How an Old Security Issue Left Millions of IoT Devices Vulnerable

March 3, 2021 - 7 minutes read

The Internet of Things (IoT) is extremely vast and encompasses millions of devices. By 2025, the number of IoT devices is projected to grow to 25.1 billion, according to the GSM Association. The rapid growth and expansion of IoT have cybersecurity experts worried about built-in security vulnerabilities and devices that stop getting updated at some point.

Security researchers are warning that history could be repeated if IoT developers don’t take care of a known Windows security issue that’s decades old. The vulnerability can be leveraged to manipulate millions of IoT and operational technology (OT) devices and even create a large-scale DDoS (distributed denial of service) attack across devices at multiple companies.

9 Issues To Be Aware Of

Security researchers at Forescout Research Lab have found and dug into security vulnerabilities in some TCP/IP stacks (internet protocols). They’ve named the nine new issues “Number:Jack”. The research lab had already been researching vulnerabilities in TCP/IP stacks and strategizing how to mitigate them as part of an initiative called Project Memoria.

The latest security issues stem from a foundational part of TCP communication within embedded devices, specifically the generation of the Initial Sequence Number (ISN). ISNs ensure that every TCP connection between two computers or connected devices is unique so that third parties can’t intercept or manipulate the machine-to-machine connection. To keep the connection unique, ISNs are randomly generated so that an outsider cannot predict or learn the ISN and take advantage of it for hacking, hijacking, or spoofing.

These are network security fundamentals that have been known and studied for decades, but the researchers found that this simple concept wasn’t executed correctly in IoT devices. The ISN is not generated randomly, and the resulting patterns leave the supposedly unique machine-to-machine connection vulnerable. Daniel dos Santos, a research manager at Forescout, says that Windows, Linux, and IT departments have mostly fixed these vulnerabilities, but IoT is lagging way behind.
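An added example (not from the article or from Forescout) that contrasts a constructed fixed-increment ISN generator with the RFC 6528 construction, ISN = M + F(connection 4-tuple, secret key), and runs a simple check a defender could apply to ISNs sampled from their own devices. The addresses, step size, function names and the choice of HMAC-SHA256 as F are assumptions for illustration; the weak generator is not the algorithm of any specific stack.

```python
import hashlib, hmac, os, struct
from collections import Counter

SECRET = os.urandom(16)   # per-boot secret key; never leaves the device
MASK = 0xFFFFFFFF         # ISNs are 32-bit values

def weak_isn(prev, step=64000):
    """Constructed weak generator: last ISN plus a fixed step."""
    return (prev + step) & MASK

def rfc6528_isn(laddr, lport, raddr, rport, now):
    """ISN = M + F(4-tuple, secret). M ticks every 4 microseconds."""
    m = int(now * 250_000) & MASK
    msg = f"{laddr}|{lport}|{raddr}|{rport}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    f = struct.unpack(">I", digest[:4])[0]   # HMAC-SHA256 as F (assumed choice)
    return (m + f) & MASK

def looks_predictable(isns, threshold=0.5):
    """True if one delta (mod 2^32) accounts for most successive ISNs."""
    deltas = [(b - a) & MASK for a, b in zip(isns, isns[1:])]
    if not deltas:
        return False
    top = Counter(deltas).most_common(1)[0][1]
    return top / len(deltas) >= threshold

def sample_weak(n=20, start=1000):
    """Constructed sample: ISNs a device using weak_isn would hand out."""
    out = [start]
    for _ in range(n - 1):
        out.append(weak_isn(out[-1]))
    return out

def sample_strong(n=20, now=1.0):
    """Constructed sample: same server, n clients differing by source port."""
    return [rfc6528_isn("192.0.2.10", 80, "198.51.100.7", 40000 + i, now)
            for i in range(n)]

if __name__ == "__main__":
    print("weak generator flagged:  ", looks_predictable(sample_weak()))
    print("RFC 6528 style flagged:  ", looks_predictable(sample_strong()))
```

The check only catches a dominant fixed increment, so a sample that passes it is not thereby shown to be random; it is a first screen, not a randomness proof.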

Immense Potential for Malicious Intent

When TCP connections are this predictable, hackers could close a connection ahead of time, creating a denial-of-service attack by preventing data transfer between the two devices. They could also hijack the connection and add their own data to the transfer while actively downloading sensitive information, delivering malware as file downloads, or using HTTP responses to send the victim machine to a website with malware.

According to dos Santos, “It’s not difficult for us or an attacker to find this type of vulnerability because you can clearly see the way the numbers are generated by the stack is predictable.” Using these predictable connection ISNs, attackers could take things a step further and bypass authentication protocols to gain access to additional networks. For their part, Forescout disclosed the known vulnerabilities to relevant maintainers and vendors of TCP/IP stacks in October 2020.

The Attack Spread

The vulnerabilities were found in several open-source TCP/IP stacks analyzed by Forescout. These included uIP, Nut/Net, picoTCP, FNET, cycloneTCP, and uC/TCP-IP. Additionally, the vulnerabilities were found in enterprise-level solutions like Dallas-based Texas Instruments’ NDKTCPIP, Siemens’ Nucleus NET, and Microchip’s MPLAB Net.

While the majority of vendors subsequently patched their devices with security software (or are in the middle of patching), one vendor hasn’t responded to Forescout’s report. Forescout didn’t release the name of the company. However, Forescout did say that medical devices, storage systems, and wind turbine monitoring systems are chief among the devices vulnerable to the TCP/IP stack issue. Dos Santos says that Forescout looked across multiple TCP stacks to show that IoT security is repeating IT history across several stacks. Most importantly, Forescout wants people to look critically at what happened before and how such an attack could affect their IoT systems and devices. Everyone should do this, “all down the IoT supply chain,” according to dos Santos.

Forescout did not publicly release information on the exact devices for each of the nine vulnerable stacks so that their manufacturers and end users can remain protected until security patches are issued. In the meantime, Forescout released open-source software to help companies with IoT devices identify any stacks that may be vulnerable, based on the research done as part of Project Memoria.

The company recommends issuing security patches if a vulnerability is detected so that attackers are prevented from gaining access to the device and/or network. If a vulnerability is found and it’s not possible to patch the IoT or OT device, Forescout recommends moving the vulnerable devices onto a segment of the network that reduces the risk of an attack or compromise.

Securing All IoT Systems Is a Must

IoT is reaching new heights as an emerging technology, but it would fare better if it took security lessons from a variety of fields, like IT, operating systems, and networking. To fail a test of fundamental network security likely means there are many more basic security issues brewing inside IoT and OT devices.

Dos Santos added, “The foundations of IoT are vulnerable and not just for one vendor or specific device – it’s across several types of devices and the software components used in these devices. It’s often that they share similar types of vulnerabilities.” We cannot allow more large-scale DDoS attacks to occur, especially when they could’ve been avoided in the first place.
