
Researchers discover 33 vulnerabilities affecting 'millions' of IoT, smart home devices

Credit: Malcolm Owen, AppleInsider

Cybersecurity researchers have discovered a slew of vulnerabilities included in foundational, open source software used in "millions" of smart home and IoT devices.

The 33 vulnerabilities, disclosed by cybersecurity firm Forescout, impact four open source TCP/IP stacks that are used in devices created by more than 150 vendors. Together, the 33 vulnerabilities, which include four critical security flaws, are dubbed "AMNESIA:33."

According to Forescout, the vulnerabilities cause memory corruption, which could allow attackers to compromise devices, execute malicious code, steal sensitive information, and perform denial-of-service attacks.

Most of the affected devices are consumer-facing products like remote temperature sensors and cameras. However, they can range from simple smart plugs and office routers, to industrial control system components and healthcare appliances.

The seriousness of the flaws, as well as their widespread nature, led the Cybersecurity and Infrastructure Security Agency to issue a bulletin advising users and manufacturers of the threat. It recommended defensive measures such as removing critical infrastructure from the internet.

Despite the potential for exploitation, CISA noted that there do not appear to be any active public exploits specifically targeting these vulnerabilities in the wild.

However, one of the worrying aspects of the vulnerabilities is the fact that they exist in open source software, Forescout said. That could make addressing them much more difficult, since open source software is often maintained by volunteers and some of the vulnerable code is two decades old.

It'll be up to device manufacturers to identify and patch the vulnerabilities. However, because some of the vulnerable code exists in a third-party component, the component's use must have been documented for device makers to know that it's there.

Forescout alerted U.S., German, and Japanese cybersecurity authorities, in addition to as many of the device vendors as it could.

A full list of the affected devices has yet to be released. The list is said to include Siemens, Genetec, Devolo, NT-Ware, Microchip, and Nanotec.

It's recommended that users with smart home devices check the manufacturer's website for the latest patch and security information. Beyond that, it'll mostly be up to manufacturers to mitigate and resolve the issue.

Apple's HomeKit protocol itself isn't affected by the security flaws. However, many devices utilize more than one networking protocol or have multiple home automation system compatibilities, and as such, may be vulnerable to attack should one manifest.

18 Comments

rotateleftbyte 12 Years · 1630 comments

Is anyone with even half a clue about IT surprised by this sort of thing?
I decided a long time ago that I'd not be having any IoT [redacted] kit in my home. To me, they are a disaster waiting to happen.
I'm sure that it won't be very long before your home insurance company starts demanding to know if you have things like Smart Doorbells with cameras etc installed. Watch out for insurance rates to rise accordingly.

mark fearing 16 Years · 441 comments

Some are more insecure than others. But they have hardly any penetration into homes (total population in the US that has smart devices is what?) Insurance companies won't really care if you have a doorbell cam for a very long time. And most people's garbage is a bigger security risk unless you have gone full nuts and shred everything and remove your fingerprints from soda cans. And what about ANY Amazon device? Smart speakers and 'internet ready' TVs are the worst culprits for poor network security measures.

maestro64 19 Years · 5029 comments

Okay, I get using IoT devices to initiate a DoS attack; beyond this, not sure how dangerous they can be, unless they're going to unplug themselves and attack me.

However, not sure most of my IoT devices can tell anyone about me; most do not require any sort of login credential, and for the ones that do, I use a throwaway email account and a randomly made up password. All my computers on my home network are Macs and we know how hard it is to hack them unless you have direct access to the computer.

Yes, in theory they can do all kinds of things under perfect circumstances, but in reality does anyone know if they will take over your home and make you do things you don't want to do? Seriously, if my lights start blinking when they should not, the device is getting tossed or reset.

DAalseth 6 Years · 3067 comments

Is anyone with even half a clue about IT surprised by this sort of thing?
I decided a long time ago that I'd not be having any IoT [redacted] kit in my home. To me, they are a disaster waiting to happen.
I'm sure that it won't be very long before your home insurance company starts demanding to know if you have things like Smart Doorbells with cameras etc installed. Watch out for insurance rates to rise accordingly.

I agree completely. The security of these has always been suspect.
To me there are two kinds of IOT things though:
Smart speakers, room cameras, and other surveillance devices. I don’t own any, and won’t.
Then there’s things like smart light bulbs, thermostats, light fixtures, and such. I keep asking myself WHY they need to be connected to the internet? Seriously, though the potential for mischief is low, why? I can turn on our ceiling fan with a local remote. My thermostat is programmed, but it’s all internal, no outside data connection. The lights over my driveway come on when I get home. No internet, they are classic motion sensor lights that have been available for decades. I honestly don’t see the POINT of connecting most of these things to the web. I’m not going to be turning my living room lights on when I’m at work.

And don’t get me started on how absurd things like internet connected refrigerators etc., are IMO. For reference to see who is at my front door I don’t have a doorbell with a camera, I have a window.

mike1 10 Years · 3437 comments

DAalseth said:
Is anyone with even half a clue about IT surprised by this sort of thing?
I decided a long time ago that I'd not be having any IoT [redacted] kit in my home. To me, they are a disaster waiting to happen.
I'm sure that it won't be very long before your home insurance company starts demanding to know if you have things like Smart Doorbells with cameras etc installed. Watch out for insurance rates to rise accordingly.
I agree completely. The security of these has always been suspect.
To me there are two kinds of IOT things though:
Smart speakers, room cameras, and other surveillance devices. I don’t own any, and won’t.
Then there’s things like smart light bulbs, thermostats, light fixtures, and such. I keep asking myself WHY they need to be connected to the internet? Seriously, though the potential for mischief is low, why? I can turn on our ceiling fan with a local remote. My thermostat is programmed, but it’s all internal, no outside data connection. The lights over my driveway come on when I get home. No internet, they are classic motion sensor lights that have been available for decades. I honestly don’t see the POINT of connecting most of these things to the web. I’m not going to be turning my living room lights on when I’m at work.

And don’t get me started on how absurd things like internet connected refrigerators etc., are IMO. For reference to see who is at my front door I don’t have a doorbell with a camera, I have a window.


The devices you mention need to be connected to the internet for those who want to control them from outside the home. These devices add convenience and accessibility for some people. Not everyone has the same use cases as you do. If I want to see the cameras around my house, I need internet. If I want to unlock the door to let in the nurse taking care of an elderly relative, it needs an internet connection. Just because you have no need for it, doesn't mean nobody does.