Enterprise of Things security watchdog, Forescout has revealed widespread vulnerabilities affecting millions of devices globally through its AMNESIA:33 study. The nature of these vulnerabilities across so many different devices, covering all aspects of business means that most organisations will be at risk.
AMNESIA:33 is a set of 33 memory-corrupting vulnerabilities affecting four open-source TCP/IP stacks: uIP; FNET; picoTCP; and Nut/Net. These open-source stacks are not owned by a single company and are used across multiple codebases, development teams, companies and products. This presents significant challenges to patch management. As a result, Forescout has identified hundreds of vendors and millions of Internet of Things (IoT), Industrial IoT (IIoT), Internet of Medical Things (IoMT), operational technology (OT), and IT devices at risk worldwide.
The TCP/IP stacks affected by AMNESIA:33 can be found in operating systems for embedded devices, systems-on-a-chip, networking equipment, OT devices and a myriad of enterprise and consumer IoT devices such as:
•    IoT devices: cameras; environmental sensors (e.g., temperature, humidity); smart lights; smart plugs; barcode readers; specialised printers; retail audio systems; and healthcare devices.
•    Building automation systems: physical access control; fire and smoke alarms; energy meters; batteries; and heating, ventilation and air conditioning (HVAC) systems.
•    Industrial control systems: physical access control; and fire and smoke alarms.
•    IT devices: printers; switches; and wireless access points.
TCP/IP stacks are critical components of all IP-connected devices, including IoT and OT, since they enable basic network communication. A security flaw in a TCP/IP stack can be extremely dangerous because the code in these components may be used to process every incoming network packet that reaches a device. This means that some vulnerabilities in a TCP/IP stack let a device be exploited simply by being connected to a network and powered on.

What could this look like in a manufacturing organisation?
The goal of the attacker might be to tamper with a production line via its OT network. To do this, the attacker first compromises a virtual private network (VPN)-connected employee’s laptop, which may sit at the office or in someone’s home, via phishing. After compromising the laptop, the attacker can move laterally by exploiting EternalBlue, ZeroLogon or other Windows vulnerabilities to an engineering workstation that manages a production line at the manufacturing plant. From there, the attacker can finally reach critical devices at the plant.
If the attacker chooses to tamper with a protocol gateway that connects serial-enabled physical equipment in a production line (such as conveyor belts, sensors and actuators) to the control network, the attacker will be able to halt production, disable quality control, or inject false data to create products that are not up to standard.
Greg Clark, CEO, Forescout, said that over the several few years, he had seen an escalation in attacks leveraging connected devices. “What the world is just beginning to understand though is that traditional IT devices represent only the tip of the iceberg when it comes to cyber risk and that the proliferation of unagentable IoT, OT and other connected devices will create a potentially far greater attack surface.
“The nature of vulnerabilities like AMNESIA:33 fundamentally changes our understanding of the risks posed by connected devices. Organisations are only as strong as their weakest link, and executives and boards of directors have a responsibility to understand the full spectrum of the attack surface all the way down to the supply chain level, as they deploy controls to buy-down the risk of network compromise or ensure business continuity.  
“Given the widespread nature of these vulnerabilities and the difficulty in remedying them at scale, it is only a matter of time before they are exploited. Organisations must ready themselves before that time comes or else knowingly leave themselves open to attack.”
Forescout senior director, systems engineering – Asia Pacific & Japan, Steve Hunter said this research highlights that potentially any network-connected device in the world may have inherent vulnerabilities as part of its code that could lead to significant security breaches if those vulnerabilities are weaponised by hackers. “Even traditional home devices pose a risk for organisations with the new normal being the distributed workforce. This potentially opens a new access path to corporate assets through home devices that have these types of vulnerabilities.
“The reality is, once hackers realise the potential here and exploits are developed, we will see a spike in attacks on these devices. These types of vulnerabilities are now pervasive across the enterprise and we will continue to find more examples in existing and unpatchable devices as well as in the new devices being added to networks to enable new applications.”
AMNESIA:33 is the first study under Project Memoria, an initiative launched by Forescout Research Labs that aims at providing the community with the largest study on the security of TCP/IP stacks. Project Memoria’s goal is to develop the understanding of common bugs behind the vulnerabilities in TCP/IP stacks, identifying the threats they pose to the extended enterprise, and how to mitigate those.