“You have the watches,” goes a famous quote with different variations throughout history but most recently attributed to a captured Taliban commander, “but we have the time.”
That quote is a perfect summation of the asynchronous nature of guerrilla warfare, but lately it has also seemed to me just as relevant to the modern digital threat landscape and the barrage of attacks on pretty much everything connected to the internet, from hardware and software to smartphones and beyond. The defenders on the other side of the table from often state-sponsored, well-resourced hackers are playing an incomprehensibly lopsided game of whack-a-mole: an apt metaphor for the nature of the threat, yet one that still comes nowhere close to capturing the stakes involved. Reminders arrive in the form of new research from the security firm Forescout showing that tens of millions of Internet of Things devices and other connected machines carry critical security flaws that leave them open to attack.
“Today, Forescout Research Labs, partnering with JSOF Research, disclose NAME:WRECK, a set of nine vulnerabilities affecting four popular TCP/IP stacks (FreeBSD, Nucleus NET, IPnet and NetX),” explains a Forescout report on the newly disclosed vulnerabilities. “These vulnerabilities relate to Domain Name System (DNS) implementations, causing either Denial of Service (DoS) or Remote Code Execution (RCE), allowing attackers to take target devices offline or to take control over them.”
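The Forescout quote places the flaws in DNS record parsing, and the mechanism at the heart of NAME:WRECK is the message-compression scheme of RFC 1035 section 4.1.4, in which a domain name may contain a two-byte pointer back into the packet instead of further labels. A decoder that trusts those length bytes and pointers is where a crafted DNS response turns into a crash or memory corruption. The following C routine is an added example for this page, not code from Forescout, JSOF or any of the affected stacks: it decodes a compressed name while checking every read against the message length, capping label and name sizes, refusing pointers that do not point strictly backwards, and bounding the number of pointer hops. The sample packet and the malformed inputs in the test are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME  255   /* RFC 1035 2.3.4: total wire length of a name */
#define DNS_MAX_LABEL 63    /* RFC 1035 2.3.4: length of a single label */

enum {
    DNS_OK = 0,
    DNS_ERR_TRUNCATED = -1,      /* a label or pointer runs past the end of the message */
    DNS_ERR_LABEL_TOO_LONG = -2, /* a label length byte exceeds 63 */
    DNS_ERR_NAME_TOO_LONG = -3,  /* expanded name exceeds 255 bytes or the output buffer */
    DNS_ERR_BAD_POINTER = -4,    /* reserved label type, or a pointer that is not strictly backwards */
    DNS_ERR_LOOP = -5            /* too many pointer hops (belt-and-braces loop guard) */
};

/* Decode a possibly compressed name starting at msg[*off]. On success the
 * dotted name is written to out (NUL-terminated), *off is advanced past the
 * name as it appears at the original position, and DNS_OK is returned. */
int dns_read_name(const uint8_t *msg, size_t len, size_t *off,
                  char *out, size_t outlen)
{
    size_t pos = *off, end = 0, hops = 0, name_len = 0, o = 0;
    int followed = 0;   /* set once we have jumped through a pointer */

    if (outlen == 0) return DNS_ERR_NAME_TOO_LONG;
    out[0] = '\0';
    for (;;) {
        if (pos >= len) return DNS_ERR_TRUNCATED;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                 /* compression pointer */
            if (pos + 1 >= len) return DNS_ERR_TRUNCATED;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos) return DNS_ERR_BAD_POINTER;   /* no self/forward jumps */
            if (++hops > DNS_MAX_NAME / 2) return DNS_ERR_LOOP;
            if (!followed) { end = pos + 2; followed = 1; }
            pos = target;
            continue;
        }
        if (c & 0xC0) return DNS_ERR_BAD_POINTER; /* 0x40 / 0x80 label types are reserved */
        if (c == 0) {                             /* root label ends the name */
            if (!followed) end = pos + 1;
            break;
        }
        if (c > DNS_MAX_LABEL) return DNS_ERR_LABEL_TOO_LONG;
        if (pos + 1 + c > len) return DNS_ERR_TRUNCATED;
        name_len += 1 + c;
        if (name_len + 1 > DNS_MAX_NAME) return DNS_ERR_NAME_TOO_LONG; /* +1 for root */
        size_t need = (o > 0 ? 1 : 0) + c + 1;    /* optional '.', label, NUL */
        if (o + need > outlen) return DNS_ERR_NAME_TOO_LONG;
        if (o > 0) out[o++] = '.';
        memcpy(out + o, msg + pos + 1, c);
        o += c;
        pos += 1 + c;
    }
    out[o] = '\0';
    *off = end;
    return DNS_OK;
}

/* Constructed sample response: header, question "www.example.com" at offset 12,
 * type/class, then two answer names: a pointer to offset 12 (offset 33) and
 * "mail" + pointer to "example.com" at offset 16 (offset 35). */
const uint8_t kSample[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C,
    4, 'm', 'a', 'i', 'l', 0xC0, 0x10
};
const size_t kSampleLen = sizeof kSample;

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    size_t starts[] = {12, 33, 35};
    for (size_t i = 0; i < 3; i++) {
        size_t off = starts[i];
        int rc = dns_read_name(kSample, kSampleLen, &off, name, sizeof name);
        printf("offset %zu -> rc=%d name=%s next=%zu\n", starts[i], rc, name, off);
    }
    return 0;
}
```

The strictly-backwards rule alone does not stop every loop (a pointer can land inside a label whose bytes are themselves a pointer), which is why the name-length and hop counters are kept as well; any one of the three checks fails closed with an error code instead of reading out of bounds.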
Details of these vulnerabilities will be presented in the first week of May at the information security conference Black Hat Asia 2021. According to Forescout’s researchers, health care and government organizations are among the sectors most exposed to the vulnerable stacks. Ominously, Forescout’s rough estimate is that at least 100 million devices could be affected by NAME:WRECK.
Complete protection against these vulnerable versions of the TCP/IP stacks requires patching the affected devices, which the report acknowledges is not always possible and is often difficult: the effort involved can change “drastically” depending on whether the device in question is a standard IT server or an Internet of Things device. Where a patch cannot be applied, the standard compensating controls are to segment the vulnerable devices from the rest of the network, point them at internal DNS resolvers the organization controls, and monitor for malformed DNS responses heading toward them.
Stepping back to look at the bigger picture, a recent piece by Ian Ferguson for Security Boulevard does a good job of explaining what needs to change in internet security as it relates to IoT devices. He cites a line Microsoft used for its Azure Sphere initiative a few years ago: lock all the doors, not just the front one.
“When we leave our homes, we lock the front door,” Ferguson writes. “In the world of IoT, we need to lock every door — inside the house as well as those that connect outside. From a network perspective, if there’s a breach, the entrant only gains access to a subset of the valuable assets.”
There have to be partitions, in other words, between the operating system and the hardware that enforces security, so that core system functions keep working even if the operating system is taken over; security and system access processes need to be “decoupled” from the operating system, he writes. Meanwhile, don’t expect this problem to go away anytime soon: our fetish for adding an internet connection to just about everything means the attack surface available to hackers keeps getting dramatically, and terrifyingly, bigger.