Over the last several years, we’ve seen an escalation in attacks leveraging connected devices. The world is just beginning to understand, though, that traditional IT devices represent only the tip of the iceberg when it comes to cyber risk. The proliferation of agentless IoT, OT and other connected devices will create a potentially far greater attack surface. Within these devices lies a new layer of risk, one now further illuminated by new research by Forescout Research Labs.
The vulnerabilities discovered and discussed here could allow a cyber attacker to steal data, shut down systems or even take full control of the devices themselves.
AMNESIA:33 is a set of 33 new memory corruption vulnerabilities affecting four popular open-source TCP/IP stacks: uIP, FNET, picoTCP and Nut/Net. These open-source stacks are used across many software and firmware packages, development teams, companies and products, presenting significant challenges to patch management. As a result, Forescout has identified hundreds of vendors and millions of IoT, OT and IT devices potentially at risk worldwide and has been working behind the scenes for several months with package owners to alert them to these issues and help them remediate them where possible. You can read more details about the vulnerabilities announced by our researchers here.
The nature of vulnerabilities like AMNESIA:33 fundamentally changes our understanding of the risks posed by connected devices. While organizations may be able to speak with confidence about the security of the devices they allow inside their environments, it is impossible to have that same level of certainty at every level of embedded systems down to the chipset. Moreover, because vulnerabilities like AMNESIA:33 are not tied to a specific device or application, organizations may not be able to patch them. These factors make elevating the conversation to the highest levels of the company all the more important and require a new approach to identify, segment and enforce compliance of every connected thing, especially those that are suspected risky assets.
Organizations are only as strong as their weakest link. Executives and Boards of Directors have a responsibility to understand the full spectrum of the attack surface all the way down to the supply chain level, as they deploy controls to buy-down the risk of network compromise and help to ensure business continuity.
A Global Project to Lay Foundation for More Secure Device Development
This new disclosure represents research at the heart of interconnected device understanding. When I talk to the CIOs and CISOs of the biggest organizations worldwide, this threat from managed and unmanaged devices infiltrating their networks is top of mind, and they are actively taking steps to address that enterprise risk. The widespread nature of vulnerabilities of this type demands that enterprises have a fulsome set of compensating controls.
As the leader in Enterprise of Things security, Forescout believes it is our responsibility to invest in this type of research so we can continue to raise awareness for critical risks. AMNESIA:33 represents the first disclosure under what we call Project Memoria, an ongoing effort by Forescout Research Labs to discover and shine light on these types of software component vulnerabilities to help organizations better secure their Enterprise of Things devices.
In addition to its research under Project Memoria, Forescout collaborates with industry peers, universities and research institutes to understand the vulnerabilities in TCP/IP stacks and how such threats can be mitigated. Forescout is proud to lead the way, but this is an important emerging research category that demands full industry participation.
I am incredibly proud of the Forescout team for their hard work and dedication to this critical area of research and commitment to servicing the industry.
Given the widespread nature of these types of vulnerabilities and the difficulty in remedying them at scale, it is only a matter of time before they are exploited. Organizations must ready themselves before that time comes or knowingly leave themselves open to attack.