AMNESIA:33 – A commentary from the research labs
Forescout announced the discovery of a whole series of vulnerabilities found in TCP/IP stacks commonly used in IoT devices. Franz Härtl has tried to find out what’s behind all that noise and asked Wicus Ross and Peter Holvoet from the Orange Cyberdefense Research Labs.
Franz: Hello Wicus and Peter. We heard a lot about AMNESIA:33 this morning and are all very curious about what details will be disclosed at Black Hat EU 2020 tomorrow. Could you tell me, in a nutshell, what this is about?
Peter: Cheap vendors commonly use open-source TCP/IP stacks with apps on top, without security in mind. These stacks have now been found to include various vulnerabilities. With this, everything can happen. That is a general problem, and of course there are a lot of IoT devices with bad coding and without security in mind.
Franz: I see. So the problem is that the communication protocols, which allow devices and their apps to communicate to the internet, are badly implemented?
Peter: It’s all about coding on top of a TCP/IP stack. If this is done in a bad way, and on top of a light OS that cannot be patched, then your complete network is in danger if the device is connected to your network and also attached to the outside world…
Franz: So an unpatchable IoT device could serve as a bridge or possible backdoor into an otherwise secure network, right?
Wicus: Potentially. The bigger problem here might be home networks. Enterprises can mitigate or replace devices that are out of support – home users are generally oblivious.
Peter: It would not be the first time that hackers enter a corporate network via an IoT device. No matter what it is, a thermostat accessible from the Internet… remember the aquarium in the casino?
Wicus: Speaking to your point on the thermostat, the Forescout blog post states: “The largest category is IoT devices, both enterprise and consumer, which includes devices such as cameras, environmental sensors (e.g., temperature, humidity), smart lights, smart plugs, barcode readers, specialized printers, and audio systems for retail. IoT is followed by OT equipment for Building Automation Systems, which includes devices such as physical access controls, fire and smoke alarms, energy meters, and HVAC systems. Then we have OT equipment for Industrial Control Systems, which includes devices such as RTUs, protocol gateways and serial-to-Ethernet gateways. Lastly is IT, which includes devices such as printers, switches and wireless access points.”
Peter: Correct, given the vast number of IoT devices from all manufacturers, the chance of vulnerabilities is much higher. Most of the companies don’t understand the difference between OT and IoT, unfortunately. I have to explain that over and over again 😊. They all mention it in one breath… Just because IoT devices are connected to the OT network does not mean they are the same; it is a completely different platform, and IP-based!
Franz: Why are these systems so hard or even impossible to patch?
Wicus: The manufacturers have probably put an end of life on some of the devices. In one case a System-on-a-Chip provider has gone out of business and the TCP/IP stacks were linked to it – Source: Wired (https://www.wired.com/story/amnesia33-iot-vulnerabilities-may-never-get-fixed/)
Peter: These are very small devices with a light OS and no agent, sold for peanuts.
Wicus: Yeah, most of the time it’s manual patching, if patching is possible at all.
Peter: Patching for those devices mostly means putting a new stack on top of it, from OSI layer 0 to 7. Patching means that you have to put another application on top of it or close the security gaps in the application. Often there is no space to do so, so the complete stack needs to be replaced.
Franz: So no way to just “fix the issue”. The whole implementation has to be done from scratch basically?
Peter: IoT and OSI layers and security, yes. Because the device is so small and there is no space to fix the “app”. So there will indeed be a lot of IoT devices vulnerable that will never be patched. Why do you think that there are so many IP cams that you can watch for free in your browser? Some are even placed in shops and doctors’ waiting rooms. That’s not only because the default username and password have never been changed. Good-practice security features like multi-factor authentication are not even possible on those devices.
Franz: Basically, this does not sound like anything dramatically new to me. It seems it does not make sense for vendors to invest in robust firmware or security for cheap IoT devices. But is there any standard or certification for customers who do care and would be happy to spend an extra buck on security?
Peter: There isn’t.
Wicus: “Fixing the issue” is possible if vendors are willing (which starts with their product being set up to do so). We have seen that vendors use open-source software because it’s “free” and they can get going quickly. Yet even serious vendors have also made some missteps – look at Urgent/11. It is like Peter said: the vendors want to sell volume and thus do not spend that much effort on reviewing their products to fix issues.
Peter: Every piece of software can have vulnerabilities that were not foreseen. That is the nature of coding. It is about finding the balance between user-friendliness, performance, cost… the more security you build in, the more those parameters will be jeopardized.
Wicus: Well-known classes of software flaws can be found – through white-box code review, for example – but this is expensive. For me, the core of the problem is the lack of vendor incentive to invest in a product that they have already shipped. There is no reward/benefit or penalty. Vendors are rewarded for selling new models – they get no benefit from spending more money on maintenance. Take Microsoft, for example – they make sure the software is at an adequate functional and stable level with the features their clients want; security will be addressed as they find issues.
Peter: “We will cross that bridge when we get there; for now, it is good enough with beautiful icons…”
Franz: Is there anything that an organization or private person can do to protect themselves? Besides blocking the IoT device from the internet, which sort of defeats the purpose.
Peter: Best practice is to put the IoT devices on a separate network, so if they get compromised, they stay isolated and don’t compromise the complete network.
Wicus: For the average person in the street – if possible, replace the device with a newer model that is under active support by the vendor.
Peter: For businesses, the problem starts when this person works from home and their home network is suddenly connected to the corporate enterprise network via remote access.
Franz: Nothing you can do with a consumer firewall? Like blocking certain vulnerable ports for affected devices?
Wicus: That depends on the application – always have something in front of these devices that can monitor and control network flows.
Franz: What about enterprises? Especially regarding the problem of remote access we already mentioned? What can organizations do to prevent being affected by an employee, whose network was compromised by a faulty IoT device?
- Supply a Remote Access Point (RAP) device that can enforce all the necessary controls – the laptop can then only connect to the RAP, and the RAP connects to the home network.
- If using a VPN:
  - Make sure VPNs are configured to use a full-tunnel configuration.
  - Do not allow the work device to interact with the local network.
  - Use an explicit DNS provider that is configured by the VPN.
- Consider using mobile data instead of relying on the home user’s infrastructure.