Computer security researchers have discovered several critical security vulnerabilities that would affect more than a hundred million connected objects around the world. Once exploited, hackers would be able to take control of or disable any of these devices.
Over the years, many security breaches have been detected on our Internet-connected objects. We remember, for example, the story of these two ultra popular sex toys riddled with vulnerabilities, or the alert launched by the BBC after the discovery of many flaws in cheap connected doorbells.
However, the discovery of the computer security researchers of Forescout and Jsof is rather cold in the back. Indeed, these specialists got their hands on a set of 9 vulnerabilities. Called NAME: WRECK, these flaws threaten no less than one hundreds of millions of connected objects around the world.
If they were to be exploited, hackers would be able to trigger denial of service attacks (DDOS) for either take control of the device targeted via an RCE (Remote Control Execution), or to deactivate it. While these flaws naturally threaten individuals, the researchers do not hide their concern if hackers decide to attack connected objects used in hospitals or production lines in various industries.
Extremely dangerous flaws
Well used, these flaws could wreak havoc in a company’s network or a hospital, since a hacked connected object could serve as a gateway for hackers to access the servers of the targeted institution, for example. According to the research carried out by the Forescout and Jsof teams, these vulnerabilities are located in the TCP / IP libraries of connected objects.
These are no more and no less basic lines of code that integrate network communication protocols to establish connections between devices and the Internet. The researchers scoured 15 different libraries used on different devices, and found these flaws in 7 of them. After this discovery, Forescout and Jsof of course warned the manufacturers concerned, most of whom have deployed a patch.
Read also: Security: millions of connected objects threatened by a flaw in UPnP, urgently update
Correcting them all won’t be easy
Unfortunately, the problem is not resolved, since applying these updates is not the easiest. As the researchers explain, correcting all the flaws will be a real obstacle course, and this for many reasons :
- manufacturers do not necessarily have an automatic firmware update function for all their devices, which means that it has to be done on a case-by-case basis
- The published patches only apply to the most recent TCP / IP libraries, but many devices still run on older versions.
- Even more serious, the manufacturers did not manufacture the component on which the malicious code is executed and do not know which library is used on their device.
You would have understood it, it will therefore take time to ensure that each of the affected devices is rid of these flaws.. “With all these discoveries, I know it can feel like we’re just putting the issues on the table, but we’re really trying to raise awareness, work with the community and find ways to solve them ”, ensures the vice-president of Forescout Elisa Costante.