The discovery highlights the dangers that cybersecurity experts often find in internet-linked appliances designed without much attention to security. Sloppy programming by developers is the main issue in this case, Rashid said.
Addressing the problems, estimated to afflict millions of devices, is particularly complicated because they reside in so-called open source software, code freely distributed for use and further modification. In this case, the issue involves fundamental internet software that manages communications via a technology called TCP/IP.
Fixing the vulnerabilities in impacted devices is particularly complicated because open-source software isn’t owned by anyone, said Elisa Costante, Forescout’s vice president of research. Such code is often maintained by volunteers. Some of the vulnerable TCP/IP code is two decade sold; some of it is no longer supported, Costante added.
It is up to the device manufacturers themselves to patch the flaws and some may not bother given the time and expense required, she said. Some of the compromised code is embedded in a component from a supplier — and if no one documented that, no one may even know it’s there.
“The biggest challenge comes in finding out what you’ve got,” Rashid said.
If unfixed, the vulnerabilities could leave corporate networks open to crippling denial-of-service attacks, ransomware delivery or malware that hijacks devices and enlists them in zombie bot nets, the researchers said. With so many people working from home during the pandemic, home networks could be compromised and used as channels into corporate networks through remote-access connections.