software used in "millions" of smart home and IoT devices.
Credit: Malcolm Owen, AppleInsider
The 33 vulnerabilities, disclosed by cybersecurity firm Forescout, impact four open source TCP/IP stacks that are used in devices created by more than 150 vendors. Together, the 33 vulnerabilities, which include four critical security flaws, are dubbed "AMNESIA:33."
According to Forescout, the vulnerabilities cause memory corruption, which could allow attackers to compromise devices, execute malicious code, steal sensitive information, and perform denial-of-service attacks.
Most of the affected devices are consumer-facing products like remote temperature sensors and cameras. However, they can range from simple smart plugs and office routers, to industrial control system components and healthcare appliances.
The seriousness of the flaws, as well as their widespread nature, lead the Cybersecurity and Infrastructure Security Agency to issue a bulletin advising users and manufacturers of the threat. It recommended defensive measures such as removing critical infrastructure from the internet.
Despite the potential for exploitation, CISA noted that there does not appear to be any active public exploits specifically targeting these vulnerabilities in the wild.
However, one of the worrying aspects of the vulnerabilities is the fact that they exist in open source software, Forescout said. That could mean addressing them much more difficult, since open source software is often maintained by volunteers and some of the vulnerable code is two decades old.
It'll be up to device manufacturers to identify and patch the vulnerabilities. Though, because some of the compromised code exists in a third-party component, the component's use must have been documented for device makers to know that it's there.
Forescout alerted U.S., German, and Japanese cybersecurity authorities in addition to as many of the device vendors that it could.
A full list of the affected devices has yet to be released. The list is said to include Siemens, Genetec, Devolo, NT-Ware, Microchip, and Nanotec.
It's recommended that users with smart home devices check the manufacturer's website for the latest patch and security information. Beyond that, it'll mostly be up to manufacturers to mitigate and resolve the issue.
Apple's HomeKit protocol itself isn't affected by the security flaws. However, many devices utilize more than one networking protocol or have multiple home automation system compatibilities, and as such, may be vulnerable to attack should one manifest.
Credit: Malcolm Owen, AppleInsider
The 33 vulnerabilities, disclosed by cybersecurity firm Forescout, impact four open source TCP/IP stacks that are used in devices created by more than 150 vendors. Together, the 33 vulnerabilities, which include four critical security flaws, are dubbed "AMNESIA:33."
According to Forescout, the vulnerabilities cause memory corruption, which could allow attackers to compromise devices, execute malicious code, steal sensitive information, and perform denial-of-service attacks.
Most of the affected devices are consumer-facing products like remote temperature sensors and cameras. However, they can range from simple smart plugs and office routers, to industrial control system components and healthcare appliances.
The seriousness of the flaws, as well as their widespread nature, lead the Cybersecurity and Infrastructure Security Agency to issue a bulletin advising users and manufacturers of the threat. It recommended defensive measures such as removing critical infrastructure from the internet.
Despite the potential for exploitation, CISA noted that there does not appear to be any active public exploits specifically targeting these vulnerabilities in the wild.
However, one of the worrying aspects of the vulnerabilities is the fact that they exist in open source software, Forescout said. That could mean addressing them much more difficult, since open source software is often maintained by volunteers and some of the vulnerable code is two decades old.
It'll be up to device manufacturers to identify and patch the vulnerabilities. Though, because some of the compromised code exists in a third-party component, the component's use must have been documented for device makers to know that it's there.
Forescout alerted U.S., German, and Japanese cybersecurity authorities in addition to as many of the device vendors that it could.
A full list of the affected devices has yet to be released. The list is said to include Siemens, Genetec, Devolo, NT-Ware, Microchip, and Nanotec.
It's recommended that users with smart home devices check the manufacturer's website for the latest patch and security information. Beyond that, it'll mostly be up to manufacturers to mitigate and resolve the issue.
Apple's HomeKit protocol itself isn't affected by the security flaws. However, many devices utilize more than one networking protocol or have multiple home automation system compatibilities, and as such, may be vulnerable to attack should one manifest.
Comments
However, not sure most of my IoT devices can tell anyone about me, most do not require any sort of login credential the ones that do, i use a throw away email account and a randomly made up password. All my computer on my home network are macs and we know how hard it is to hack them unless you have direct access to the computer.
