US Cybersecurity Agency Flags Vulnerabilities on Millions of Smart Devices Using Open-Source Software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a bulletin on December 7 after cybersecurity researchers claimed to have found vulnerabilities in software commonly used by millions of internet-connected devices.

According to the Washington Times, cybersecurity firm Forescout Technologies published a report on December 8 that flagged about 150 manufacturers whose devices are potentially affected by the flaws. The devices range from "smart" plugs, printers, and routers to networked thermometers, healthcare appliances, and industrial control system components.


Hackers could exploit these flaws to penetrate home and business networks and destroy them. However, researchers found that the most heavily affected devices are remote-controlled temperature cameras and sensors.

US Cybersecurity Agency flags vulnerabilities found in millions of IoT devices

CISA flagged the vulnerabilities in a bulletin even though there was no evidence of an intrusion using these flaws. The agency advised users to take defensive actions to reduce the risk of being hacked. It suggested taking industrial control systems offline and isolating them from the corporate network.

The CISA Weekly Vulnerability Summary Bulletin listed the flaws in low, medium, and high severity groups, as determined by the Common Vulnerability Scoring System (CVSS) standard. The entries follow the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard.

Forescout discovered the vulnerabilities while researching TCP/IP software security. It was the largest study, dubbed Project Memoria, and took a year to complete. The company has already alerted U.S., Japanese, and German computer security authorities and informed numerous vendors and companies about its discovery, which it called AMNESIA:33. However, Forescout's vice president of research, Elisa Costante, said it was virtually impossible to identify all devices affected by the flaws.


Bristol University computer scientist Awais Rashid, who reviewed the Forescout discoveries, said control systems for "critical services to society" like power, water, and automated building management could be crippled by these flaws.

Rashid also said the study highlights the dangers that cybersecurity experts often find in internet-linked appliances. These are caused by poor design and messy programming by developers who have little regard for the security of these devices.

How to fix these vulnerabilities on smart devices

Because the flaws affect millions of devices, fixing them is complicated: most devices use open-source software, which is freely distributed code that is lightly altered. This case involves basic internet software that manages communication between smart devices through TCP/IP technology.

Costante noted that fixing the flaws in these devices is highly complex. The software is open source and often maintained by volunteers. However, Costante said that since the vulnerable TCP/IP code is already two decades old, it is no longer supported.

Meanwhile, Rashid said that the biggest challenge is "finding out what you've got." Since some of the compromised code is rooted in a component from another supplier, victims and even the manufacturers may not know it is there, because no one has ever documented it.

The manufacturers would need to patch the flaws themselves, although some may not bother to spend the time and money to do so. If left unfixed, these vulnerabilities would leave company networks open to various attacks such as malware, ransomware, denial-of-service attacks, and others that hijack devices.

As the pandemic forces millions of people and companies to switch to working from home, home networks are at high risk of being compromised and used by hackers to gain access to corporate networks.

This is owned by Tech Times

Written by CJ Robles
