Security researchers have discovered a set of DNS vulnerabilities affecting popular IoT firmware, putting over 100 million consumer, enterprise and industrial internet-connected devices at risk worldwide.
The vulnerabilities, dubbed NAME:WRECK, affect FreeBSD, IPnet, Nucleus NET and NetX. These are TCP/IP stacks, a set of rules that govern how a computer system connects to the internet.
FreeBSD, for example, is an open-source operating system that powers high-performance servers in millions of IT networks, including those of Yahoo and Netflix. Printers are among the most common type of devices running FreeBSD.
Researchers at security company Forescout, which disclosed the vulnerabilities in partnership with Israeli consultancy JSOF, warned that the DNS vulnerabilities have the potential to impact a wide range of sectors, including healthcare, manufacturing, retail and government.
Forescout said the NAME:WRECK vulnerabilities could be used to hijack medical devices in hospitals and manufacturing equipment in factories. Once compromised, an attacker could hypothetically steal data or turn systems offline.
The San Jose, US, headquartered company also said the security flaw could be used to switch off internet-connected lights in shops or steal data from enterprise servers.
“NAME:WRECK is a significant and widespread set of vulnerabilities with the potential for large scale disruption,” said Daniel dos Santos, research manager at Forescout Research Labs. “Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up to date patches for any devices running across these affected IP Stacks.”
NAME:WRECK is believed to put more than 36,000 devices at risk in the UK.
Forescout is urging security professionals to implement security fixes and has published mitigation advice for vendors, which can be found here. The note concedes that patching for legacy IoT devices may not always be possible and advises taking other precautions, such as network segmentation, and relying more on internal DNS servers.
“Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be just a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security,” added dos Santos.
The ever-growing number of internet-connected devices has created headaches for cybersecurity professionals. According to GlobalData’s thematic research, the “increasing number of connected devices increases the attack surface for malicious actors”, causing the market intelligence firm to rank cybersecurity as the most important theme in the IoT sector.