This article is reproduced from the WeChat public account "Shushi Consulting" (dwconcn). Although the Internet of Things has brought new ways of collecting, managing and applying data, it has also brought a large number of network security attacks. One of the major hidden dangers lies in the TCP/IP stack, which spans the application, transport, network and physical layers. In fact, from almost any perspective, TCP/IP was not designed for the Internet of Things. Engineers and developers are trying to modify or extend TCP/IP stacks for IoT use, but the complexity of the environment, combined with the fact that security was not considered when TCP/IP was designed, has made this process a source of many security challenges, some of which are already practical problems. Benson Chan, senior partner at Strategy of Things, a California-based IoT consulting and implementation company, believes that TCP/IP is a major hidden danger because it is a basic software component of almost all IoT devices, so the number of devices involved is extremely large.
Why is TCP/IP a threat to the Internet of Things? At the most basic level, a TCP/IP stack is what allows an IoT device to communicate with the Internet and with other devices. These stacks are open source and freely available to most embedded device and IoT component manufacturers. Chan added: "IoT device manufacturers buy chips and components that already have TCP/IP stack code built in, and use those components to build IoT products." Unfortunately, many IoT device manufacturers do not know whether their devices are vulnerable because they have no visibility into which stack the chips and components use. In addition, it is not feasible to analyze each device to find programming errors or other problems in its TCP/IP stack. As a result, every such device is exposed to attacks that can lead to information leakage, equipment failure, data loss or damage, and ultimately damage to the brand; network security costs rise as well. "Managing vulnerabilities in TCP/IP stacks is becoming a real challenge for the security community," said Daniel dos Santos, research manager at Forescout. What are the threats? Just last year, series of vulnerabilities such as URGENT/11 and Ripple20 had a huge impact. This year, a further 33 vulnerabilities, collectively named AMNESIA:33, affected four commonly used open source TCP/IP stacks: uIP, FNET, picoTCP and Nut/Net. These four stacks are basic components of millions of IoT, industrial and network devices, including medical devices, industrial control systems, routers, switches and smart home products. Attackers can use these vulnerabilities for remote code execution and denial of service (DoS), and even to take over devices completely. According to a report by Forescout last month, devices from more than 150 manufacturers are at risk. The vulnerable stacks may be present in commercial or open source components.
The affected components and devices span several categories. Embedded components include systems-on-chip, connectivity modules, OEM motherboards and so on; IoT devices include smart plugs, smartphones, sensors, game controllers and so on; OT systems include access control, IP cameras, protocol gateways, HVAC and so on; and network and IT equipment includes printers, routers, servers and so on. dos Santos pointed out that AMNESIA:33 is so impactful not only because of the large number of devices affected, but also for several other reasons. One is the widespread and heavy reliance on open source components in hardware. The code in these stacks touches almost every packet that reaches the device, so the vulnerabilities can be triggered even on devices that are otherwise idle. Since source code is reused in 88% of embedded projects, the impact of vulnerabilities such as AMNESIA:33 is multiplied. According to the Forescout report, attackers can take control of the target device through remote code execution, then use DoS attacks to degrade its performance and ultimately disrupt the business. Attackers can also obtain sensitive information through information leakage vulnerabilities, and use DNS poisoning to direct the target device to malicious websites. According to the report: "Due to the widespread nature of the vulnerabilities, many organizations around the world may have been affected by AMNESIA:33." How can organizations address vulnerabilities in TCP/IP stacks? Experts point out that this breaks down into three basic steps: identifying all devices on the network and determining which ones are vulnerable; assessing the risk posed by those devices, including business relevance, severity and Internet exposure; and finally mitigating the assessed risk.
"This last step can be achieved in a variety of ways: patching, segmenting the network and isolating critical devices, enforcing security compliance, and monitoring the network for malicious traffic," dos Santos added. Specifically for AMNESIA:33, he recommended disabling and blocking IPv6 traffic and relying on internal DNS servers whenever possible, since several protocols in these stacks are affected by multiple vulnerabilities. Organizations can also rely on cybersecurity solutions to automate and optimize these best practices, including a more proactive approach such as isolating critical devices, whether or not they have known vulnerabilities, to reduce risk exposure and limit the impact of attacks. On the other hand, the security team should be able to answer the following key questions: Is the code legitimate? Who are its contributors, and is anyone still maintaining it? Open source code bases do simplify development, but developers still need to understand what is in the code base; all too often, developers pull in a code base without understanding its contents. Moreover, AMNESIA:33 and other TCP/IP-related IoT vulnerabilities do not seem likely to go away anytime soon. "Most of the vulnerabilities in AMNESIA:33 are caused by poor software development processes and management practices," Chan said. "Updating software can solve some of the problems, but the key is to know which devices contain the affected stacks. IoT device manufacturers buy chips and components from suppliers, but they themselves don't know what software is in them."
Commentary
The development of the Internet of Things is an inevitable trend, but whether the traditional Internet network architecture and software can support IoT devices has become an open question, and the answer may not be ideal.
It is obviously difficult for users of IoT devices to directly affect the security of the devices themselves, but the impact of IoT device risks can be reduced by strengthening the management and control of those devices; the security of the underlying devices themselves requires IoT manufacturers, chip suppliers and others to raise their security awareness and attention, so as to deliver safer IoT devices.