NAME:WRECK – Millions of IoT devices affected by a set of vulnerabilities

According to a recent report from Forescout and JSOF, millions of connected IoT devices suffer from these new security flaws

Researchers from Forescout and JSOF recently published a report disclosing a set of vulnerabilities that compromise an estimate of more than 100 million connected devices, including OT and IoT devices. Among these, medical devices, industrial equipment and other gadgets are affected.

These flaw are related to a set of Domain Name System (DNS) vulnerabilities encountered on four popular TCP/IP stacks and have a disruptive potential, allowing malicious agents to use Denial of Service (DoS) or Remote Code Execution in targeted devices, and to even gain full control over them.

The researchers call this set of vulnerabilities NAME:WRECK. The report includes a comprehensive exploration of the main findings, a detailed study of analysed stacks and new vulnerabilities, and examples of how attackers could take control of devices by leveraging these design flaws. The report also proposes solutions for some operators, reporting indications on how to reduce the attack surface of their devices.

The widespread use of these stacks makes it critical to take immediate action, in order to avoid extensive disruption of critical systems. Talking about the report, professor Sandro Etalle, member of INTERSCT and full professor in the Security Cluster at Eindhoven University of Technology, said in a recent article published by FT about the report:

“NAME: WRECK is a significant and widespread set of vulnerabilities with the potential for large-scale disruption. Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be just be a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security.

It is also important that companies affected by the flaws and using these implementations follow a rigorous and thorough evaluation of their system, to understand the issues and assess their exposure to these vulnerabilities. In the same article by FT, one of the main researchers by Forescout involved in the report, Daniel dos Santos, said “If you don’t know what’s inside when there’s a vulnerability, you don’t know whether you are affected”.

You can read the full report published by Forescout on their website:

Written by Cristoffer Leite

Cristoffer Leite is a Researcher PhD student in the Security Group (SEC) at Eindhoven University of Technology, and an IT Researcher Intern at Forescout Technologies.