Microsoft Security Response Center says the vulnerabilities discovered affect at least 25 IoT products from a dozen organizations, including Amazon, ARM, Google Cloud, Samsung, Red Hat, and Apache.
Microsoft researchers say operating systems for multiple commercial, medical, and operational technology Internet of Things devices are at risk due to memory allocation and remote code execution vulnerabilities.
According to the IoT security team at the Microsoft Security Response Center, researchers have not yet found exploits targeting the vulnerabilities in the wild, but the flaws still present a big risk:
“Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds,” Microsoft researchers wrote.
According to the Agency, 17 affected products already have patches available. The remaining products have updates planned or won’t be patched because they are no longer supported by the vendor. Here is a list of impacted products and released patches.
For products that don’t have patches available, Microsoft advises implementing network segmentation, using VPNs with multifactor authentication, and monitoring networks for signs of malicious activity.
Security issues are common in connected devices. Billions of IoT devices remain vulnerable due to the lack of universal security standards for manufacturers. As a result, many IoT products end up being shipped fast in pursuit of bigger profits.
“The issue is that smaller, faster, cheaper is not very compatible with secure,” said Keith Gremban, a program manager within the Department of Defense, in an interview with SC Media. “Picture a start-up trying to get a product out the door. They’ve got a [venture capital firm] looking over their shoulder, anxious for return on investment, they’ve got the competition breathing down their necks. Are they going to delay product release by six months to make the product secure? Will the VC let them do that?”
IoT devices are also notoriously difficult to track. An organization may have a few “lost” connected devices from employees or past projects on its network that slip through the cracks and remain unpatched, leaving a back door for potential hackers. Jeremy Brown, Trinity Cyber’s vice president of threat analysis, said there’s a lot of potential profit in the future for companies that can come up with a solution to detect and locate such devices to turn them off or patch them properly.