Microsoft Announces BadAlloc, Family of Flaws in IoT Devices

BadAlloc is a critical family of memory-allocation vulnerabilities affecting IoT devices. The flaws affect consumers and businesses alike, and fixes are available for some affected devices.

In the past, we have discussed that IoT devices do not have their own built-in security. During that discussion, we suggested that it is a good idea for business leaders to have a separate network for IoT devices, one that does not touch any other business function. Threat actors can move from one system to another once they are on a network, so isolating weak spots reduces the attack surface. Why is this the recommendation? Last week, Microsoft announced 25 novel, critical memory-allocation vulnerabilities across IoT devices. Situations like this are exactly why those separate networks matter.

Microsoft’s research team named the family of vulnerabilities “BadAlloc.” The flaws affect consumer, medical and industrial IoT devices, operational technology and industrial control systems.

“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations,” according to the report published by the Microsoft Security Response Center. “Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.”

These problems appear to be systemic, so several different components of a device can be affected. Real-time operating systems (RTOSes), SDKs and C standard library (libc) implementations are all among the components that can be impacted. The researchers said that since IoT and OT devices are highly pervasive, “these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds.”
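The missing input validation the report describes is, in the BadAlloc class, unchecked integer arithmetic on the requested allocation size: adding header or alignment bytes to a very large request wraps around, so the allocator hands back a tiny block that the caller then overruns. The allocator wrapper below is a constructed illustration added for this article, not code from any affected product; the 8-byte header and 8-byte alignment are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a tiny allocator wrapper that prepends an 8-byte
 * bookkeeping header, in the style of many embedded heap implementations. */
#define HDR_SIZE 8u
#define ALIGN    8u

/* Rounds the request up to the alignment and adds the header WITHOUT
 * validating the input. When n is close to SIZE_MAX the addition wraps, so
 * a huge request yields a tiny block; a caller that then writes n bytes
 * into it overflows the heap. This is the defective pattern. */
size_t badalloc_size_unchecked(size_t n)
{
    return (n + HDR_SIZE + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

/* Hardened form: rejects any request whose padded size would wrap.
 * Returns 0 on overflow, which callers must treat as allocation failure. */
size_t badalloc_size_checked(size_t n)
{
    if (n > SIZE_MAX - HDR_SIZE - (ALIGN - 1))
        return 0;                        /* would wrap: reject */
    return (n + HDR_SIZE + (ALIGN - 1)) & ~(size_t)(ALIGN - 1);
}

/* Allocation wrapper built on the checked computation. Returns NULL when
 * the size check fails or the underlying malloc fails. */
void *safe_alloc(size_t n)
{
    size_t total = badalloc_size_checked(n);
    if (total == 0)
        return NULL;
    unsigned char *block = malloc(total);
    if (block == NULL)
        return NULL;
    memset(block, 0, HDR_SIZE);          /* header bookkeeping lives here */
    return block + HDR_SIZE;             /* caller receives the payload */
}

void safe_free(void *p)
{
    if (p != NULL)
        free((unsigned char *)p - HDR_SIZE);
}

/* Returns 1 if a request of n bytes is accepted and freed, 0 if rejected. */
int alloc_accepts(size_t n)
{
    void *p = safe_alloc(n);
    if (p == NULL)
        return 0;
    safe_free(p);
    return 1;
}
```

For a 100-byte request both size functions agree on 112 bytes; for a request of SIZE_MAX - 4 the unchecked version wraps to 8 bytes while the checked version returns 0 and the wrapper refuses the allocation.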

There is good news, though: none of the vulnerabilities has yet been exploited in the wild. That’s likely to change relatively quickly with this announcement, but it does give business owners and leaders a small window of time to adjust their network settings and verify their IoT devices are properly secured. Vendors of affected devices have been notified, but they will need to investigate whether their products need a patch. The Cybersecurity and Infrastructure Security Agency (CISA) has a full list of the 25 affected devices, 15 of which already have updates in place. The rest either plan to release a fix at a later date or have no plans to fix it.

Any business with IoT devices on-premises needs to look at the above list. If your business uses any of the devices included, it should be immediately disconnected from the internet. If a patch is already available, the device can be reconnected once the patch is applied. If the device doesn’t have a fix yet, it’s really important to keep that device away from any network that touches sensitive business information. And if it’s a device that isn’t going to receive a fix, it might be time to look for a more secure replacement.

As we have discussed in the past, IoT devices should always have their own network. Before allowing an IoT device into your place of business, it’s important to work out how you must secure it first. If the device doesn’t require a username and password, keeping it on a separate network from other devices is critical. If it does, make sure that username and password are strong: the harder an attacker has to work to get into a device, the quicker they will move on to easier targets. All IoT devices should be secured as tightly as possible, just like anything else in your business, even when they are on a separate network.

IoT devices come with a lot of risks, often risks that business owners don’t consider for a variety of reasons. Many of those reasons come down to business owners and business leaders being pulled in many directions throughout the day. Don’t let the security of your business fall by the wayside because you didn’t have the time or staff to make it secure. Hire an expert: consult someone who knows exactly how to make your business as secure as possible. Once you find that person and they do their job, make sure they’ve trained your staff, or at least department heads, on the security measures and how to maintain them, along with any phone numbers to call for needed support in the future.

Don’t mess around with your livelihood and the livelihoods of your employees. Secure your business with many layers, and keep anything with subpar security on a separate network from business systems.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. It was founded by 20-year software engineering veterans who have founded or co-founded several companies. PWV experts act as trusted advisors and mentors to numerous early-stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high-impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
