
DNS Flaws Expose Millions of IoT Devices to Hacker Threats


A set of flaws in a widely used network communication protocol that could affect millions of devices was revealed Monday by security researchers.

The nine vulnerabilities discovered by Forescout Research Labs and JSOF Research dramatically increase the attack surface of at least 100 million Internet of Things devices, exposing them to potential attacks that could take the devices offline or allow them to be hijacked by threat actors.
"History has shown that controlling IoT devices can be an effective tactic to launch DDoS attacks," said Rohit Dhamankar, vice president for threat intelligence products at Alert Logic, an application and infrastructure security company in Houston.

"As the IoT devices get richer in functionality, it is possible for them to be under an attacker's control, just like servers or desktops can be, and they can be further exploited to be beachheads in enterprise breaches," he told TechNewsWorld.

Called Name:Wreck, the vulnerability set affects four popular TCP/IP stacks -- FreeBSD, Nucleus NET, IPnet and NetX. The researchers explained in a blog that Nucleus NET is part of Nucleus RTOS, a real-time operating system used by more than three billion devices, including ultrasound machines, storage systems, critical systems for avionics and others.

FreeBSD, the researchers noted, is widely used by high-performance servers in millions of IT networks and is also the basis for other well-known open-source projects, such as firewalls and several commercial network appliances.

They added that NetX is usually run by the ThreadX RTOS, which had 6.2 billion deployments in 2017 and can be found in medical devices, systems-on-a-chip and several printer models.

"Organizations in the healthcare and government sectors are in the top three most affected for all three stacks," the researchers wrote. "If we conservatively assume that one percent of the more than 10 billion deployments discussed above are vulnerable, we can estimate that at least 100 million devices are impacted by Name:Wreck."

Powerful Attack Vector

Security experts told TechNewsWorld that TCP/IP attacks can be particularly powerful. "TCP/IP is the software that actually does all the communication from the device to other systems," explained Gary Kinghorn, marketing director for Tempered Networks, a micro-segmentation company in Seattle.

"If it's a network-based attack -- as opposed to inserting a thumb drive in a USB port -- you have to go through TCP/IP," he said. "Corrupting the TCP/IP software to allow for vulnerabilities or exploiting errors in the design is the foundation of most attacks."

Attacks on the TCP/IP stack can also circumvent some elementary security protections.

"Anytime you have an attack on TCP/IP and you don't need a username or password, it's easier to execute the attack," observed Dhamankar.

"TCP/IP vulnerabilities are powerful because they can be exploited remotely over the Internet or on an intranet without having to subvert other security mechanisms like authentication," added Bob Baxley, CTO of Bastille Networks, of San Francisco, a provider of threat detection and security for the Internet of Things.

In addition, once a device is compromised, there may be a bonus for a TCP/IP attacker.

"In most cases, the code of TCP/IP stacks runs with high privileges, so any code execution vulnerability would allow an attacker to get significant privileges on the device," said Asaf Karas, cofounder and CTO of Vdoo, a provider of security automation for embedded devices in Tel Aviv, Israel.

Patching Problems

Although some of the vulnerabilities aired by the researchers can be fixed, the process can be problematic.

Baxley noted that patches have been released for FreeBSD, Nucleus NET and NetX.

"For the end devices that use those stacks, patching is theoretically possible," he said. "But, in practice, many of the vulnerable systems are IoT devices running real-time operating systems that are not on a normal patch schedule and are unlikely to receive a patch."

"IoT devices are usually handled with a 'deploy and forget' approach and are often only replaced after they fail or reach the end of their serviceability," added Jean-Philippe Taggart, a senior security researcher at Malwarebytes.

"That isn't a very effective approach," he told TechNewsWorld.

Age can be another problem for IoT devices. "These systems can be patched, but they are generally very old implementations that may be used for scenarios they weren't envisioned for," Kinghorn observed.

"They are vulnerable based on their sheer complexity and inability to easily identify risks," he continued. "It's more often the case that hackers can exploit them before they are patched."

"It has always been very hard to patch IoT vulnerabilities," added Dhamankar. "It's hard enough to get server and desktop vulnerabilities patched."

Defense Tactics

Even without patches, there are ways to protect a network from exploiters of the vulnerabilities found by the Forescout and JSOF researchers. Baxley explained that to exploit the Name:Wreck vulnerabilities, an attacker has to reply to a DNS request from the target device with a spoofed packet that has the malicious payload. To accomplish this, an attacker will need network access to the target device.

"Keeping devices, especially IoT devices, segmented from the Internet and core internal networks is one mechanism to mitigate the risk of exposure," he said.

Monitoring DNS can also help defend against Name:Wreck. "Monitoring DNS activity in the environment and flagging any external DNS server activity is a good step," Dhamankar observed.

"In general," he added, "DNS is a great source to monitor for compromises with security analytics."
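One way to implement the monitoring step described above, as an added example that is not part of the original article: it scans flow records and flags IoT devices whose DNS traffic goes to any server other than the sanctioned resolvers. The IoT subnet, resolver addresses, record layout and sample flows are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions for this example: the IoT VLAN and the sanctioned internal resolvers.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"),
                      ipaddress.ip_address("10.0.1.53")}

# Constructed flow records: time, src, dst, dst_port, proto
SAMPLE_FLOWS = """\
2021-04-13T09:00:01Z,10.20.0.15,10.0.0.53,53,udp
2021-04-13T09:00:02Z,10.20.0.15,10.0.0.53,443,tcp
2021-04-13T09:00:05Z,10.20.0.22,203.0.113.7,53,udp
2021-04-13T09:00:09Z,10.20.0.22,203.0.113.7,53,udp
2021-04-13T09:00:11Z,10.30.0.8,198.51.100.9,53,udp
2021-04-13T09:00:14Z,10.20.0.31,198.51.100.9,53,tcp
2021-04-13T09:00:20Z,10.20.0.31,10.0.1.53,53,udp
2021-04-13T09:00:25Z,bad-ip,10.0.0.53,53,udp
"""

def flag_unapproved_dns(flow_csv):
    """Return {iot_device_ip: {unapproved_dns_server_ip: flow_count}}."""
    findings = defaultdict(lambda: defaultdict(int))
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # wrong field count: not a flow record
        _, src, dst, port, proto = row
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        # DNS runs over both UDP and TCP port 53; anything else is out of scope.
        if port != 53 or proto not in ("udp", "tcp"):
            continue
        # Only IoT devices talking DNS to a server off the approved list are flagged.
        if src_ip in IOT_SEGMENT and dst_ip not in APPROVED_RESOLVERS:
            findings[str(src_ip)][str(dst_ip)] += 1
    return {dev: dict(servers) for dev, servers in findings.items()}

if __name__ == "__main__":
    for device, servers in flag_unapproved_dns(SAMPLE_FLOWS).items():
        for server, count in servers.items():
            print(f"ALERT {device} -> unapproved DNS server {server} ({count} flows)")
```

The same allowlist can back an egress rule on the IoT segment that drops port 53 traffic to any other destination, which narrows where a spoofed DNS reply could come from.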

Beefed-up access management can also thwart attackers. "If the system itself can't be patched, and this may be the case for aging industrial control systems or other OT network devices and IoT endpoints, it's important to ensure that the network only allows secure, trusted traffic to these devices," Kinghorn explained.

"This is where Zero Trust designs can help, ensuring that only authorized devices can access these vulnerable systems," he continued. "It can also help to continuously monitor and analyze traffic to those devices to ensure that potentially malicious or suspicious traffic is not reaching it."

"IoT as a whole is a hotspot for security," added Chris Morales, CISO of Netenrich, a security operations center services provider in San Jose, Calif.

"Weak passwords and hard coded user accounts, lack of patching and outdated components, these latest vulnerabilities are just more for the stack of insecurity that is IoT," he told TechNewsWorld.
