
How Embedded TCP/IP Stacks Breed Critical Vulnerabilities

Conference: BlackHat EU 2020

2020-12-09

Summary

The presentation discusses the vulnerabilities in TCP/IP stacks in IoT devices and the challenges in identifying and patching them.
  • Vulnerable code spreads widely in open source projects, leading to code fragmentation and difficulty in patching.
  • Identifying and patching vulnerable devices is complicated due to the complex supply chains and the highly device-specific exploitability.
  • Specific recommendations are given to mitigate the issues, such as disabling or blocking IPv6 traffic, relying on internal DNS servers, monitoring the network for anomalous packets, and segmenting the network.
  • The presentation also highlights the vulnerabilities resulting from protocol complexity and external dependencies in multiple stacks, including popular closed-source stacks used in critical devices.
  • The current disclosure process is challenging and needs to be scaled to the IoT supply chain.
  • Further research is being conducted to identify and disclose vulnerabilities in other stacks and to provide more recommendations for mitigation.

The presentation gives as an example the vulnerabilities in the uIP (micro IP) stack, which is used by operating systems such as Contiki, by other projects such as OpenICE Cozy, and in some D-Link firmware. Different versions of the stack are vulnerable in different ways, and the fixes are being applied differently in each. Despite efforts to disclose these vulnerabilities through coordinating agencies, no official patches were produced for some of the original projects, so vendors implemented their own patches, causing further code fragmentation.

Abstract

In the past few years, there's been a rise in critical vulnerabilities affecting embedded TCP/IP stacks which had remained undiscovered for over a decade. The direct, unauthenticated and sometimes cross-perimeter network exposure of these stacks, the often privileged portions of the system they run in and their position at the top of opaque supply chains complicating vulnerability management efforts make for a highly dangerous mix resulting in periodic waves of critical vulnerabilities affecting billions of devices across industry verticals. But contrary to what many assume, the fragility of these fundamental components isn't limited to specific vendors or older, closed-source stacks alone.

In this talk, we will present over a dozen new vulnerabilities in multiple widely used embedded TCP/IP stacks deployed in everything from networking equipment and medical devices to industrial control systems. We will discuss the nuances in their exploitability & potential impact and demonstrate a proof-of-concept against a yet-to-be-disclosed high profile target. In addition, we will present the first quantitative & qualitative study into vulnerabilities affecting embedded TCP/IP stacks showing a clear pattern to the affected components & features as well as the root causes of the vulnerabilities that affect them. Finally, we will provide concrete advice on how to mitigate and manage vulnerabilities affecting billions of devices in the absence of centralized patching and notification efforts.
