DNS vulnerabilities put millions of IoT devices at risk of hacking
14 April 2021
Security researchers have warned of a slew of DNS flaws that could affect millions of Internet of Things (IoT) devices.
According to researchers at Forescout, the nine vulnerabilities have been dubbed “NAME:WRECK,” and they affect four popular TCP/IP stacks: FreeBSD, Nucleus NET, IPnet, and NetX. The vulnerabilities are in the stacks’ Domain Name System (DNS) implementations and can cause Denial of Service (DoS) or Remote Code Execution (RCE), allowing attackers to take target devices offline or take control of them.
The researchers said the widespread use of these stacks and the often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface.
Forescout researchers teamed up with JSOF to find the flaws and added that they can impact over 100 million consumer, enterprise, and industrial IoT devices worldwide. FreeBSD is used in millions of IT networks, including those of Netflix and Yahoo. Meanwhile, IoT/OT firmware such as Siemens’ Nucleus NET has been used for decades in critical OT and IoT devices.
Among the plausible exploitation scenarios the researchers laid out was exposing government or enterprise servers by accessing sensitive data, such as financial records, intellectual property, or employee/customer information. Attackers could also compromise hospitals by connecting to medical devices to obtain health care data, taking them offline and preventing health care delivery.
Hackers could also use the flaws to access critical residential and commercial building functions, including major hotels, to endanger residents’ safety. This could include tampering with heating, ventilation and air conditioning systems, disabling critical security systems, or shutting down automated lighting systems.
Researchers said that unless urgent action is taken to adequately protect networks and the devices connected to them, “it could be just a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security.”
“NAME:WRECK is a significant and widespread set of vulnerabilities with the potential for large-scale disruption,” said Daniel dos Santos, research manager, Forescout Research Labs. “Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks and so we encourage all organisations to make sure they have the most up-to-date patches for any devices running across these affected IP Stacks.”
Dennis Publishing News Service