A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout Research Labs and JSOF Research Labs have jointly published a report detailing a security vulnerability known as “NAME:WRECK.” This is exactly the type of issue that the new IoT Act was and is designed to address at the governmental level, because the vulnerability can detrimentally affect the security of millions of interconnected IoT devices. As our recent blog “New Internet of Things (IoT) Cybersecurity Law’s Far Reaching Impacts” discussed, this is the type of cybersecurity risk that all organizations should consider and factor into their supply chain risk assessments and mitigation measures. If your organization directly uses IoT devices, or contracts with vendors who supply IoT devices or software/systems using IoT devices, whether in the healthcare, manufacturing, retail, financial services, hospitality or employment context, you should be evaluating your cybersecurity programs for protecting IoT devices.

The “NAME:WRECK” vulnerability was discovered as part of Forescout’s and JSOF’s efforts to understand underlying problems related to the Domain Name System (DNS). The DNS is responsible for routing internet traffic and as such is a critical element of infrastructure. Referred to as the “phonebook of the internet,” the DNS is a decentralized system and protocol that allows devices to access the internet using domain names (such as “google.com”). It has the potential to be exploited by malicious parties because of its open and distributed nature. Communications between devices on the Internet could not reach their intended destination without DNS.

The “NAME:WRECK” vulnerability affects software and firmware that implements the DNS, including software that uses DNS protocols that “parse” or “compress” domain names. As the researchers explain, “WRECK” gets its name because of “how the parsing of domain names can break—‘wreck’—DNS implementations[.]” An attacker leveraging this vulnerability can gain remote control of an IoT device to inject malicious code on a target and achieve Denial of Service or Remote Code Execution, thereby allowing the exfiltration of information and other attacks. As with other DNS-based vulnerabilities, the attacker may exploit “WRECK” using a man-in-the-middle attack, or other methods, as covered in our Lawline webinar “Protecting Your Domain Name System (DNS) Security To Avoid Data Loss & Insider Threat”, and our blog, “Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat.”

The implications of “NAME:WRECK” are significant. In their report, Forescout and JSOF identified popular software components affected by the vulnerability: FreeBSD, IPNet, NetX and Nucleus NET, which led the Cybersecurity & Infrastructure Security Agency (CISA) to issue an alert. Nucleus NET is used in over 3 billion devices, including defibrillators, ultrasound machines, avionics navigation, and MediaTek IoT chipsets and baseband processors used in smartphones and other wireless devices. The researchers found that not all devices running the above software are vulnerable; however, they conservatively estimate that over 100 million devices are at risk. The researchers noted that FreeBSD is widely used in high-performance servers in millions of IT networks. Indeed, the researchers warned, “exploitation of NAME:WRECK also will work to detect exploitation on other TCP/IP stacks and protocols that we could not yet analyze.”

The cybersecurity of IoT devices presents particular challenges because it is difficult to inventory all of the software/firmware running on the devices and to patch when vulnerabilities occur. Moreover, depending on the device, patches may need to be manually applied by the user, if the device is not centrally managed. Patching IoT devices becomes even more difficult where the IoT device, such as a medical device or industrial control system, cannot be easily taken offline due to its mission-critical nature. Among other things, the IoT Act addresses these patching difficulties and processes with respect to the acquisition and use by the federal government of IoT devices capable of connecting to the Internet.

Organizations that have devices that are susceptible to the “NAME:WRECK” vulnerability should conduct a risk assessment and take risk reduction measures, if vulnerabilities are identified, particularly if they are government contractors or subject to regulatory standards to protect sensitive information. Forescout and JSOF have identified mitigation recommendations in their report that include identifying vulnerable devices and updating the software. Recommended risk reduction measures include segmenting networks to reduce the risk of vulnerable IoT devices, implementing “a remediation plan for your vulnerable asset inventory balancing business risk and business continuity requirements” and monitoring external DNS traffic.
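As an added illustration (not taken from the Forescout/JSOF report or from the software named above), the Python below shows the strictness that parsing compressed domain names requires and that a check on monitored DNS traffic can apply. The function names and sample messages are constructed for the example, and treating malformed name compression as the thing to look for in DNS traffic is an assumption.

```python
# Added example (not from the Forescout/JSOF report): strict decoder for
# compressed DNS names per RFC 1035 section 4.1.4, usable as a traffic check.
HEADER_LEN = 12   # fixed DNS header; no name can start inside it
MAX_NAME = 255    # RFC 1035 limit on an encoded name, in bytes

def read_name(msg, offset):
    """Return (name, offset just past the name as stored at `offset`).
    Raises ValueError on encodings a careless parser could mishandle."""
    labels, total, end, seen = [], 0, None, set()
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= offset or target < HEADER_LEN:
                raise ValueError("pointer does not reference earlier data")
            if offset in seen:
                raise ValueError("compression loop")
            seen.add(offset)
            end = offset + 2 if end is None else end   # first pointer ends the name
            offset = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:                                # root label terminates
            return ".".join(labels) or ".", (offset if end is None else end)
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        total += length + 1
        if total + 1 > MAX_NAME:
            raise ValueError("name exceeds 255 bytes")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length

def verdict(msg, offset):
    """One-line result suitable for a monitoring log."""
    try:
        return "ok " + read_name(msg, offset)[0]
    except ValueError as err:
        return "malformed: " + str(err)

# Constructed sample messages: zeroed header followed by name data only.
HDR = bytes(HEADER_LEN)
GOOD = HDR + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"
FORWARD = HDR + b"\xc0\x20"          # pointer to offset 32, beyond the data
LOOP = HDR + b"\x01a\xc0\x0c"        # pointer leads back through itself
OVERRUN = HDR + b"\x3fabc"           # label claims 63 bytes, 3 present
```

Each rejected case is an input where a parser that trusts the length byte or the pointer offset would read outside the message or never terminate.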

From the perspective of any purchaser or user of IoT devices, the recent “NAME:WRECK” report highlights supply chain risk and the unavoidable reality that vulnerabilities will continue to be exploited by wrong-doers. Organizations subject to regulatory standards to protect personal, health and other sensitive information (e.g., Gramm-Leach Bliley, HIPAA, NY SHIELD Act, California Civil Code §1781.5, Massachusetts data protection regulation, Illinois Personal Information Protection Act and Biometric Information Protection Act) are already required to use reasonable safeguards to protect IoT devices that may affect the security of protected information. The IoT Act mandates future systemic improvements for the acquisition and use of IoT devices in information systems owned or controlled by the federal government. The IoT Act, these regulatory requirements and the “NAME:WRECK” vulnerability highlight how, in our interconnected world, legal standards and technology increasingly intersect. It is therefore critical that organizations plan for the cybersecurity of their IoT devices and systems in their information security and compliance programs and take reasonable steps to ensure that IoT vulnerabilities are addressed in a timely manner consistent with risk.

EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and develop information security programs, manage supply chain risk and identify recognized security practices that may bolster practical security and improve compliance defensibility. Any questions may be directed to the authors or another member of EBG’s Privacy, Cybersecurity, and Data Asset Management Group.

Brian G. Cesaratto is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Alexander Franchilli is an Associate in the Employment, Labor & Workforce Management and Litigation practices, in the New York office of Epstein Becker Green.

[1] IoT devices “have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood, and can function on their own and are not only able to function when acting as a component of another device, such as a processor.” The wide range of IoT devices that connect to the Internet include security cameras and systems, geolocation trackers, smart appliances (e.g., TVs, refrigerators), fitness trackers and wearables, medical device sensors, driverless cars, industrial and home thermostats, biometric devices, manufacturing and industrial sensors, farming sensors and other smart devices.
