Skip to main content

Millions of IoT devices could be vulnerable to these unfixable security bugs

IoT devices
(Image credit: Shutterstock)
Audio player loading…

IoT (opens in new tab) devices may in fact end up being the asbestos of the future (opens in new tab) after all as new research from Forescout has revealed that there are 33 new memory-corrupting vulnerabilities which affect millions of connected devices around the world.

These flaws impact four open source TCP/IP stacks (uIP, PicoTCP, FNET, and Nut/Net) which serve as the foundational components of millions of connected devices including smart home sensors and lights, barcode readers, building automation systems, enterprise network equipment and even industrial control systems. 

Researchers at Forescout (opens in new tab) will present their findings on these new vulnerabilities, which they have dubbed Amnesia:33, at this year's Black Hat Europe security conference. The researchers estimate that millions of devices from over 150 vendors likely contain the vulnerabilities that could expose embedded devices to denial of service attacks, remote code execution, information leak, DNS cache poisioning and even total takeover.

To make matters worse, patching all of the affected devices will be near impossible as they're all built on open source stacks that have been modified and republished multiple times over the years.

Amnesia:33

Using open source software (opens in new tab) components can certainly have its benefits but in this case, it will be extremely difficult for IoT device manufacturers to patch their products and distribute these updates to users.

VP of research at Forescout Elisa Costante provided further insight on the potential impact of Amnesia:33 to Wired (opens in new tab), saying:

"What scares me the most is that it’s very difficult to understand how big the impact is and how many more vulnerable devices are out there. These vulnerable stacks are open source, so everybody can take them and use them and you can document it or not. The 150 we have so far are the ones we could find that were documented. But I'm sure there are tons and tons of other vulnerable devices that we just don't know about yet."

By exploiting any of the Amnesia:33 vulnerabilities, an attacker could take full control of a connected device and use it as an entry point on a network, a pivot point for lateral movement, a persistence point on the target network or as the final target of an attack.

Enterprise organizations are at risk from Amnesia:33 as they could have their corporate networks compromised while consumers could see their IoT devices used as part of a botnet (opens in new tab) without their knowledge due to an attacker exploiting these vulnerabilities. At this time though, it's still difficult to gauge the full impact of Amnesia:33 because the vulnerable stacks are so wide spread, highly modular and are often incorporated in embedded components such as systems-on-a-chip (SoCs (opens in new tab)) used by device manufacturers.

We'll likely find out more about the full impact of Amnesia:33 once Forescout presents its findings at Black Hat Europe and others in the cybersecurity community begin their own investigations into the matter.

Via Wired (opens in new tab)

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.