Yes in theory they can do all kinds of things under perfect circumstance, but in reality does anyone know if they will take over your home and make you do things you not want to do. Seriously if my lights start blinking when they should not, the device is getting tossed or reset.
To me there’s two kinds of IOT things though:
Smart speakers, room cameras, and other surveillance devices. I don’t own any, and won’t.
Then there’s things like smart light bulbs, thermostats, light fixtures, and such. I keep asking myself WHY they need to be connected to the internet? Seriously, though the potential for mischief is low, why? I can turn on our ceiling fan with a local remote. My thermostat is programmed, but it’s all internal, no outside data connection. The lights over my driveway come on when I get home. No internet, they are classic motion sensor lights that have been available for decades. I honestly don’t see the POINT of connecting most of these things to the web. I’m not going to be turning my living room lights on when I’m at work.
And don’t get me started on how absurd things like internet connected refrigerators etc., are IMO. For reference to see who is at my front door I don’t have a doorbell with a camera, I have a window.
The devices you mention need to be connected to the internet for those who want to control them from outside the home. These devices add convenience and accessibility for some people. Not everyone has the same use cases as you do. If I want to see the cameras around my house, I need internet. If I want to unlock the door to let in the nurse taking care of an elderly relative, it needs an internet connection. Just because you have no need for it, doesn't mean nobody does.
I'm not saying you should close your eyes and ears and pretend that it will go away. I'm just saying that this particular topic is a huge and ongoing threat and that these discovery bulletins are being released all of the time, going back at least 16 years. You have to decide where to draw the line between awareness and fear. I know plenty of folks who have made this their life's mission and my hope is that their intense focus on this topic as a full time concern means that I can bias my actions around awareness and avoidance in areas that make sense for me at a personal level. All I can do is just keep asking the question, "What does this mean to me and what can I do about it?" So far the only consistently actionable answer, as stated in the article, is to keep all of your devices up to date with the latest firmware and software and be aware of the different types of human engineering scams and how they exploit particular human weaknesses.
However, if you're tired of getting a reasonably good night's sleep and are hankering for a new source of stress in your life you can bookmark https://us-cert.cisa.gov in your browser and stay up to date on what's currently happening in a larger chunk of the cyber universe in which we live in, even if there isn't a whole lot you can do about it.
You can try and find relatively secure devices, but nothing is impregnable probably, there are devices that in general you may want to avoid.. But in all the years I've had smart devices, I can say that nothing has ever happened to where I think there was some sort of external intrusion. My Thermostats have not frozen or overheated my home. My lights have not gone off or on by themselves. My TV's have not gone off the deep end.
There is a variety of convenience in deploying these devices, done right, there is probably more of chance that something will go wrong with an appliance than your home being taken over by a hacker..
I installed a z-wave water sensor in our basement for the sump pump so I can tell if the pump has broken before our basement floods. 'Smart' lights also let us put a light switch in where there wasn't one pre-wired. There are other uses as well, but just because you don't see a use doesn't mean there isn't one.
Vulnerabilities are found every day. If the device manufacturer doesn’t have a monthly update cycle, there are probably dozens of security vulnerabilities associated with these devices every year.
Also, there have been flaws found in home kit and home kit devices: https://www.theguardian.com/technology/2017/dec/08/apple-fixes-homekit-bug-remote-unlocking-doors-security-flaw-iphone-ipad-ios-112-smart-lock-home. Here is the the update log to a philips hue hub (home kit compatible) and you will see security updates: https://www.philips-hue.com/en-us/support/release-notes/bridge.
Most devices/computers that use uniform of TLS/SSL use Openssl. Openssl has had some major security flaws the last few years (heartbleed was a huge one). There were also major security flaws found in the protocols themselves: SSL 3.0 (poodle) and TLS 1.0 are considered too flawed for use now. Openssl security vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html
The point of this is every computing device has security flaws and a lot of these IoT devices use common open source software (apache/openssl) that aren't patched in regular intervals. The goal of a hacker wouldn't be to take over your thermostat and control your temperature, the goal would be for the hacker to use your thermostat to take over your network.