Millions of connected devices have security flaws, study shows

Millions of “internet of things” devices using software from groups including Siemens and Microsoft contain security flaws that could be used to compromise government servers or hospitals, new research has found.

Cybersecurity company Forescout and JSOF on Tuesday said they uncovered nine different bugs in several popular software tools that are used within millions of consumer, business and industrial devices to help them connect to the internet.

While it is unclear whether hackers have ever made use of the flaws, researchers described it as only a “matter of time” before they are exploited unless urgent action is taken to update systems — a warning backed by the US Cybersecurity and Infrastructure Security Agency (CISA). 

Forescout estimated that more than 100m connected gadgets, including printers, medical devices and industrial equipment, are exposed to the vulnerabilities, which are found in software developed by Siemens as well as certain open-source software, including some maintained by Microsoft.

Dubbed NAME: WRECK, the flaws allow hackers to hijack Domain Name System (DNS) infrastructure — the database that translates domain names into IP addresses that computers can recognise when devices are connecting to the internet.

“NAME: WRECK is a significant and widespread set of vulnerabilities with the potential for large-scale disruption,” said Sandro Etalle, security professor at Eindhoven University of Technology. 

“Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be just be a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security.”

Elisa Costante, Forescout’s vice-president of research, said: “We have seen it running in building automation machines, in bed monitoring for healthcare, in some defibrillators.”

The research lays bare the cyber security risks of the booming internet of things and points to errors made by multiple developers who wrote some of the code underpinning its infrastructure.

Kurt John, chief cyber security officer for Siemens USA, said the company had collaborated with Forescout to “quickly identify and mitigate the aforementioned vulnerability”.

In an alert, Siemens said it had “released updates for several affected products and recommends to update to the latest versions” or “specific countermeasures” for products where updates are not possible or available.

US cyber officials at CISA also issued two alerts on Tuesday urging users exposed to the Siemens vulnerabilities to take “defensive measures to minimise the risk of exploitation”. 

Microsoft did not respond to a request for comment. But Etalle noted that the company had fewer and less critical vulnerabilities than Siemens.

Etalle said the set of flaws “stand out” in particular because they impact IT as well as operational technology (OT) — the computerised systems used to control industrial operations. Fixing software issues in the latter is typically far harder than the former, as doing so can be extremely costly and disruptive to critical operations.

Both he and Costante called for vendors to provide more visibility into which software components go into their IoT devices by providing a list known as a “software bill of materials”. This is because some vendors may not even know if their products use the afflicted software owing to a lack of transparency in the IoT supply chain.

“If you don’t know what’s inside when there’s a vulnerability, you don’t know whether you are affected,” Santos said.