There is no evidence of any intrusions that made use of these vulnerabilities. But their existence in data-communications software central to internet-connected devices prompted the
Potentially affected devices from an estimated 150 manufacturers range from networked thermometers to “smart” plugs and printers to office routers and healthcare appliances to components of industrial control systems, the cybersecurity firm
In the worst case, control systems that drive "critical services to society" such as water, power and automated building management could be crippled, said
In its advisory, CISA recommended that users take defensive measures to minimize the risk of hacking. In particular, it suggested cutting off industrial control systems from the internet and isolated from corporate networks.
The discovery highlights the dangers that cybersecurity experts often find in internet-linked appliances designed without much attention to security. Sloppy programming by developers is the main issue in this case, Rashid said.
Fixing the problems, which could afflict millions of impacted devices, is particularly complicated because they reside in so-called open-source software, code freely distributed for use and further modification. In this case, the issue involves fundamental internet software that manages communication between internet devices via a technology called TCP/IP.
Fixing the vulnerabilities in impacted devices is particularly complicated because open-source software isn't owned by anyone, said
It is up to the device manufacturers themselves to patch the flaws and some may not bother given the time and expense required, she said. Some of the compromised code is embedded in a component from a supplier — and if no one documented that, no one may even know it's there.
“The biggest challenge comes in finding out what you’ve got,” Rashid said.
If unfixed, the vulnerabilities could leave corporate networks open to crippling denial-of-service attacks, ransomware delivery or malware that hijacks devices and enlists them in zombie botnets, the researchers said. With so many people working from home during the pandemic, home networks could be compromised and used as channels into corporate networks through remote-access connections.
The company discovered the vulnerabilities in what it called the largest study ever on the security of TCP/IP software, a year-long effort it called Project Memoria.
Copyright 2020 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission., source