Thirty-three vulnerabilities in open-source TCP/IP stacks often buried deep in internet-connected devices may cause years of issues for hundreds of manufacturers, and business and home customers alike.
Further complicating matters, manufacturers who are affected may not immediately know their devices are at risk.
The package of vulnerabilities, discovered by researchers at Forescout and dubbed Amnesia-33, are buried deep in the supply chain: third-party software used in components assembled into everything from printers to picosatellites, smart plugs and operational technology equipment.
“Many vendors have been willing to work on mitigating the vulnerabilities,” said Elisa Costante, vice president of research at Forescout. “But some of the vendors we’ve spoken to are still trying to figure out if they are impacted.”
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is expected to make a public announcement about the issue today, and has been working with manufacturers behind the scenes on disclosure.
Forescout was able to identify 158 different manufacturers using the vulnerable stacks through internet scans and estimates the amount of vulnerable devices totals in the millions. The numbers are inexact – not all vulnerable systems are connected to the internet and not all usage will show up on search.
Amnesia-33 was discovered by Forescout’s Project Memoria in an audit of open source TCP/IP. They tested a total of seven stacks, finding vulnerabilities in four: uIP, Nut/Net, FNET and PicoTCP. Those stacks are either installed directly or indirectly through operating systems including Contiki and NutOS onto systems on a chip, boards, microcontrollers and other hardware used in making devices. For example, the MediaTek MT7681 WiFI module is popular, vulnerable and used by several manufacturers in commercial products.
The three stacks that Forescout tested without discovering vulnerabilities are IwIP, CycloneTCP and uC/TCP-IP.
But the vulnerabilities they did find range to the severe. There are vulnerabilities leading to remote code execution, several options for denial of service, and information leakage.
Costante believes that some of the problem stems from vagaries in the technical specifications for TCP/IP, which could be cleared up.
Addressing vulnerabilities in components is a longstanding problem in the IoT space, said Brad Ree, chief technology officer of the internet of things industry standards group, the ioXt Alliance.
"The issue is manufacturers with limited or no transparency into their supply chains. This, and similar problems, will impact companies potentially for years. Beyond that, some device manufacturers – especially those in connected products -– may go out of business or move onto other products, leaving consumers with no clue of what to do," he wrote in an email.
"It is critical that device manufacturers maintain a software bill of materials for their products and require the same of their vendors, so problems like this don’t exist in the future," he added, referring to a best practice for vendors to provide a list of all the third-party products in a device to help vendors and users determine exposure.
By running the disclosure through CISA’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, Forescout does not have full visibility into how vendors are approaching mitigation. Costante did say that they have heard from around 10 vendors who contacted Forescout for assistance. And she doesn’t expect those requests to stop.
“It’s not over,” she said. “I told my team, ‘don’t start any new projects.’
