A new whitepaper from researchers at enterprise security firm Forescout has unearthed a vulnerability potentially affecting millions of connected devices.

The issue stems from zero-day vulnerabilities in four widely used open-source TCP/IP code libraries.

Amnesia:33 Might Be Hard to Forget

The team behind the whitepaper has dubbed this vulnerability Amnesia:33, and outlines each issue in detail in a whitepaper available from Forescout [PDF].

Forescout estimates that the security flaw affects more than 150 vendors of connected devices worldwide. Potentially millions of devices are vulnerable, from smart home devices to Internet of Things (IoT) devices used in industrial settings.

The vulnerability can affect devices in several ways, as the whitepaper outlines:

  • Remote code execution (RCE) to take control of a target device
  • Denial of service (DoS) to impair functionality and impact business operations
  • Information leak (Infoleak) to acquire potentially sensitive information
  • DNS cache poisoning to point a device to a malicious website

Any one of these attack patterns could wreak havoc on a system, and patching the hole is not going to be an easy task.

Wide Reaching Risks and Consequences

This is far from the first time connected systems have shown flaws, with some even questioning if devices like Ring could make your house less secure than traditional offline security devices. While there are so far no documented attacks as a result of this vulnerability, the Forescout team has outlined some credible attack scenarios.

The affected network stacks are present in a huge number of connected devices, including smart plugs and temperature monitors. A compromise of these devices could affect home users, but would have much more dire consequences in public spaces.

In a healthcare setting, for example, an attacker could gain access to the network and cause havoc, potentially affecting the temperature system or connected locks, or triggering false fire alarms. In a retail setting, connected temperature sensors are a frequent point of weakness, and once on the network, a hacker could take the entire shop offline – something that would render many stores unable to complete transactions or monitor stock.

Of course, these are worst-case scenarios, but as with all security whitepapers: If Forescout thought of it, then someone with malicious intent probably has too.

Why Can't This be Fixed?

The code libraries at the center of Amnesia:33 are the foundational building blocks of many networked devices. They are all open-source, meaning they are freely available to be used or modified by developers.

Even if these code libraries are all updated, the nature of using freely available code results in remixed libraries, unique implementations, and large areas of codebases with potentially malicious code.

At this stage, the only way this gets fixed is if companies take individual responsibility and assess their software implementations, right down to the bare metal.

Even if most vendors take it seriously, I doubt this is the last we'll hear of Amnesia:33.