Hundreds of Millions of Devices Exposed by New Flaws
Threatpost reports 19 newly discovered vulnerabilities affect the supply chain of hundreds of millions of devices. Some of these vulnerabilities are Remove Code Execution (RCE) flaws, which allow an attacker to run commands on the devices from the network or Internet. Successful compromise of these devices can lead to attacks and data exfiltration from the rest of the network.
This discovery highlights fundamental problems with technology development and manufacturing generally, problems many in the security industry have been trying to raise awareness of for many years. Without a Security First approach to every phase of design, manufacturing, and indeed, business decision making, issues like this are going to continue to plague the entire technology sector (and thus, global economies), only worsening as time goes on.
Whether or not you have specifically affected devices on your network, as a business decision maker there are fundamental architectural planning decisions you can make that can minimise or even eliminate the impact of such threats on your organisation. For example, RCE flaws can’t be exploited if the devices are isolated (ie can’t be communicated with in the first place). Here’s a summary of a few key considerations for your systems.
- Network Segmentation – devices should be classified into groups (eg corporate LAN, network management, security cameras, printers, IoT, mobile devices, guest devices, etc) and each classification should have its own network segment (vLAN). Devices are separated by vLAN and thus are excluded from communications on all other network segments, making network traversal extremely difficult to impossible. This also reduces their risk of attack and takeover from compromised user devices.
- Local Network Isolation – this isn’t possible for IoT devices that are cloud managed, however for devices like printers they can be configured so they can’t connect to the Internet gateway. This requires manual intervention to allow the devices to reconnect to the Internet to perform necessary updates, but it does dramatically reduce their attack surface, as they are invulnerable to attacks exploiting their standard Internet communication behaviour. Devices can also be blocked from external communication using edge Firewalls.
- DHCP Snooping – Your network switches should support technologies such as DHCP Snooping, which includes a whitelist of authorised DHCP servers and prohibits any other device from serving DHCP traffic on the network. DHCP takeover involves a device reconfiguring other networked devices with settings that cause them to communicate with hostile servers, but even non-malicious DHCP poisoning can cause your entire network to collapse (when an unauthorised DHCP server is connected to the network, such as an employee connecting their own device to the network without seeking authorisation). DHCP Snooping can eliminate these vulnerabilities entirely, so their inclusion in your network should be considered mandatory.
Obviously Patch Management plans should be in place to monitor firmware releases for all network connected devices and proactively update them. However, many devices aren’t patched by the manufacturer beyond their EoL date, effectively orphaning them. It is common for organisations to have unsupported, unpatchable devices connected to their networks – in some cases they should be replaced with more robust, secure, and better supported alternatives, but in others the device may be useful or even critical and there may not be a cost effective replacement. If the business network is proactively protected from potential vulnerabilities, the risk of having any device connected to it is dramatically reduced, and this is achieved by treating everything as though it’s untrustworthy. Explicitly limit network communications of devices to that which they require to operate, and nothing more. Ask whether specific devices require access to the Internet for their fundamental operation, and if not, prohibit it. And build your network from the ground up with devices that can monitor, investigate, and protect it from malicious traffic before it can poison your network and bring your organisation crashing to its knees.
We know technology is absolutely riddled with security vulnerabilities – there’s no such thing as invulnerable technology. As decision makers, we need to design for this, treating every single device as a possible vulnerability and reducing its potential for harm. At some point that may be the difference between success and collapse. I can guarantee it will be a competitive advantage.