Name:Wreck Bugs Could Impact 100M IoT Devices

Security experts have discovered a new set of DNS vulnerabilities which could impact over 100 million IoT devices used by consumers and enterprises.

Forescout teamed up with Israeli consultancy JSOF to uncover nine vulnerabilities they have labelled Name:Wreck.

They affect popular IT software FreeBSD and IoT/OT firmware IPnet, Nucleus NET and NetX. Forescout claimed that, although not all devices running the software are vulnerable, even if just 1% were, that could impact as many as 100 million globally.

In the UK alone it is estimated that around 36,000 could be affected.

The bugs themselves enable either remote code execution or denial of service, with sectors including government, enterprise, healthcare, manufacturing and retail at risk.

Plausible but hypothetical scenarios include attackers exploiting the flaws to extort payments from victim organizations by sabotaging critical functions in manufacturing plants, hospitals, hotels and retail facilities.

Threat actors could also monetize attacks by using exploits to access enterprise and government networks, with an eye on data theft.

The report urged organizations running vulnerable devices to limit their network exposure via segmentation, and to rely more on internal DNS servers.

It also recommended patching, although this can be a challenge for IoT/OT devices running on mission critical systems that can’t be taken offline, or which rely on legacy applications.

Forescout Research Labs research manager, Daniel dos Santos, warned that the Name:Wreck bugs have the potential to cause significant and widespread disruption.

“Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be just a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or [compromise of] hotel guest safety and security,” he added.

Patches are now available for FreeBSD, Nucleus NET, and NetX.

What’s Hot on Infosecurity Magazine?