What You Need to Know about Amnesia:33

May 28, 2021

A new cybersecurity threat affecting the IoT space has surfaced. On December 8, 2020, Carnegie Mellon University’s Software Engineering Institute described Amnesia:33 as a vulnerability caused by memory management bugs in multiple open-source embedded TCP/IP stacks. Amnesia:33 is a set of 33 vulnerabilities affecting open-source TCP/IP stacks, including uIP, FNET, picoTCP and Nut/Net. These open-source stacks are deployed in millions of connected devices. The threat allows hackers to infiltrate devices, execute malicious code, perform denial-of-service attacks and steal data.

Memory management bugs cause most of the vulnerabilities. Such bugs are generally seen in Real-Time Operating Systems (RTOS) and lightweight software implementations for IoT devices. Technical details of these vulnerabilities and a video of how hackers can exploit them are available from Forescout.

Telit’s investigations are ongoing, but at the time of publishing, there is no exposure to the threat in any Telit product.

We’ll be monitoring the situation as it develops. Please see below for updates.

For any other details, please contact the Telit Security Team here by selecting “Security Questions.”

May 2021 Update

Telit completed the investigation, and there is no exposure to the threat in any Telit product.