Old Security Vulnerability Left Millions Of Internet Of Things Devices Vulnerable To Attacks

It has been reported that vulnerabilities in the communications protocols used by millions of Internet of Things (IoT) and operational technology (OT) devices could allow cyber attackers to intercept and manipulate data. The vulnerabilities in some TCP/IP stacks have been detailed by cybersecurity researchers at Forescout, who’ve dubbed the set of nine new vulnerabilities as ‘Number:Jack’.

Experts Comments

February 11, 2021
Stephen Kapp
CTO and Founder
Cortex Insight

As many IoT devices are essentially blackboxes of components used to do a specific single job, they use specialist embedded System-on-Chips (SoC) which have small amounts of storage. Therefore, it is understandable that so many have implemented barebones TCP/IP stacks that have re-introduced old security vulnerabilities, as these are devices that often have to work with limited resources and sometimes in real-time with limited CPU processing power.

 

So choices were made, however, the

.....Read More

As many IoT devices are essentially blackboxes of components used to do a specific single job, they use specialist embedded System-on-Chips (SoC) which have small amounts of storage. Therefore, it is understandable that so many have implemented barebones TCP/IP stacks that have re-introduced old security vulnerabilities, as these are devices that often have to work with limited resources and sometimes in real-time with limited CPU processing power.

 

So choices were made, however, the risk/threat assessment was geared towards a different set of goals. As a result, it is good practice to treat IoT devices as insecure and vulnerable to attack by default and to build controls around them to minimize risk. The affected platforms could be in the thousands of devices and as an end-user, it can be next to impossible to know whether you need to update the device. This pushes the responsibility to the device vendor using the vulnerable TCP/IP stacks to produce an update which installs the updated firmware that uses an updated stack to any affected devices, and ultimately ensure the device in question has the ability to accept a firmware update via some form of update mechanism.

  Read Less
February 11, 2021
Jonathan Knudsen
Senior Security Strategist
Synopsys

The Number:Jack vulnerabilities highlight the difficulty of random numbers. Many algorithms in computing, and especially in cryptography, require random numbers, which means numbers that cannot be predicted ahead of time. 

 

Unfortunately, computers are not good at being unpredictable. “Random” numbers in computers are almost always created by a pseudo-random number generator (PRNG), an algorithm that produces a deterministic sequence of numbers. The PRNG can be seeded with something truly

.....Read More

The Number:Jack vulnerabilities highlight the difficulty of random numbers. Many algorithms in computing, and especially in cryptography, require random numbers, which means numbers that cannot be predicted ahead of time. 

 

Unfortunately, computers are not good at being unpredictable. “Random” numbers in computers are almost always created by a pseudo-random number generator (PRNG), an algorithm that produces a deterministic sequence of numbers. The PRNG can be seeded with something truly random, usually some electrical or atomic process, which makes the pseudorandom sequence impossible to predict. Most devices, however, do not have the required hardware for such a truly seed. 

 

"Another problem is that developers sometimes don’t understand how important a truly random seed is and will use much more deterministic sources for the PRNG seed, such as the system clock. Problems like these are compounded in IoT devices, where an update process might be difficult or missing entirely. Consequently, weaknesses and vulnerabilities present in IoT devices often persist indefinitely and offer an attractive attack surface for attackers.

  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.