AMNESIA:33 – A commentary from the research labs

Forescout announced the discovery of a whole series of vulnerabilities found in TCP/IP stacks commonly used in IoT devices. Franz Härtl has tried to find out what’s behind all that noise and asked Wicus Ross and Peter Holvoet from the Orange Cyberdefense Research Labs.

Franz: Hello Wicus and Peter. We heard a lot about AMNESIA:33 this morning and are all very curious about what details will be disclosed at Black Hat EU 2020 tomorrow. Could you tell me, in a nutshell, what this is about?

Peter: Cheap vendors commonly use open-source TCP/IP stacks with apps on top without security in mind. These stacks have now been found to include various vulnerabilities. With this, everything can happen. That is a general problem, and of course there are a lot of IoT devices with bad coding and without security in mind.

Franz: I see. So the problem is that the communication protocols, which allow devices and their apps to communicate to the internet, are badly implemented?

Peter: It’s all about coding on top of a TCP/IP stack. If this is done in a bad way and on top of a light OS that cannot be patched, then your complete network is in danger if the device is connected to your network and also attached to the outside world…

Franz: So an unpatchable IoT device could serve as a bridge or possible backdoor into an otherwise secure network, right?

Wicus: Potentially. The bigger problem here might be home networks. Enterprises can mitigate or replace devices that are out of support – home users are generally oblivious.

Peter: It would not be the first time that hackers enter a corporate network via an IoT device. No matter what it is, a thermostat accessible from the Internet … remember the aquarium in the casino?

Wicus: Speaking to your point on the thermostat the Forescout blog post states: “The largest category is IoT devices, both enterprise and consumer, which includes devices such as cameras, environmental sensors (e.g., temperature, humidity), smart lights, smart plugs, barcode readers, specialized printers, and audio systems for retail. IoT is followed by OT equipment for Building Automation Systems, which includes devices such as physical access controls, fire and smoke alarms, energy meters, and HVAC systems. Then we have OT equipment for Industrial Control Systems, which includes devices such as RTUs, protocol gateways and serial-to-Ethernet gateways. Lastly is IT, which includes devices such as printers, switches and wireless access points.”

Peter: Correct, due to the vast majority of IoT devices from all manufacturers, the chance of vulnerabilities is much higher. Most of the companies don’t understand the difference between OT and IoT, unfortunately. I have to explain that over and over again. They all mention it in one breath … it is not because IoT devices are connected in the OT network that it is the same; it is a completely different platform and IP-based!

Franz: Why are these systems so hard or even impossible to patch?

Wicus: The manufacturers have probably put an end of life on some of the devices. In one case a system-on-a-chip provider has gone out of business and the TCP/IP stacks were linked to it – Source: Wired (

Peter: These are very small devices with a light OS and no agent and sold for peanuts.

Wicus: Yeah, most of the time it’s manual patching if patching is possible at all.

Peter: Patching for those devices mostly means putting a new stack on top of it, from OSI layer 0 to 7. Patching means that you have to put another application on top of it or close the security gaps in the application. Often there is no space to do so, so the complete stack needs to be replaced.

Franz: So no way to just “fix the issue”. The whole implementation has to be done from scratch basically?

Peter: IoT and OSI layers and security, yes. Because the device is so small and there is no space to fix the “app”. So there will indeed be a lot of IoT devices vulnerable that will never be patched. Why do you think that there are so many IP cams that you can watch for free in your browser? Some are even placed in shops and doctors’ waiting rooms. That’s not only because the default username and password have never been changed. Good-practice security features like multi-factor authentication are not even possible on those devices.

