Cybersecurity researchers have discovered a slew of vulnerabilities in foundational open source software used in "millions" of smart home and IoT devices.
The 33 vulnerabilities, disclosed by cybersecurity firm Forescout, affect four open source TCP/IP stacks (uIP, FNET, picoTCP, and Nut/Net) that are used in devices from more than 150 vendors. Together, the 33 vulnerabilities, four of which are rated critical, are dubbed "AMNESIA:33."
According to Forescout, most of the vulnerabilities are memory corruption bugs in the code that parses incoming network packets, so a malformed packet could allow attackers to compromise a device, execute malicious code, leak sensitive information from memory, or knock the device offline in a denial-of-service attack.
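To show what that bug class looks like in practice, here is an added example (not Forescout's code, and not any of the 33 disclosed flaws) of a simplified TCP-option-style option walk in two forms: the unchecked version that trusts the length octet in the packet, and a bounds-checked rewrite. The packet bytes are constructed for the demonstration, and the option format, the `OPT_DATA_MAX` limit and the error codes are assumptions of this example rather than anything from the affected stacks.

```c
/* Added example: unchecked vs bounds-checked option parsing.
 * Constructed packets; not code from any of the affected TCP/IP stacks. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_END      0          /* end of option list */
#define OPT_NOP      1          /* single-octet padding */
#define OPT_DATA_MAX 8          /* assumed capacity of the per-option buffer */

enum { OPT_TRUNCATED = -1, OPT_BAD_LENGTH = -2, OPT_TOO_LONG = -3 };

/* Unchecked walk: the length octet is read and used without comparing it to
 * the packet length or the destination size. A length larger than
 * OPT_DATA_MAX + 2 overflows `data` (stack smash); a length that runs past
 * `len` reads beyond the packet (information leak); a length below 2 makes
 * `olen - 2` wrap to a huge memcpy size. Never call this on untrusted input. */
int walk_options_unchecked(const uint8_t *pkt, size_t len)
{
    uint8_t data[OPT_DATA_MAX];
    int count = 0;
    size_t i = 0;
    while (i < len && pkt[i] != OPT_END) {
        if (pkt[i] == OPT_NOP) { i++; continue; }
        size_t olen = pkt[i + 1];              /* may already be past the end */
        memcpy(data, &pkt[i + 2], olen - 2);   /* attacker-controlled size */
        count++;
        i += olen;
    }
    return count;
}

/* Bounds-checked walk: every read is validated against `len` before it
 * happens, and the copy is capped by the destination size. Returns the
 * number of options parsed, or a negative error code. */
int walk_options_checked(const uint8_t *pkt, size_t len)
{
    uint8_t data[OPT_DATA_MAX];
    int count = 0;
    size_t i = 0;
    while (i < len && pkt[i] != OPT_END) {
        if (pkt[i] == OPT_NOP) { i++; continue; }
        if (i + 1 >= len)            return OPT_TRUNCATED;  /* no room for length octet */
        size_t olen = pkt[i + 1];
        if (olen < 2)                return OPT_BAD_LENGTH; /* kind + length are mandatory */
        if (olen > len - i)          return OPT_TRUNCATED;  /* claims more than the packet has */
        if (olen - 2 > OPT_DATA_MAX) return OPT_TOO_LONG;   /* would overflow `data` */
        memcpy(data, &pkt[i + 2], olen - 2);
        count++;
        i += olen;
    }
    return count;
}

/* Constructed test packets (not captured traffic). Kind 2 = MSS-like option. */
const uint8_t good_pkt[]      = { 1, 2, 4, 0x05, 0xb4, 0 };      /* NOP, MSS=1460, END */
const uint8_t truncated_pkt[] = { 2 };                           /* kind with no length octet */
const uint8_t overlong_pkt[]  = { 2, 0xff, 0xde, 0xad };         /* length 255 in 4 bytes */
const uint8_t zero_len_pkt[]  = { 2, 0, 0 };                     /* length 0 */
const uint8_t big_opt_pkt[]   = { 3, 12, 1,2,3,4,5,6,7,8,9,10, 0 }; /* 10 data bytes > 8 */

int main(void)
{
    printf("good:      %d\n", walk_options_checked(good_pkt, sizeof good_pkt));
    printf("truncated: %d\n", walk_options_checked(truncated_pkt, sizeof truncated_pkt));
    printf("overlong:  %d\n", walk_options_checked(overlong_pkt, sizeof overlong_pkt));
    printf("zero len:  %d\n", walk_options_checked(zero_len_pkt, sizeof zero_len_pkt));
    printf("big opt:   %d\n", walk_options_checked(big_opt_pkt, sizeof big_opt_pkt));
    /* walk_options_unchecked is deliberately only run on the well-formed packet */
    printf("unchecked on good packet: %d\n",
           walk_options_unchecked(good_pkt, sizeof good_pkt));
    return 0;
}
```

The checked version rejects each malformed packet with a distinct error before touching memory it should not, which is the whole difference between a parser that drops a bad packet and one that hands an attacker a write primitive. The order of the checks matters: `olen > len - i` is evaluated only after `i < len` has been established by the loop condition, so the subtraction cannot underflow.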
Most of the affected devices are consumer-facing products like remote temperature sensors and cameras. However, they can range from simple smart plugs and office routers, to industrial control system components and healthcare appliances.
The seriousness of the flaws, as well as their widespread nature, led the Cybersecurity and Infrastructure Security Agency (CISA) to issue a bulletin advising users and manufacturers of the threat. It recommended defensive measures such as keeping control system and critical infrastructure devices off the internet and isolating them behind firewalls.
Despite the potential for exploitation, CISA noted that there do not appear to be any known public exploits specifically targeting these vulnerabilities in the wild.
However, one of the worrying aspects of the vulnerabilities is the fact that they exist in open source software, Forescout said. That could make addressing them much more difficult, since open source software is often maintained by volunteers and some of the vulnerable code is two decades old.
It'll be up to device manufacturers to identify and patch the vulnerabilities. But because some of the vulnerable code sits inside third-party components, a device maker may not even know that it ships an affected stack unless the component's use of that stack was documented.
Forescout alerted U.S., German, and Japanese cybersecurity authorities, in addition to as many of the device vendors as it could.
A full list of the affected devices has yet to be released. Vendors said to be affected include Siemens, Genetec, Devolo, NT-Ware, Microchip, and Nanotec.
It's recommended that users with smart home devices check the manufacturer's website for the latest patch and security information. Beyond that, it'll mostly be up to manufacturers to mitigate and resolve the issue.
Apple's HomeKit protocol itself isn't affected by the security flaws. However, many devices support more than one networking protocol or more than one home automation ecosystem, and a HomeKit-compatible device that also runs one of the affected TCP/IP stacks may still be vulnerable to attack.