IoT bug report claims “at least 100M devices” may be impacted
2021-04-13 18:57

Even the most limited and self-contained test networks quickly end up crying out for DNS, and if ever you want to hook up your device or devices to the internet, you can consider DNS support a must.

That's why any TCP/IP device, no matter how tiny and resource-constrained it might be, and any operating system, no matter how much it might have been miniaturised, includes code for what's known as DNS resolution or DNS lookup.

The NAME:WRECK report doesn't cover just one bug or one vulnerability, and all but one of the bugs it describes date back to last year.

One involved a loop limit bug, where the code added no bytes to a text string, decided that the string wasn't full yet, and went back for more, vainly adding zero bytes over and over again for ever and ever, in the hope that the string would eventually get longer.

The last bug involved poor randomness, where one-time random numbers added as transaction identifiers into DNS replies were not random enough.

As a result, attackers could create fake DNS replies that would pass muster and perform DNS poisoning on the local device's stored list of known DNS replies.
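The check a DNS client needs before it caches a reply, written here as an added example that is not code from the report or from any affected TCP/IP stack: the transaction ID comes from the operating system's CSPRNG, and a reply is accepted only if it echoes that ID and the original question. The function names and the sample host name are assumptions made for illustration.

```python
import secrets
import struct

def encode_name(name):
    """Encode a host name as DNS labels: length byte + label, ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid=None):
    """Return (txid, packet) for an A/IN query. The ID is drawn from the OS CSPRNG
    unless a caller pins it (pinning is only meant for tests)."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    return txid, header + question

def accept_reply(query, reply):
    """True only if reply is a response carrying the query's ID and exact question."""
    if len(reply) < 12 or len(reply) < len(query):
        return False
    q_id, _, q_count = struct.unpack("!HHH", query[:6])
    r_id, r_flags, r_count = struct.unpack("!HHH", reply[:6])
    if not r_flags & 0x8000:                 # QR bit must mark this as a response
        return False
    if r_id != q_id or r_count != q_count:   # ID and question count must match
        return False
    return reply[12:len(query)] == query[12:]  # question section echoed byte for byte

if __name__ == "__main__":
    # Constructed sample: a query and two hand-built replies for a made-up host name.
    txid, query = build_query("sensor.example")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    good = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + answer
    wrong_id = struct.pack("!H", txid ^ 1) + good[2:]
    print("matching reply accepted:", accept_reply(query, good))
    print("wrong-ID reply accepted:", accept_reply(query, wrong_id))
```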


News URL

https://nakedsecurity.sophos.com/2021/04/13/iot-bug-report-claims-at-least-100m-devices-may-be-impacted/