波士顿——一家网络安全公司的研究人员表示,他们已经发现了数百万联网设备广泛使用的软件中的漏洞——黑客可以利用这些漏洞渗透到商业和家庭计算机网络并破坏它们。
没有证据表明任何入侵利用了这些漏洞。但它们在互联网连接设备核心的数据通信软件中的存在,促使美国网络安全和基础设施安全局在一份公告中指出了这一问题。
网络安全公司Forescout Technologies在周二发布的一份报告中表示,估计有150家制造商的潜在受影响设备,从网络温度计到“智能”插头和打印机,到办公室路由器和医疗器械,再到工业控制系统的组件。报道称,受影响最大的是消费者设备,包括遥控温度传感器和摄像头。
英国布里斯托尔大学的计算机科学家阿瓦伊斯·拉希德(Awais Rashid)回顾了福雷斯考特的研究结果,他说,在最坏的情况下,驱动水、电力和自动化建筑管理等“社会关键服务”的控制系统可能会瘫痪。
在其建议中,CISA建议用户采取防御措施,以最大限度地降低黑客攻击的风险。特别是,它建议切断工业控制系统与互联网的连接,并与企业网络隔离。
这一发现凸显了网络安全专家经常在设计时没有过多关注安全性的联网设备中发现的危险。拉希德说,开发人员草率的编程是这种情况下的主要问题。
这些问题可能会困扰数百万受影响的设备,解决这些问题尤其复杂,因为它们存在于所谓的开源软件中,代码可以自由分发以供使用和进一步修改。在这种情况下,问题涉及基础互联网软件,该软件通过一种称为TCP/IP的技术管理互联网设备之间的通信。
Forescout研究副总裁Elisa Costante说,修复受影响设备中的漏洞尤其复杂,因为开源软件不属于任何人。这种代码通常由志愿者维护。一些易受攻击的TCP/IP代码已经有二十年的历史了;科斯塔特补充说,其中一些不再得到支持。
她说,修补缺陷是设备制造商自己的事情,考虑到所需的时间和费用,有些制造商可能不会费心。一些受损的代码嵌入到供应商的组件中——如果没有人记录下来,甚至没有人知道它在那里。
拉希德说:“最大的挑战在于发现你拥有什么。”。
研究人员说,如果不加以修复,这些漏洞可能会使企业网络面临严重的拒绝服务攻击、勒索软件交付或恶意软件,这些恶意软件劫持设备并将其纳入僵尸僵尸僵尸网络。在大流行期间,由于许多人在家工作,家庭网络可能会受到损害,并被用作通过远程访问连接进入公司网络的渠道。
Forescout向尽可能多的供应商通报了这些漏洞,并称之为“失忆:33”。科斯塔特说,但不可能识别所有受影响的设备。她说,该公司还向美国、德国和日本的计算机安全部门发出了警报。
该公司发现了其称之为有史以来最大的对TCP/IP软件安全性的研究中的漏洞,这是一项为期一年的工作,它称之为项目记忆。
BOSTON -- Researchers at a cybersecurity firm say they have identified vulnerabilities in software widely used by millions of connected devices — flaws that could be exploited by hackers to penetrate business and home computer networks and disrupt them.
There is no evidence of any intrusions that made use of these vulnerabilities. But their existence in data-communications software central to internet-connected devices prompted the U.S. Cybersecurity and Infrastructure Security Agency to flag the issue in a bulletin.
Potentially affected devices from an estimated 150 manufacturers range from networked thermometers to “smart” plugs and printers to office routers and healthcare appliances to components of industrial control systems, the cybersecurity firm Forescout Technologies said in a report released Tuesday. Most affected are consumer devices including remote-controlled temperature sensors and cameras, it said.
In the worst case, control systems that drive "critical services to society" such as water, power and automated building management could be crippled, said Awais Rashid, a computer scientist at Bristol University in Britain who reviewed the Forescout findings.
In its advisory, CISA recommended that users take defensive measures to minimize the risk of hacking. In particular, it suggested cutting off industrial control systems from the internet and isolated from corporate networks.
The discovery highlights the dangers that cybersecurity experts often find in internet-linked appliances designed without much attention to security. Sloppy programming by developers is the main issue in this case, Rashid said.
Fixing the problems, which could afflict millions of impacted devices, is particularly complicated because they reside in so-called open-source software, code freely distributed for use and further modification. In this case, the issue involves fundamental internet software that manages communication between internet devices via a technology called TCP/IP.
Fixing the vulnerabilities in impacted devices is particularly complicated because open-source software isn't owned by anyone, said Elisa Costante, Forescout’s vice president of research. Such code is often maintained by volunteers. Some of the vulnerable TCP/IP code is two decades old; some of it is no longer supported, Costante added.
It is up to the device manufacturers themselves to patch the flaws and some may not bother given the time and expense required, she said. Some of the compromised code is embedded in a component from a supplier — and if no one documented that, no one may even know it's there.
“The biggest challenge comes in finding out what you’ve got,” Rashid said.
If unfixed, the vulnerabilities could leave corporate networks open to crippling denial-of-service attacks, ransomware delivery or malware that hijacks devices and enlists them in zombie botnets, the researchers said. With so many people working from home during the pandemic, home networks could be compromised and used as channels into corporate networks through remote-access connections.
Forescout notified as many vendors as it could about the vulnerabilities, which it dubbed AMNESIA:33. But it was impossible to identify all affected devices, Costante said. The company also alerted U.S., German and Japanese computer security authorities, she said.
The company discovered the vulnerabilities in what it called the largest study ever on the security of TCP/IP software, a year-long effort it called Project Memoria.
