Millions Of IoT Devices Were Vulnerable To These Number:Jack TCP/IP Stack Attacks
Today, Forescout published a research article detailing what they have called "NUMBER:JACK," a collection of nine vulnerabilities affecting TCP/IP stacks. In short, to make sure every TCP connection is unique and cannot be interfered with, a random number is generated, called an Initial Sequence Number (ISN). If a TCP connection uses improperly generated ISNs, an attacker could "hijack an ongoing connection or spoof a new one."
Forescout continues to drive original research around vulnerabilities in TCP/IP stacks with the announcement of NUMBER:JACK, a set of nine ISN generation vulnerabilities. #NUMBERJACK https://t.co/P4RxXw3eqT pic.twitter.com/eBiJ8m46NY— Forescout (@Forescout) February 10, 2021
Most concerning of all this is that this sort of attack has been seen before in the 90s, with things such as the Mitnick attack. Effectively, history is repeating, and dos Santos further explained that "This provides proof that people should be looking at what has happened before and how that affects their operations – all down the IoT supply chain."
At the end of the day, one would think that security would improve as companies take in the past lessons learned, but that is not always the case. IoT is the new hot thing, and people are eager to get products to market, whether or not the said product is secure or designed properly. Ultimately, though the 90s seem like an ancient time in terms of technology, the echoes of the past still haunt us and should remain a reminder for the future.