SAN JOSE (dpa-AFX) – US security researchers have discovered a series of serious security gaps in networked industrial control systems, medical devices and other networked devices. The security company Forescout announced on Tuesday that organizations and companies around the world are affected by the vulnerabilities that are grouped under the name “Amnesia: 33”. “Amnesia: 33” primarily describes incorrect implementations of the technical Internet protocol TCP / IP in networked devices, especially in industrial environments.
According to Forescout, the errors are in the products of at least 150 suppliers worldwide. Networked cameras, environmental sensors for temperature and humidity, systems for intelligent lighting, smart plugs, barcode scanners, networked special printers, audio systems for retail and internet-connected devices in hospitals are therefore affected. Forescout did not publish any further specific information about the providers concerned or the specific devices in order not to play into the hands of potential attackers. However, the manufacturers were informed of the gaps four months ago.
Forescout discovered a total of 33 new vulnerabilities during its research work on TCP / IP, four of them were “critical”. Attackers could use these to steal data, overload systems or take control of the affected devices. The results of the investigation are reminiscent of the serious security hole “Ripple20”, which rocked the “Internet of Things” last June.
According to its own information, the Federal Office for Information Security (BSI) contacted 31 European companies, 14 of them in Germany. “We were able to help all of the companies that responded to our advice to close the problematic vulnerabilities. Nevertheless, there are a number of companies that have not responded.”
The technical implementation of the Internet protocol, the so-called TCP / IP stack, is considered the most vulnerable part of network devices. A vulnerability in a single networked device can undermine the security of the entire network. Around four years ago, for example, the well-secured finance department of a casino in Las Vegas was hacked by the fact that an aquarium with an Internet connection was also located in the local network of the house. The system used to monitor the feeding of the fish and the condition of the water over the Internet contained a security hole and drilled a hole in the casino’s digital defensive wall.
According to Forescout, building automation systems that control access to a building or serve as fire and smoke alarms are now also at risk. The security gaps were also discovered in networked electricity meters, batteries, heating and air conditioning systems, as well as in certain industrial control systems. Furthermore, network devices such as routers, switches or WLAN hotspots are obviously affected en masse. The Fritzbox from Berlin manufacturer AVM, which is popular in Germany, is reportedly not one of them. Devices that are used in industrial plants are most likely to be affected.
Forescout advised those responsible to install security updates (“patches”) for the networked devices. However, there are a number of manufacturers who do not offer updates and leave the gaping gaps open. In addition, there are scenarios in which the patches cannot be easily applied to business-critical systems during operation. “If so, organizations should conduct a thorough risk assessment of their networks to determine the level of containment required.”
The experts also gave the IT departments a number of technical recommendations to minimize the risk. It is helpful, for example, to block or deactivate network traffic with the new Internet protocol IPv6 when it is not needed in the network. Several vulnerabilities in Amnesia: 33 were related to IPv6 components.
The BSI also pointed out that industrial components in particular must not be directly accessible from the Internet. Networks within companies should be segmented accordingly in order to reduce the attack surface and make it more difficult to spread ./chd/DP/zb
– .