Vulnerabilities in the communications protocols used by millions of Internet of Things (IoT) and operational technology (OT) devices could allow cyber attackers to intercept and manipulate data.
The vulnerabilities in some TCP/IP stacks have been detailed by cybersecurity researchers at Forescout, who’ve dubbed the set of nine new vulnerabilities as ‘Number:Jack’.
It forms ongoing research by the cybersecurity company as part of Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks and how to mitigate them.
The latest disclosures are based around a fundamental aspect of TCP communication in embedded devices: Initial Sequence Number (ISN) generation. These ISNs are designed to ensure that every TCP between two computers or other internet-connected devices is unique and that third parties can’t interfere with or manipulate connections.
In order to ensure this, ISNs need to be randomly generated so an attacker can’t guess it, hijack it or spoof it. It’s a fundamental of computer security that was already known in the 90s – but when it comes to security of IoT devices, researchers found that this old vulnerability was present as numbers weren’t completely random, so the pattern of ISN numbers in these TCP communications could be predicted.
“This stuff has been mostly fixed in Windows and Linux and the typical IT world. But when you look into the IoT world, this stuff is happening again,” Daniel dos Santos, research manager at Forescout told ZDNet.
“It’s not difficult for us or an attacker to find this type of vulnerability because you can clearly see the way the numbers are generated by the stack is predictable,” he added.
By predicting an existing TCP connection, attackers could close it, essentially causing a denial-of-service attack by preventing the data from being transferred between devices. Alternatively, they could hijack it and inject their own data into the session, through which it’s possible to intercept unencrypted traffic, add file downloads to serve malware or use HTTP responses to direct the victim to a malicious website. It’s also possible for attackers to abuse TCP connections of the embedded devices to bypass authentication protocols, which potentially provide attackers with additional access to networks.
All of the vulnerabilities were discovered and disclosed to the relevant vendors and maintainers of affected TCP/IP stacks by October 2020.
TCP/IP stacks found to contain the vulnerabilities include several open-source stacks analysed in Forescout’s previous study, including uIP, FNET, picoTCP, Nut/Net, cycloneTCP and uC/TCP-IP. Vulnerabilities have also been discovered in Siemens’ Nucleus NET, Texas Instruments’ NDKTCPIP and Microchip’s MPLAB Net.
The majority of of the vendors have patched to protect devices against the vulnerabilities or are in the process of doing so, although researchers note that one hasn’t responded to the disclosure at all. ZDNet has attempted to contact each of the vendors detailed in the research paper for a response.
Forescout hasn’t publicly identified the exact devices that rely on the nine stacks found to have vulnerabilities in order to prevent them becoming potential victims of attacks. However, they do note that systems including medical devices, wind turbine monitoring systems and storage systems are all reliant on systems known to use the examined stacks.
To help protect against attacks, Forescout Research Labs has released an open-source script to help identify stacks discovered to have vulnerabilities as part of Project Memoria.
It’s recommended that if these vulnerabilities are uncovered on the network that security patches are applied to prevent attackers from taking advantage. It’s also suggested that when it isn’t possible to patch IoT or OT devices, the affected products are segmented onto part of the network that will reduce the likelihood of compromise.
The research also serves as a reminder that, when it comes to security of IoT devices, there are security lessons to be learned from IT security that must be applied – especially when it comes to fundamentals that have been known about for decades.
“The foundations of IoT are vulnerable and not just for one vendor or specific device – it’s across several types of devices and the software components used in these devices. It’s often that they share similar types of vulnerabilities,” said dos Santos.
“The reason we’ve looked across TCP stacks is to show that history’s repeating again in several stacks. This provides proof that people should be looking at what has happened before and how that affects their operations – all down the IoT supply chain,” he added.