A new cybersecurity threat has surfaced that affects the IoT space. On December 8, 2020, Carnegie Mellon University’s Software Engineering Institute described Amnesia:33 as a vulnerability caused by memory management bugs in multiple open-source embedded TCP/IP stacks. Amnesia:33 is a set of 33 vulnerabilities affecting open-source TCP/IP stacks including uIP, FNET, picoTCP and Nut/Net. These open-source stacks are deployed in millions of connected devices. The threat allows hackers to infiltrate devices, execute malicious code, perform denial-of-service attacks and steal data.
Most of the vulnerabilities are caused by memory management bugs of the kind generally seen in Real-Time Operating Systems (RTOS) and lightweight software implementations for IoT devices. Technical details of these vulnerabilities and a video of how hackers can exploit them are available from Forescout.
Telit’s investigations are ongoing, but at the time of publishing, there is no exposure to the threat in any Telit product.
We’ll be monitoring the situation as it develops. Please see below for updates.
May 2021 Update
Telit completed the investigation, and there is no exposure to the threat in any Telit product.