A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout Research Labs and JSOF Research Labs have jointly published a report detailing a security vulnerability known as “NAME:WRECK.” This is exactly the type of issue that the new IoT Act was and is designed to address at the governmental level, because the vulnerability can detrimentally affect the security of millions of interconnected IoT devices. As our recent blog “New Internet of Things (IoT) Cybersecurity Law’s Far Reaching Impacts” discussed, this is the type of cybersecurity risk that all organizations should consider and factor in to their supply chain risk assessments and mitigation measures. If your organization directly uses IoT devices, or contracts with vendors who supply IoT devices or software/systems using IoT devices, whether in the healthcare, manufacturing, retail, financial services, hospitality or employment context, you should be evaluating your cybersecurity programs for protecting IoT devices.
The “NAME:WRECK” vulnerability was discovered as part of Forescout’s and JSOF’s efforts to understand underlying problems related to the Domain Name System (DNS). The DNS is responsible for routing internet traffic and as such is a critical element of infrastructure. Referred to as the “phonebook of the internet,” the DNS is a decentralized system and protocol that allows devices to access the internet using domain names (such as “google.com”). It has the potential to be exploited by malicious parties because of its open and distributed nature. Communications between devices on the Internet could not reach their intended destination without DNS.
The “NAME:WRECK” vulnerability effects software and firmware that implements the DNS, including software that uses DNS protocols that “parse” or “compress” domain names. As the researchers explain, “WRECK” gets its name because of “how the parsing of domain names can break—‘wreck’—DNS implementations[.]” An attacker leveraging this vulnerability can gain remote control of an IoT device to inject malicious code on a target and achieve Denial of Service or Remote Code Execution, thereby allowing the exfiltration of information and other attacks. As with other DNS-based vulnerabilities, the attacker may exploit “WRECK” using a man-in-the-middle attack, or other methods, as covered in our Lawline webinar “Protecting Your Domain Name System (DNS) Security To Avoid Data Loss & Insider Threat”, and our blog, “Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat.”
The implications of “NAME:WRECK” are significant. In their report, Forescout and JSOF identified popular software components affected by the vulnerability: FreeBSD, IPNet, NetX and Nucleus Net, which led the Cybersecurity & Infrastructure Security Agency (CISA) to issue an alert. Nucleus NET is used in over 3 billion devices including, defibrillators, ultrasound machines, avionics navigation, and MediaTek IoT chipsets and baseband processors used in smartphones and other wireless devices. The researchers found that not all devices running the above software are vulnerable; however, they conservatively estimate that over 100 million devices are at risk. The researchers noted that FreeBSD is widely used in high-performance servers in millions of IT networks. Indeed, the researchers warned, “exploitation of NAME:WRECK also will work to detect exploitation on other TCP/IP stacks and protocols that we could not yet analyze.”
The cybersecurity of IoT devices presents particular challenges because it is difficult to inventory all of the software/firmware running on the devices and to patch when vulnerabilities occur. Moreover, depending on the device, patches may need to be manually applied by the user, if the device is not centrally managed. Patching IoT devices becomes even more difficult where the IoT device, such as a medical device or industrial control system, cannot be easily taken offline due to its mission-critical nature. Among other things, the IoT Act addresses these patching difficulties and processes with respect to the acquisition and use by the federal government of IoT devices capable of connecting to the Internet.
Organizations that have devices that are susceptible to the “NAME:WRECK” vulnerability should conduct a risk assessment and take risk reduction measures, if vulnerabilities are identified, particularly if they are government contractors or subject to regulatory standards to protect sensitive information. Forescout and JSOF have identified mitigation recommendations in their report that including identifying vulnerable devices and updating the software. Recommended risk reduction measures include segmenting networks to reduce the risk of vulnerable IoT devices, implementing “a remediation plan for your vulnerable asset inventory balancing business risk and business continuity requirements” and monitoring external DNS traffic.
From the perspective of any purchaser or user of IoT devices, the recent “NAME:WRECK” report highlights supply chain risk and the unavoidable reality that vulnerabilities will continue to be exploited by wrong-doers. Organizations subject to regulatory standards to protect personal, health and other sensitive information (e.g., Gramm-Leach Bliley, HIPAA, NY SHIELD Act, California Civil Code §1781.5, Massachusetts data protection regulation, Illinois Personal Information Protection Act and Biometric Information Protection Act) are already required to use reasonable safeguards to protect IoT devices that may affect the security of protected information. The IoT Act mandates future systemic improvements for the acquisition and use of IoT devices in information systems owned or controlled by the federal government. The IoT Act and these regulatory requirements, and the “NAME:WRECK” vulnerability highlight how in our interconnected world legal standards and technology increasingly intersect. It is therefore critical that organizations plan for the cybersecurity of their IoT devices and systems in their information security and compliance programs and take reasonable steps to ensure that IoT vulnerabilities are addressed in a timely manner consistent with risk.
EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and develop information security programs, manage supply chain risk and identify recognized security practices that may bolster practical security and improve compliance defensibility. Any questions may be directed to the authors or another member of EBG’s Privacy, Cybersecurity, and Data Asset Management Group. Brian G. Cesaratto is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Alexander Franchilli is an Associate in the Employment, Labor & Workforce Management and Litigation practices, in the New York office of Epstein Becker Green.
 IoT devices “have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood, and can function on their own and are not only able to function when acting as a component of another device, such as a processor.” The wide range of IoT devices that connect to the Internet include security cameras and systems, geolocation trackers, smart appliances (e.g., tvs, refrigerators), fitness trackers and wearables, medical device sensors, driverless cars, industrial and home thermostats, biometric devices, manufacturing and industrial sensors, farming sensors and other smart devices.