As 2020 comes to a close, researchers at Forescout have announced an entirely new suite of vulnerabilities that specifically affect Internet of Things (IoT) devices. This disclosure, announced at the beginning of the European Black Hat conference, has been dubbed Amnesia:33. The Amnesia:33 suite of 33 unique vulnerabilities includes four critical memory corruption flaws that allow attackers to compromise affected devices, execute malicious code, efficiently conduct denial-of-service attacks, and exfiltrate sensitive information.
There is no exact count of the devices affected by Amnesia:33 vulnerabilities. Still, the researchers at Forescout estimate that more than 150 million devices are affected by one or more of them. Part of the problem is that all of the affected software is open source. Several of the affected components have existed for 20 years, which means numerous permutations have been used in countless ways in devices for a long time. Because all of it is open source, the code has been “baked in” to code bases, and updates and patches require a proactive approach. Considering how IoT manufacturers have acted in the past, there is little chance of fixes coming anytime soon.
Most of these devices are impossible to update because they rely on a System-on-a-Chip (SoC) architecture developed and produced by a third party, whose involvement is needed in any fix. Such coordination is unlikely to happen, as there is little incentive for either the manufacturer of the affected device or the third-party SoC maker to do the work of updating their products. According to the whitepaper from Forescout, one of the SoC manufacturers affected by these flaws is no longer in business, further driving down the chances that a fix will come from the manufacturers.
With no help coming for Amnesia:33, it is up to organizations to find and contain these devices in their networks. For starters, organizations must have a complete and accurate inventory of their connected devices. Inventory is not a new task, but it is one that most organizations have struggled with at best and, in many cases, are terrible at. In addition to knowing what is on the network, you must also understand the risk associated with these systems. To gauge risk appropriately, you have to consider numerous factors, such as lifecycle, patch levels, information processing, storage, and additional security. Once these risks have been identified, the organization must find a way to remediate, mitigate, eliminate, or manage the risk. Once these steps have been completed, the entire process must begin again from the top to find new devices.