An estimated 150 vendors and millions of devices, including Internet of Things (IoT) and operational technology (OT) devices, could be at risk from security vulnerabilities revealed by cybersecurity vendor Forescout.

The company announced it has identified a set of vulnerabilities called AMNESIA:33, found in widely used open-source TCP/IP stacks.

The stacks are used in a wide range of operating systems for embedded devices, systems-on-a-chip, networking equipment, OT devices and enterprise and consumer IoT devices, Forescout reports.

According to Forescout, this includes such IoT devices as cameras, environmental sensors, smart lights, smart plugs, barcode readers, specialised printers, retail audio systems and healthcare devices.

Building automation systems are also affected, Forescout reports. It pointed to physical access control systems, fire and smoke alarms, energy meters, batteries, and heating, ventilation and air conditioning (HVAC) systems as systems that could use the vulnerable TCP/IP stacks.

Other systems that could use the vulnerable TCP/IP stacks include physical access controls, fire and smoke alarms, printers, network switches and wireless access points.

Four of the vulnerabilities could allow remote code execution on some devices, according to Forescout.

The fact that the open-source code is used across multiple codebases, development teams, companies and products creates patch management challenges, Forescout pointed out.

The company argues more work is needed to prevent such vulnerabilities being widely accepted and distributed.

“AMNESIA:33 also raises broader questions around due diligence, ethics and a sense of responsibility when it comes to the manufacture and supply of these devices,” stated Steve Hunter, senior director, systems engineering – Asia Pacific & Japan, Forescout.

“It’s time for the industry as a whole to step in to address these issues and collaborate on a framework or set of standards that will assist with the design and manufacturing of devices to prevent these inherent vulnerabilities being widely accepted and distributed around the globe,” Hunter added.