Amnesia:33 - IoT Security Flaws Affect Millions

As 2020 comes to a close, researchers at Forescout announced an entirely new suite of vulnerabilities that specifically affect the internet of things (IoT) devices. This disclosure, announced at the beginning of the European Blackhat conference, has been dubbed Amnesia:33. The Amnesia:33 suite of 33 unique vulnerabilities includes four critical memory corruption flaws that allow attackers to compromise affected devices, execute malicious code, efficiently conduct denial-of-service attacks, and exfiltrate sensitive information.

Amnesia:33 Includes Numerous Critical Flaws

The 33 vulnerabilities in the Amnesia:33 disclosure affect four widely used open source TCP/IP stacks. The connectivity software is a vital part of the communication stack on millions of IoT/OT, networking hardware, and more traditional IT devices. The flawed open source code is called uIP, FNET, picoTCP, and the Nut/Net stacks. This software is the primary network communication stack for devices made by more than 150 unique vendors affecting more than a million devices in use today around the world.

The list of attacks possible with these vulnerabilities reads like a hit list of the most critical attacks available. Memory corruption is the primary issue, which then can be exploited for several powerful attacks:

- Remote Code Execution (RCE) – Allows malicious actors to execute malicious code on the affected devices to take over and maintain control.
- Denial of Service (DoS) – Malicious actors can hinder the functionality or completely block access to affected devices.
- Information Leaks (InfoLeak) – Attackers can gain access to privileged or sensitive information using these flaws.
- DNS Cache Poisoning – Attacks on the DNS Cache will redirect devices or traffic to or from a device to a malicious website of the attacker’s choosing.

Staggering Numbers Affected

There is no exact number of devices that are affected by Amnesia:33 vulnerabilities. Still, the researchers at Forescout estimate more than 150 million devices are affected by one or more of these vulnerabilities. Part of the problem is that all of the affected software is open source. Several of them have existed for 20 years, which means there are numerous permutations that have been used countless ways in devices for a long time. Since all are open source, code has been “baked in” to code bases, and updates and patches require a proactive approach. Considering how IoT manufacturers acted in the past, there is little chance of fixes coming anytime soon.

Can’t Rely on Manufacturer Updates

Most of these devices are impossible to update because they rely on a System-on-a-Chip (SOC) architecture developed and produced by a third party, necessitating their involvement in any fixes. Any coordination is unlikely to happen as there is little incentive for the manufacturers of both the affected device and the third-party SOC maker to do the work to update their products. According to the whitepaper from Forescout, one of the SOC manufacturers affected by these flaws is no longer in business, further driving down the chances a fix will come from the manufacturers.

With no help coming for Amnesia:33, it is on organizations to find and contain these devices in their networks. For starters, organizations must have a complete and accurate inventory of their connected devices. Inventory is not a new task but one that most organizations have struggled with at best and are terrible at in many cases. In addition to knowing what is on the network, you also must understand the risk associated with these systems. To appropriately gauge risk, you have to consider numerous factors, such as lifecycle, patch levels, information processing, storage, and additional security. Once these risks have been identified, the organization must find a way to remediate, mitigate, eliminate, or manage the risk. Once these steps have been completed, the entire process must begin from the top to find new devices.

Solving Amnesia:33 with Securolytics

Fortunately, Securolytics has a tool that can help with Amnesia:33 issues. Securolytics offers a plug-and-play IoT security solution that gives organizations the visibility and control needed over connected devices on their corporate networks. Securolytics runs on any internal network by simply plugging into an available ethernet port. There is no need for SPAN or TAP ports or to run individual agents on any systems. Everything happens inside the Securolytics appliance.

For a limited time, we are offering the Securolytics IoT Mini at no charge to customers. The IoT Mini will automatically find and identify IoT devices, and it will detect IoT vulnerabilities without interference to devices or to the network. Request yours below and protect your organization from Amnesia.33 and other vulnerabilities.

Request Your FREE IoT Mini

Profile IoT Devices on Your Network
in Just Minutes

Learn More

Request Your FREE IoT Mini

Profile IoT Devices on Your Network
in Just Minutes

Click Here

Also, check out our our other blogs or our products in more detail.

John Nye

Technical Product Manager

Share This Blog