Microsoft researchers have discovered multiple memory allocation and remote code execution vulnerabilities in the operating systems for a wide range of commercial, medical and operational technology Internet of Things devices.
According to the IoT security team at the Microsoft Security Response Center, the flaws affect at least 25 different products made by more than a dozen organizations, including Amazon, ARM, Google Cloud, Samsung, RedHat, Apache and others. As of now, exploits leveraging the vulnerabilities haven’t been spotted in the wild, but they offer potential attackers a broad surface area to do damage.
“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds,” Microsoft wrote.
According to an overview compiled by the Cybersecurity and Infrastructure Security Agency, 17 of the affected product already have patches available, while the rest either have updates planned or are no longer supported by the vendor and won’t be patched. See here for a list of impacted products and patch availability.
Where patching isn’t available, Microsoft advises organizations to implement network segmentation, eliminate unnecessary to operational technology control systems, use (properly configured and patched) VPNs with multifactor authentication and leverage existing automated network detection tools to monitor for signs of malicious activity.
While the scope of the vulnerabilities across such a broad range of different products is noteworthy, such security holes are common with connected devices, particularly in the commercial realm. Despite billions of IoT devices flooding offices and homes over the past decade, there remains virtually no universally agreed-upon set of security standards – voluntary or otherwise – to bind manufacturers. As a result, the design and production of many IoT products end up being dictated by other pressures, such as cost and schedule.
“The issue is that smaller, faster, cheaper is not very compatible with secure,” said Keith Gremban, program manager within the Office of the Under Secretary of Defense for Research and Engineering and the Department of Defense, in an interview with SC Media earlier this month. “Picture a start-up trying to get a product out the door. They’ve got a [venture capital firm] looking over their shoulder, anxious for return on investment, they’ve got the competition breathing down their necks. Are they going to delay product release by six months to make the product secure? Will the VC let them do that?”
Such devices are also notoriously difficult to track, and many organizations tend to have at least a few rogue connected devices from employees or past projects lurking on their network that go unnoticed and unpatched. Jeremy Brown, vice president of threat analysis at Trinity Cyber, said there’s “a lot of power in the future” for companies or solutions that can detect and locate such devices to turn them off or get them patched properly.
“Success stories will [involve] reducing the spread of botnets via the careful control of network traffic; and if you can solve for an authentication problem where you know an IoT device is speaking to a trusted place on the internet, the challenge at that point is how are you verifying what’s going on between the device and the trusted place,” said Brown. For the most part if you have the ability to stop or change that, you’ll make a really meaningful impact on these widescale [botnet and ransomware] attacks…where we see someone’s toaster in Missouri become a ransomware vehicle.”
Operational technology devices, hardware and machinery that connect to the internet and support medical facilities, enterprise businesses or critical infrastructure, differ substantially in their challenges from their commercial brethren. There are often technical obstacles to patching or updating, and any downtime has the potential to carry more direct or serious consequences for the delivery of medical care, power, water and other essential services.