Posted on December 8, 2020 at 4:04 PM
Researchers Say Millions of IoT Devices Are At Risk of Attack
The vulnerability of the Internet of Things (IoT) devices has been a thing of concern in recent times. That’s because most of these devices do not follow strong security protocols when manufactured.
Security researchers at security firm Forescout have become the latest group of experts to highlight these flaws. According to the researchers, the smart device flaws can be exploited by hackers looking to infiltrate home or business computers.
There have been repeated warnings about the high risk of using cheap and generic IoT devices. They are potentially able to harbor vulnerabilities and expose millions of users to hacking attacks.
The Forescout security researchers have pointed out three flaws in open source internet protocol, which can expose millions of IoT devices, leading to cyberattacks.
The affected devices with potential vulnerability include building automation systems, enterprise network equipment, barcode readers, smart home lights and sensors, as well as industrial control equipment.
According to the researchers, these types of devices can harbor vulnerabilities that are almost impossible to correct.
As a result, they can open the door for attackers to exploit and gain access to a wide array of networks, the researchers revealed.
The Forescout researchers will provide details of their research at the Black Hat Europe security conference tomorrow. The researchers plan to provide details of the vulnerabilities in 7 open sources “TCP/IP stacks.”
According to the researchers, who called the vulnerabilities Amnesia 33 since there are 33 different vulnerabilities, there are millions of such likely affected devices from over 150 vendors.
“These situations are just such a ridiculous mess,” they explained in a report.
Some Of The Flaws Are Two Decades Old
It is very complicated to fix the vulnerabilities without damaging the device’s functionality. Also, the fact that no one has a sole right over open-source software makes it even more difficult to fix.
Vice President of research at Forescout Elisa Constante revealed that volunteers usually main such codes. She further pointed out that some of the flawed TCP/IP codes are more than 20 years old, and some of them are no longer supported by their developers.
Due to their obsoleteness, the device manufacturers have to bear the responsibility of providing a patch for the device.
However, many of them do not want to take that step because of the time-consuming nature and high-expense in the act.
If the vulnerabilities are not patched, they could give hackers access to open DDoS attacks. Threat actors can even deliver malware or ransomware that can hijack devices and list them zombie nets, according to the researchers.
Home networks could even be more compromised as a lot of employees are working from home as a means of curbing the spread of the coronavirus.
And when the home networks are compromised, they can be used as links to infiltrate corporate networks through remote-access connection.
After concluding the research on the devices, the Forescout researchers contacted many of the vendors and told them about the flaws. However, the researchers could not identify all the affected devices as it was practically impossible to do so. The researchers also alerted Japanese, German, and US computer security authorities.
Minimizing the Risk Of Getting A Vulnerable Device
Costante also said the main issue is to understand the extent of vulnerability on the devices and the number of devices that have been affected. But she noted that the numbers of affected devices could reach millions, considering the number of vendors impacted.
In some cases, the security researchers discovered that the flaw in a wide range of devices can be traced to one SoC manufacturer that no longer manufactures the device. This means that no one is available to provide a patch for such devices, and all users of the devices will have to live with the vulnerable device or discontinue its use.
Security researchers have always warned users about the security risk of buying cheap and poorly made smart devices. These types of devices are more vulnerable, especially those old models.
They advised that users should stick with trusted manufacturers and never to buy devices that are not recently manufactured.