Agency issues cyber security alert; over 100m devices at risk

Singapore's cyber security watchdog has issued an alert following the discovery of vulnerabilities in over 100 million Internet-connected devices globally, ranging from medical equipment to wearable fitness products to critical industrial control systems in the energy and power sectors.

Sounding the alarm yesterday, the Singapore Computer Emergency Response Team (SingCert) at the Cyber Security Agency of Singapore said: "Administrators of the affected stacks are advised to apply the patch immediately."

Security patches have already been rolled out to address the flaws, which allow cybercrooks to gain control of devices and computer systems and take them offline.

Organisations in the healthcare and government sectors are the most affected, said several security researchers. Other sectors affected include entertainment, retail, manufacturing, financial services and technology.

The bugs affect the Domain Name System (DNS). The DNS is like a phonebook that matches domain names, such as those in website URLs, to Internet Protocol (IP) addresses, which are strings of numbers that identify devices on the Internet.

Cyber security firm Forescout Research Labs said that the vulnerabilities are collectively called Name:Wreck and affect four popular sets of rules, called stacks, that govern how devices can "talk" to one another over a network like the Internet.

Not all devices running the affected stacks are vulnerable, but Forescout conservatively estimated that if 1 per cent of the more than 10 billion deployments are, then at least 100 million devices are at risk.

Potentially affected equipment and devices include:

• Consumer electronic products such as wearable fitness products, smartphones, printers and smart clocks

• Ultrasound machines, defibrillators, patient monitors and critical medical equipment such as for magnetic resonance imaging

• Storage systems, industrial manufacturing robots, and energy and power equipment in industrial control systems

• Unmanned combat aircraft, commercial aircraft, self-driving cars, space exploration rovers and critical systems for avionics

• High-performance servers and network appliances in millions of IT networks.

European countries, Canada, the United States and Japan are believed to be the most affected as they have the largest installations of this equipment.

It is not clear how many devices in Singapore are affected.

Although security patches have been rolled out, Forescout said patching can be difficult in some cases.

For instance, if affected devices are not managed centrally, it means each one has to be manually patched. Some devices also cannot be taken offline for this because of their mission-critical nature, such as medical devices and industrial control systems.

If patching is not available, SingCert advised administrators to enforce segmentation controls and proper network hygiene measures such as restricting external communication paths and isolating vulnerable devices.

They should monitor patches released, monitor all network traffic for malicious data, and configure devices to rely on internal DNS servers.

A version of this article appeared in the print edition of The Straits Times on April 16, 2021, with the headline 'Agency issues cyber security alert; over 100m devices at risk'.