AT 1800 HOURS on a Thursday night I received a call from an unknown number, just as I had finally started to get control of a massive pile of contractual work.
The man at the other end spoke in a commanding tone, and identified himself as an employee of the Cybersecurity & Infrastructure Security Agency (CISA), a part of the Department of Homeland Security (A fact unmistakably articulated in the call).
The reason for the call was the discovery of a security vulnerability in the open-source µIP library, and the agency had deduced that this likely affected the Yanzi solution. We would be contacted again with more information. Goodbye. [1]
µIP is a small TCP/IP stack implementation developed by researchers at SICS and used by the Contiki IoT and Contiki NG operating systems. Being able to implement a full stack in a miniscule amount of memory (< 16kb) the operating system and stack has been an obvious choice for cheap and low power IP hardware. Yanzi has worked closely with SICS and the Contiki teams for over ten years, and is using a newer, heavily modified version in our products.
Upon learning about the vulnerability, Yanzi quickly reviewed, remediated, and deployed fixed firmware to the global fleet of devices. Thanks to the layer 2 encryption and authentication present in the Yanzi version of Contiki, and some luck, the most severe attacks were not feasible against our devices. We later published an advisory with more details.
Once the public release date for Amnesia:33 approached, we were asked by the cybersecurity division of the German federal government if we would approve having our company name in the meta-advisory. This came as a surprise – surely responsibility is not optional?
Unfortunately, that turns out to be the case. According to an email, the collaborating international agencies had agreed to make publication optional. The CISA meta-advisory mentions only 13 vendors, out of the "150+" announced by the security researchers:
That leaves 137 unnamed vendors with products which still may be exploitable – and there is no way to know if your organisation is impacted by them.
IoT Security has made enormous strides in the last ten years. But if we ever intend to achieve a good standard, then we need to talk about – and shame – those vendors who do not deal with vulnerabilities transparently (or at all).
The exposed
[1] It would later be discovered that the agency had identified Yanzi through our release of Sparrow, an open-source implementation of the Yanzi application layer anno 2017 which is built on top of a vulnerable version of Contiki.