Although the Internet of Things (IoT) introduces remarkable ways to collect, manage, and apply data, it's also a huge vector for cyberattacks. One of the biggest vulnerabilities lies in embedded TCP/IP stacks, which combine applications, transport, network, and physical components.
In many respects, this architecture was never designed for the IoT. Although engineers and developers have attempted to modify and add extensions to the TCP/IP stack — and many pieces are now open source — the complexity of the environment, combined with the reality that it was never designed with security in mind, has introduced numerous security challenges, along with real-world problems.
"What makes the TCP/IP stack vulnerabilities notable is the sheer number of devices that are affected. The TCP/IP stack is a fundamental software component in every IoT device," explains Benson Chan, senior partner at Strategy of Things, a consulting and IoT implementation firm located in Hayward, Calif.
Why Is TCP/IP Such a Threat for the IoT?
At the most basic level, the TCP/IP architecture enables IoT devices to communicate with the network and each other. These stacks are open source and freely used by most embedded devices and IoT module manufacturers.
"IoT device manufacturers then buy the chips and modules with the TCP/IP stack code already embedded from these suppliers to create IoT products," Chan explains.
However, many of these manufacturers aren't aware that their devices are vulnerable, since they have no visibility into which stacks are used in the chips and modules that become part of their IoT devices. What's more, it's not feasible or cost-effective to analyze every single device to find and patch programming errors or other problems within the TCP/IP stack.
As a result, all devices are highly susceptible to attacks, breaches, and flaws. These can lead to performance failures, data loss or corruption, and brand damage. They can also increase cybersecurity costs.
"TCP/IP stack vulnerability management is becoming a real challenge for the security community," says Daniel dos Santos, research manager at Forescout.
What Threats Exist?
The extent of the problem is significant. Last year, a set of vulnerabilities dubbed URGENT/11 and RIPPLE20 made headlines. This year it's AMNESIA:33, with 33 zero-day vulnerabilities impacting four widely used open source TCP/IP stacks – uIP, FNET, picoTCP, and Nut/Net – that serve as foundational connectivity components for millions of IoT, OT, networking, and IT devices, including medical devices, industrial control systems, routers, switches, and smart home components. Attackers could use remote code execution, a denial-of-service (DoS) attack, or simply commandeer a device. Devices from upward of 150 vendors are at risk, according to Forescout, which reported the vulnerabilities last month.
Flaws can reside in both commercial and open source components. Embedded components can include systems-on-a-chip (SoCs), connectivity modules, and OEM boards. IoT devices may span smart plugs, smartphones, sensors, and game consoles. OT systems comprise access controls, IP cameras, protocol gateways, and HVACs. Network and IT devices include printers, routers, and servers.
"AMNESIA:33 changes the stakes not just because of the large number and critical nature of the vulnerabilities found, but also for several other reasons," dos Santos points out.
This includes the widespread and heavy reliance on open source components and the deeply embedded nature of the flaws within hardware. Code from these stacks intersects with every network packet that touches the device, so the vulnerabilities affect even idle devices. Since source code is reused in 88% of embedded projects, it acts as a force multiplier for vulnerabilities such as AMNESIA:33, dos Santos says.
Thus, attackers can use remote code execution (RCE) to take control of a target device and DoS to impair functionality and impact business operations. Attackers can also exploit an information leak to acquire potentially sensitive information and tap DNS cache poisoning to point a device to a malicious website, Forescout reports.
"The widespread nature of these vulnerabilities means that many organizations around the world may be affected by AMNESIA:33," according to Forescout.
How Can Organizations Address the Risk of TCP/IP Stack Vulnerabilities?
Experts point to three foundational steps for dealing with TCP/IP stack vulnerabilities: identifying all devices on a network to understand which are vulnerable; assessing the risks introduced by these devices, which include their business context, criticality, and Internet exposure; and mitigating the assessed risks.
"The last point can be achieved in several ways: patching devices when possible, segmenting the network and isolating critical devices, enforcing security compliance, and monitoring the network for malicious traffic," dos Santos explains.
In regard to AMNESIA:33, he recommends disabling or blocking IPv6 traffic and relying on internal DNS servers whenever possible.
"Several of the vulnerabilities affect these specific protocols in the stacks," he adds.
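As an added example that is not part of the original article, the following Python script turns the two AMNESIA:33-specific recommendations above (block IPv6 on the IoT segment, rely on internal DNS) into monitoring rules over constructed flow records; the VLAN number, resolver addresses and record format are assumptions made for the example.

```python
from dataclasses import dataclass
import ipaddress

# Hypothetical layout: IoT devices live on VLAN 20; only these two resolvers are internal.
IOT_VLAN = "20"
INTERNAL_DNS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.0.54")}


@dataclass
class Finding:
    line: str
    reason: str


def check_flow(line):
    """Return a Finding for one flow record, or None if it matches policy.

    Record format (constructed for this example):
        "<vlan> <proto> <src_ip> <src_port> <dst_ip> <dst_port>"
    """
    vlan, proto, src, sport, dst, dport = line.split()
    if vlan != IOT_VLAN:
        return None  # the rules below apply to the IoT segment only
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Mitigation 1: IPv6 should be disabled or blocked on the IoT segment.
    if src_ip.version == 6 or dst_ip.version == 6:
        return Finding(line, "ipv6-on-iot-segment")
    # Mitigation 2: IoT DNS traffic should involve only the internal resolvers.
    if proto == "udp" and sport == "53" and src_ip not in INTERNAL_DNS:
        return Finding(line, "dns-answer-external")
    if proto == "udp" and dport == "53" and dst_ip not in INTERNAL_DNS:
        return Finding(line, "dns-query-external")
    return None


def triage(records):
    """Run every record through check_flow and keep only the policy violations."""
    return [f for f in (check_flow(r) for r in records) if f is not None]


# Constructed sample flows (not real traffic); three of them violate the policy.
SAMPLE_FLOWS = [
    "20 udp 10.20.0.15 51000 10.0.0.53 53",      # ok: query to internal resolver
    "20 udp 10.0.0.53 53 10.20.0.15 51000",      # ok: answer from internal resolver
    "20 udp 8.8.8.8 53 10.20.0.15 51001",        # flag: answer from external resolver
    "20 udp 10.20.0.15 51002 1.1.1.1 53",        # flag: query to external resolver
    "20 tcp fe80::1 40000 ff02::1 80",           # flag: IPv6 on the IoT segment
    "30 udp 8.8.8.8 53 10.30.0.9 51003",         # ignored: not the IoT VLAN
    "20 tcp 10.20.0.15 443 203.0.113.7 443",     # ok: no rule matches
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FLOWS):
        print(f"{f.reason:22} {f.line}")
```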
It's also wise to tap cybersecurity solutions that can automate and optimize best practices. This includes taking a more proactive approach, "such as segmenting and isolating critical devices — whether or not they have known vulnerabilities — to reduce exposure and limit the impact of breaches," dos Santos says.
An organization can also mitigate risk and potential damage by deploying IoT devices in segmented or isolated networks; staying on top of patches, policy updates, and device replacements; and implementing tighter and more granular controls over components and code, Chan says.
Among the key questions security teams should ask: "What is the legacy of the code? Who is or has worked on it, and are there people still working on it?" Chan explains. "[Open source] libraries have simplified coding, but at the same time developers need to also understand what is in it. It is too easy to link to a library without knowing the code in it."
To be sure, AMNESIA:33 and IoT vulnerabilities related to TCP/IP aren't going away.
"Most of the vulnerabilities in the AMNESIA:33 TCP/IP stacks are caused by poor software development and management practices," Chan says. "Updating the software will address the vulnerabilities. But the real problem is knowing which devices have the affected stacks. IoT device manufacturers buy the chips and modules from suppliers, and the actual software stacks used are typically not specified or known by them."