Researchers discover 33 vulnerabilities affecting 'millions' of IoT, smart home devices

Credit: Malcolm Owen, AppleInsider

Cybersecurity researchers have discovered a slew of vulnerabilities included in foundational, open source software used in "millions" of smart home and IoT devices.

The 33 vulnerabilities, disclosed by cybersecurity firm Forescout, impact four open source TCP/IP stacks that are used in devices created by more than 150 vendors. Together, the 33 vulnerabilities, which include four critical security flaws, are dubbed "AMNESIA:33."

According to Forescout, the vulnerabilities cause memory corruption, which could allow attackers to compromise devices, execute malicious code, steal sensitive information, and perform denial-of-service attacks.

Most of the affected devices are consumer-facing products like remote temperature sensors and cameras. However, they can range from simple smart plugs and office routers, to industrial control system components and healthcare appliances.

The seriousness of the flaws, as well as their widespread nature, lead the Cybersecurity and Infrastructure Security Agency to issue a bulletin advising users and manufacturers of the threat. It recommended defensive measures such as removing critical infrastructure from the internet.

Despite the potential for exploitation, CISA noted that there does not appear to be any active public exploits specifically targeting these vulnerabilities in the wild.

However, one of the worrying aspects of the vulnerabilities is the fact that they exist in open source software, Forescout said. That could mean addressing them much more difficult, since open source software is often maintained by volunteers and some of the vulnerable code is two decades old.

It'll be up to device manufacturers to identify and patch the vulnerabilities. Though, because some of the compromised code exists in a third-party component, the component's use must have been documented for device makers to know that it's there.

Forescout alerted U.S., German, and Japanese cybersecurity authorities in addition to as many of the device vendors that it could.

A full list of the affected devices has yet to be released. The list is said to include Siemens, Genetec, Devolo, NT-Ware, Microchip, and Nanotec.

It's recommended that users with smart home devices check the manufacturer's website for the latest patch and security information. Beyond that, it'll mostly be up to manufacturers to mitigate and resolve the issue.

Apple's HomeKit protocol itself isn't affected by the security flaws. However, many devices utilize more than one networking protocol or have multiple home automation system compatibilities, and as such, may be vulnerable to attack should one manifest.

Follow AppleInsider on Google News

18 Comments

rotateleftbyte

said about 3 years ago

Is anyone with even half a clue about IT surprised by this sort of thing?

I decided a long time ago that I'd not be having any IoT [redacted] kit in my home. To me, they are a disaster waiting to happen.

I'm sure that it won't be very long before your home insurance company starts demanding to know if you have things like Smart Doorbells with camera's etc installed. Watch out for insurance rates to rise accordingly.

mark fearing

said about 3 years ago

Some are more insecure than others. But they have hardly any penetration into homes (total population in the US that has smart devices is what?) Insurance companies won't really care if you have a doorbell cam for a very long time. And most people's garbage is a bigger security risk unless you have gone full nuts and shred everything and remove your finger prints from soda cans. And what about ANY Amazon device? Smart speakers, and 'internet ready' TV's are the worst culprits for poor network security measures.

maestro64

said about 3 years ago

Okay I get using IoT devices to initiate a DOS attach, beyond this not sure how dangerous they can be, unless they going to unplug themselves and attack me.

However, not sure most of my IoT devices can tell anyone about me, most do not require any sort of login credential the ones that do, i use a throw away email account and a randomly made up password. All my computer on my home network are macs and we know how hard it is to hack them unless you have direct access to the computer.

Yes in theory they can do all kinds of things under perfect circumstance, but in reality does anyone know if they will take over your home and make you do things you not want to do. Seriously if my lights start blinking when they should not, the device is getting tossed or reset.

DAalseth

said about 3 years ago

rotateleftbyte said:

Is anyone with even half a clue about IT surprised by this sort of thing?
I decided a long time ago that I'd not be having any IoT [redacted] kit in my home. To me, they are a disaster waiting to happen.
I'm sure that it won't be very long before your home insurance company starts demanding to know if you have things like Smart Doorbells with camera's etc installed. Watch out for insurance rates to rise accordingly.

I agree completely. The security of these is always been suspect.
To me there’s two kinds of IOT things though:
Smart speakers, room cameras, and other surveillance devices. I don’t own any, and won’t.
Then there’s things like smart light bulbs, thermostats, light fixtures, and such. I keep asking myself WHY they need to be connected to the internet? Seriously, though the potential for mischief is low, why? I can turn on our ceiling fan with a local remote. My thermostat is programmed, but it’s all internal, no outside data connection. The lights over my driveway come on when I get home. No internet, they are classic motion sensor lights that have been available for decades. I honestly don’t see the POINT of connecting most of these things to the web. I’m not going to be turning my living room lights on when I’m at work.

And don’t get me started on how absurd things like internet connected refrigerators etc., are IMO. For reference to see who is at my front door I don’t have a doorbell with a camera, I have a window.

mike1

said about 3 years ago

DAalseth said:

rotateleftbyte said:

Is anyone with even half a clue about IT surprised by this sort of thing?
I decided a long time ago that I'd not be having any IoT [redacted] kit in my home. To me, they are a disaster waiting to happen.
I'm sure that it won't be very long before your home insurance company starts demanding to know if you have things like Smart Doorbells with camera's etc installed. Watch out for insurance rates to rise accordingly.

I agree completely. The security of these is always been suspect.
To me there’s two kinds of IOT things though:
Smart speakers, room cameras, and other surveillance devices. I don’t own any, and won’t.
Then there’s things like smart light bulbs, thermostats, light fixtures, and such. I keep asking myself WHY they need to be connected to the internet? Seriously, though the potential for mischief is low, why? I can turn on our ceiling fan with a local remote. My thermostat is programmed, but it’s all internal, no outside data connection. The lights over my driveway come on when I get home. No internet, they are classic motion sensor lights that have been available for decades. I honestly don’t see the POINT of connecting most of these things to the web. I’m not going to be turning my living room lights on when I’m at work.

And don’t get me started on how absurd things like internet connected refrigerators etc., are IMO. For reference to see who is at my front door I don’t have a doorbell with a camera, I have a window.

The devices you mention need to be connected to the internet for those who want to control them from outside the home. These devices add convenience and accessibility for some people. Not everyone has the same use cases as you do. If I want to see the cameras around my house, I need internet. If I want to unlock the door to let in the nurse taking care of an elderly relative, it needs an internet connection. Just because you have no need for it, doesn't mean nobody does.