It has been reported that vulnerabilities in the communications protocols used by millions of Internet of Things (IoT) and operational technology (OT) devices could allow cyber attackers to intercept and manipulate data. The vulnerabilities in some TCP/IP stacks have been detailed by cybersecurity researchers at Forescout, who’ve dubbed the set of nine new vulnerabilities as ‘Number:Jack’.
<p><span lang=\"EN-US\">The Number:Jack <wbr />vulnerabilities highlight the difficulty of random numbers. Many algorithms in computing, and especially in cryptography, require random numbers, which means numbers that cannot be predicted ahead of time.</span> </p> <p> </p> <p><span lang=\"EN-US\">Unfortunately, computers are not good at being unpredictable. “Random” numbers in computers are almost always created by a pseudo-random number generator (PRNG), an algorithm that produces a deterministic sequence of numbers. The PRNG can be seeded with something truly random, usually some electrical or atomic process, which makes the pseudorandom sequence impossible to predict. Most devices, however, do not have the required hardware for such a truly seed.</span> </p> <p> </p> <p><span lang=\"EN-US\">\"Another problem is that developers sometimes don’t understand how important a truly random seed is and will use much more deterministic sources for the PRNG seed, such as the system clock.</span> <span lang=\"EN-US\">Problems like these are compounded in IoT devices, where an update process might be difficult or missing entirely. Consequently, weaknesses and vulnerabilities present in IoT devices often persist indefinitely and offer an attractive attack surface for attackers.</span></p>
<p>As many IoT devices are essentially blackboxes of components used to do a specific single job, they use specialist embedded System-on-Chips (SoC) which have small amounts of storage. Therefore, it is understandable that so many have implemented barebones TCP/IP stacks that have re-introduced old security vulnerabilities, as these are devices that often have to work with limited resources and sometimes in real-time with limited CPU processing power.</p> <p> </p> <p>So choices were made, however, the risk/threat assessment was geared towards a different set of goals. As a result, it is good practice to treat IoT devices as insecure and vulnerable to attack by default and to build controls around them to minimize risk. The affected platforms could be in the thousands of devices and as an end-user, it can be next to impossible to know whether you need to update the device. This pushes the responsibility to the device vendor using the vulnerable TCP/IP stacks to produce an update which installs the updated firmware that uses an updated stack to any affected devices, and ultimately ensure the device in question has the ability to accept a firmware update via some form of update mechanism.</p>