Over 100m Internet-connected devices at risk, S'pore's CSA urges firms to patch systems

Security patches have already been rolled out to address the vulnerabilities.

SINGAPORE - Singapore's cyber security watchdog has issued an alert following the discovery of vulnerabilities in more than 100 million Internet-connected devices globally, ranging from medical equipment and wearable fitness products to critical industrial control systems in the energy and power sectors.

Sounding the alarm on Thursday (April 15), the Cyber Security Agency of Singapore's Singapore Computer Emergency Response Team (SingCert) said: "Administrators of the affected stacks are advised to apply the patch immediately."

Security patches have already been rolled out to address the vulnerabilities, which allow cyber crooks to gain control of devices and computer systems and take them offline.

Organisations in the healthcare and government sectors are the most affected, said security researchers. Other sectors implicated include entertainment, retail, manufacturing, financial services and technology.

The bugs affect the Domain Name System (DNS). The DNS is like a phonebook that matches domain names, such as those in website URLs, to Internet Protocol (IP) addresses, which are strings of numbers that identify devices on the Internet.

Cyber-security firm Forescout Research Labs said that the vulnerabilities are collectively called Name:Wreck and affect four popular sets of rules, called stacks, that govern how devices can "talk" to each other over a network such as the Internet.

Forescout said not all devices running the affected stacks are vulnerable but it conservatively estimated that if 1 per cent of the more than 10 billion deployments are, then at least 100 million devices are at risk.

Potentially affected equipment and devices include:

- Consumer electronic products such as wearable fitness products, smartphones, printers and smart clocks

- Ultrasound machines, defibrillators, patient monitors and critical medical equipment such as for magnetic resonance imaging

- Storage systems, industrial manufacturing robots, and energy and power equipment in industrial control systems

- Unmanned combat aircraft, commercial aircraft, self-driving cars, space exploration rovers and critical systems for avionics

- High-performance servers and network appliances in millions of IT networks

European countries, Canada, the United States and Japan are believed to be the most affected as they have the largest installations of this equipment.

It is not clear how many devices in Singapore are affected.

Forescout told Computer Weekly that “Name:Wreck is a significant and widespread set of vulnerabilities with the potential for large-scale disruption”.

It added: “Unless urgent action is taken to adequately protect networks and the devices connected to them, it could be just a matter of time until these vulnerabilities are exploited, potentially resulting in major government data hacks, manufacturer disruption or hotel guest safety and security”.

The security firm said one way a cyber criminal could exploit Name:Wreck is to compromise ultrasound machines that connect to a website to get firmware updates.

The crook could use the Name:Wreck bug to redirect the ultrasound machines to his own site, where they would instead download malicious fake firmware that he made.

The infected ultrasound machines could then be instructed by the malware to upload all medical records to the crook.

"Complete protection against Name:Wreck requires patching devices running the vulnerable versions of the... stacks," Forescout told Computer Weekly.

Although security patches have been rolled out, Forescout said patching can be difficult in some cases.

For instance, if affected devices are not managed centrally, each one has to be patched manually. Some devices, such as medical devices and industrial control systems, also cannot be taken offline for patching because of their mission-critical nature.

If patching is not available, SingCert advised administrators to enforce segmentation controls and proper network hygiene measures such as restricting external communication paths and isolating vulnerable devices.

They should also keep track of patches as they are released, monitor all network traffic for malicious data, and configure devices to rely on internal DNS servers.

Organisations can find out if they are vulnerable by referring to resources Forescout provided at this site and also this other site.