Millions of IoT Devices Open to Hacker Hijacking

New research shows that security flaws affecting upwards of 100 million smart devices and industrial machines could allow a hacker to hijack the products or knock them offline.

Nine different vulnerabilities were recently discovered by researchers with security firm Forescout, who have dubbed them “NAME:WRECK,” for the way in which they affect the Domain Name System (DNS) protocol. The vulns are in four different TCP/IP stacks, including Nucleus NET, FreeBSD, NetX, and IPnet, all of which are used widely by IoT and industrial devices.

(For reference, TCP/IP stacks—which stands for “Transmission Control Protocol/ Internet Protocol”—are systems of rules implemented in software and hardware that ensure consistent and standardized data transmission over networks. So exploiting such stacks could lead to some pretty tricky business, indeed.)

In this case, the vulnerabilities are tied up with the way in which DNS protocols are executed. Hypothetically, attacks could exploit the DNS bugs and lead to remote code execution on vulnerable devices, or denial-of-service attacks, the report claims.

Although not all devices running these protocols are necessarily vulnerable to abuse, the security flaws could still affect an astronomical amount of devices, according to researchers: “If we conservatively assume that 1% of the more than 10 billion deployments discussed above are vulnerable, we can estimate that at least 100 million devices are impacted by NAME:WRECK,” the report claims.

The stacks are used so widely across such a variety of sectors and industries that it would be somewhat difficult to pin down a “master list” of all of the products that might be affected. Healthcare, defense and aerospace, retail, communications and networking, and pretty much every other industry you can think of may be affected. In the case of NetX, for instance, the vulnerabilities, if left unpatched, could potentially affect everything from HTC wearable fitness products to a variety of healthcare patient monitors to, apparently, “the NASA Mars Reconnaissance Orbiter,” the report claims.

So, what to do? In a case like this, patching works in a sort of trickle-down fashion: after a stack developer issues a patch, it then falls to all of the device vendors who use that stack to issue their own. Customers must then integrate the new protections into their individual devices themselves. So while the affected stack developers have by now all issued patches, a subsequent process of adding protections exists both for vendors and consumers.

For industrial sectors, the report suggests that the patching process may be a particularly arduous, time-consuming one—as sorting through the milieu of affected devices and device components, then properly compelling organizations that rely on those machines to issue patches, is not always the easiest of tasks.

“For the typical consumer, it’s really a matter of waiting for the patches and keeping an eye out for what the vendors will say and for the vulnerabilities that exist,” said Daniel dos Santos, head of research with Forescout, in a phone call. “One of the challenges we have is awareness of these issues,” he said. “That is one of the big parts of our mission—to let people know what’s going on.”