Sign In

Communications of the ACM

ACM TechNews

Critical Flaws in Millions of IoT Devices May Never Get Fixed

View as: Print Mobile App Share:
The flaws in the so-called TCP/IP stacks affect devices that offer no clear path to patching.

Forescout researchers found vulnerabilities in seven open source TCP/IP stacks.

Credit: Sam Whitney/Getty Images

Internet of Things (IoT) security firm Forescout uncovered 33 flaws, collectively labeled Amnesia:33, in seven open source TCP/IP stacks that potentially leave millions of IoT devices vulnerable.

Many of the bugs were basic programming errors, like missing input validation checks that keep a system from accepting problematic values or operations.

Patching these flaws is difficult if not impossible, as five stacks have been around for nearly two decades, while two have circulated since 2013; this means numerous versions and variants exist, with no central authority to issue fixes.

Moreover, manufacturers who have incorporated the code into their products would have to proactively adopt the correct patch for their version and deployment, then circulate it to users.

Said Forescout’s Elisa Costante, "What scares me the most is that it’s very difficult to understand how big the impact is and how many more vulnerable devices are out there."

From Wired
View Full Article


Abstracts Copyright © 2020 SmithBucklin, Washington, DC, USA


No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account