DNS Flaws Expose Millions of IoT Devices to Hacker Threats
A set of flaws in a widely used network communication protocol that could affect millions of devices was revealed Monday by security researchers.
The nine vulnerabilities discovered by Forescout Research Labs and JSOF Research dramatically increase the attack surface of at least 100 million Internet of Things devices, exposing them to potential attacks that could take the devices offline or allow them to be hijacked by threat actors.
The vulnerability set called Name:Wreck affects four popular TCP/IP stacks — FreeBSD, Nucleus NET, IPnet and NetX.
The researchers explained that Nucleus NET is part of Nucleus RTOS, a real-time operating system used by more than three billion devices, including ultrasound machines, storage systems, critical systems for avionics and others.
FreeBSD is widely used by high-performance servers in millions of IT networks and is also the basis for other well-known open-source projects, such as firewalls and several commercial network appliances.
They added that NetX is usually run by the ThreadX RTOS, which had 6.2 billion deployments in 2017 and can be found in medical devices, systems-on-a-chip and several printer models.
Security experts told TechNewsWorld that TCP/IP attacks can be particularly powerful as TCP/IP is the software that actually does all the communication from the device to other systems. Corrupting the TCP/IP software to allow for vulnerabilities or exploiting errors in the design is the foundation of most attacks.
Attacks on the TCP/IP stack can also circumvent some elementary security protections.
TCP/IP vulnerabilities are powerful because they can be exploited remotely over the Internet or on an intranet without having to subvert other security mechanisms like authentication.
In most cases, the code of TCP/IP stacks runs with high privileges, so any code execution vulnerability would allow an attacker to get significant privileges on the device.
Although some of the vulnerabilities aired by the researchers can be fixed, the process can be problematic.
For the end devices that use those stacks, patching is theoretically possible. But, in practice, many of the vulnerable systems are IoT devices running real-time operating systems that are not on a normal patch schedule and are unlikely to receive a patch.
IoT devices are usually handled with a ‘deploy and forget’ approach and are often only replaced after they fail or reach the end of their serviceability.
Age can be another problem for IoT devices. These systems can be patched, but they are generally very old implementations that may be used for scenarios they weren’t envisioned for. They are vulnerable based on their sheer complexity and inability to easily identify risks.
It has always been very hard to patch IoT vulnerabilities.
Even without patches, there are ways to protect a network from exploiters of the vulnerabilities found by the Forescout and JSOF researchers.
To exploit the Name:Wreck vulnerabilities, an attacker has to reply to a DNS request from the target device with a spoofed packet that has the malicious payload. To accomplish this, an attacker will need network access to the target device. So keeping devices, especially IoT devices, segmented from the Internet and core internal networks is one mechanism to mitigate the risk of exposure.
Monitoring DNS activity in the environment and flagging any external DNS server activity is a good step as well.
If the system itself can’t be patched, and this may be the case for aging industrial control systems or other OT network devices and IoT endpoints, it’s important to ensure that the network only allows secure, trusted traffic to these devices.
This is where Zero Trust designs can help, ensuring that only authorized devices can access these vulnerable systems.
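The segmentation and DNS-monitoring advice above can be turned into a simple detector. The following is an added example, not code from the article or from the Forescout/JSOF researchers: it reads flow-log lines in a constructed format and flags two things, DNS queries sent anywhere other than the organisation's approved resolvers (the "external DNS server activity" the text recommends watching), and DNS replies that reach the IoT segment from a source that is not an approved resolver, which is the delivery path the article says a Name:Wreck attack needs. The resolver addresses, the IoT address range, and the log format are all assumptions made for the demo.

```python
"""
Flag DNS traffic that bypasses approved internal resolvers.

Added example (not the article's code). The flow-log line format,
the approved resolver addresses and the IoT segment are all assumed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed: the organisation's two approved internal resolvers and the
# address range of the segregated IoT network.
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.0.54"),
}
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Constructed flow-log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    rule: str
    severity: str


def parse_flow(line: str) -> Optional[dict]:
    """Parse one flow-log line; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow: dict) -> Optional[Finding]:
    """Apply the two DNS rules to a parsed flow; return a Finding or None."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])

    # Rule A: a DNS query (dport 53) to anything other than an approved resolver.
    # Queries leaving for a public address are the "external DNS server
    # activity" worth flagging first; unapproved internal resolvers are lower.
    if flow["dport"] == 53 and dst not in APPROVED_RESOLVERS:
        if dst.is_global:
            return Finding(flow["ts"], flow["src"], flow["dst"],
                           "query-to-external-resolver", "high")
        return Finding(flow["ts"], flow["src"], flow["dst"],
                       "query-to-unapproved-internal-resolver", "medium")

    # Rule B: a DNS reply (sport 53) delivered into the IoT segment from a
    # source that is not an approved resolver. A reply reaching a device from
    # an unexpected source is exactly what the spoofed-response path relies on.
    if flow["sport"] == 53 and dst in IOT_SEGMENT and src not in APPROVED_RESOLVERS:
        return Finding(flow["ts"], flow["src"], flow["dst"],
                       "reply-to-iot-from-unapproved-source", "high")
    return None


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Run both rules over a log; malformed lines are skipped, not fatal."""
    findings: List[Finding] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        finding = classify(flow)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one clean exchange, one query to a public resolver
# answered from an unknown host, one query to an unapproved internal resolver,
# one workstation outside the IoT segment using a public resolver, one bad line.
SAMPLE_LOG = [
    "2021-04-13T10:00:01Z 10.20.4.7:51234 -> 10.0.0.53:53 udp",
    "2021-04-13T10:00:01Z 10.0.0.53:53 -> 10.20.4.7:51234 udp",
    "2021-04-13T10:00:05Z 10.20.4.9:40001 -> 8.8.8.8:53 udp",
    "2021-04-13T10:00:05Z 198.51.100.23:53 -> 10.20.4.9:40001 udp",
    "2021-04-13T10:00:09Z 10.20.4.7:55555 -> 10.20.4.250:53 udp",
    "2021-04-13T10:00:10Z 10.1.2.3:44444 -> 8.8.8.8:53 udp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.severity:6} {f.rule:40} {f.src} -> {f.dst}")
```

Two caveats a practitioner would want: the rules key on port 53 only, so DNS on non-standard ports or encrypted DNS (DoH/DoT) is not covered, and Rule B cannot catch a reply whose source address is forged to match an approved resolver, which is why the article pairs monitoring with segmentation and only admitting trusted traffic into the IoT network.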
IoT as a whole is a hotspot for security. Weak passwords and hard-coded user accounts, lack of patching, and outdated components: these latest vulnerabilities are just more for the stack of insecurity that is IoT.