Researchers at the cybersecurity firm Forescout published a new whitepaper on Tuesday detailing how 33 security flaws baked into a handful of widely used code libraries could have catastrophic consequences for millions of internet-connected devices, running the gamut from smart home and industrial tech, to devices in hospitals, retailers, and federal buildings.
The issue here, per the team behind the paper, lies with four separate open-source bundles of code: uIP, FNET, picoTCP, and Nut/Net. Adding one of these libraries to a device allows it to hook onto certain communication protocols and communicate with other machines. And because they’re free-to-use and fully open source, these libraries have become pretty popular over the years, which is a boon for developers looking to get these devices out the door quickly and cheaply. It also means when these kinds of vulnerabilities come to light (as they have in the past), the impact is that much more dramatic.
“Amnesia:33"—as the team collectively calls this gaggle of vulnerabilities—hasn’t been exploited out in the wild yet as far as they know. That said, a determined enough attacker with a clear communication path to a vulnerable device could exploit one or more of these issues issues to slam the device with a denial-of-service attack, or force the device to leak potentially sensitive internal data. Four of the more “critical” security flaws open devices up to remote code execution.
To get the full picture of the number of devices using these vulnerable open-source protocols, the Forescout team tapped into data from both its customer base, and from IoT search engines like Shodan and Censys. In total, the team counted devices from over 150 vendors at risk for this particular raft of exploits—though with the caveat that getting the full scope of this issue is pretty difficult, simply because there’s so many devices in so many categories that rely on these particular code libraries to some degree.
You might be wondering why the four stacks involved don’t just issue a round of security patches to put this issue to bed. But as the Forescout team explained in a ThreatPost interview, component manufacturers have spent the past two decades plugging different parts of these four free-to-use libraries into code bundles of their own—which then end up inside devices. Due to a broken link in the supply chain, device manufacturers using off-the-shelf parts may not realize bits of a vulnerable codebase are installed on a WiFi module they’re sourcing.
The result is a problem of nearly inestimable impact.
Forescout does recommend some best practices in their whitepaper, but ultimately, this is going to be an issue that at best gets slowly fixed, piecemeal, by each company currently using these codebases.