• The Singapore authorities on Thursday issued an alert on an internet vulnerability collectively called Name:Wreck
• An American cyber-security firm said an estimated 100 devices could be prone to attack by hackers
• It is the responsibility of companies with internet servers to install software updates to protect themselves, experts said

SINGAPORE — More than 100 million internet-connected devices such as medical equipment, wearable fitness products and printers may be at risk due to a vulnerability that could allow hackers to take them offline or gain control over them.

The Cybersecurity Agency of Singapore’s Singapore Computer Emergency Response Team (SingCert) issued an alert on Thursday (April 15) on the vulnerability, collectively called Name:Wreck.

American cyber-security firm Forescout Research Labs, which found the flaw, said that not all internet-connected devices are vulnerable to the weakness.

If only 1 per cent of the more than 10 billion devices are vulnerable, then an estimated 100 million devices will be impacted, and this is a conservative estimate.

But should the man-on-the-street be concerned?

TODAY speaks to experts to find out how the vulnerability can be exploited, what consequences are there, and what can be done to solve this issue.

WHAT IS THE THREAT?

The vulnerability originated from a bug within Domain Name System (DNS) servers.

These servers are like the internet’s phonebook, converting domain names such as www.example.com into Internet Protocol addresses, which is a chain of numbers so that browsers can load internet resources.

Forescout Research Labs, in partnership with Israeli cyber-security firm JSOF Research, discovered a set of nine DNS vulnerabilities on Tuesday.

Even then, Mr Ali Fazeli, founder of cyber-security firm Infinity Forensics, told TODAY that the bug could have already been there for days and even months before the discovery.

He said that hackers will be able to breach the systems in two ways — by denial-of-service attack where the hacker indefinitely disrupts service of a host connected to the internet, or a remote code execution attack, where an attacker can access device functions remotely.

“The moment you are able to control the system remotely, you are able to compromise the data, steal the data, you are able to do many things,” Mr Fazeli said.

HOW SERIOUS IS THE THREAT?

The hackers will not only be able to access computers connected to the internet, but any other device that is linked to it, experts said.

Mr Terence Siau, vice-president of cyber-security firm ABPGroup, said that these devices can be anything ranging from closed-circuit television (CCTV) systems, printers, and even medical equipment such as ultrasound machines, all of which can be connected to the internet.

Theoretically, the vulnerability acts as an “entry point” to certain devices and hackers may then employ other malicious tactics to compromise them, Mr Siau said.

“If they are able to compromise operating theatre data, they may be able to view the different health records of the patients.”

Mr Siau added that in theory, the hackers could also manipulate the functioning of the devices.

On this, Mr Lim Yihao, a principal threat intelligence advisor at Mandiant Threat Intelligence, said that it lead to grave outcomes especially in the medical field, but it is only a theoretical understanding of the vulnerability and not something that has been proven in reality yet. 

“These (findings) are being published by researchers under controlled environments. Whether or not this can be done in real life, this is yet to be seen,” Mr Lim said.

“We should be cautious, but we shouldn't be panicking.”

WHAT CAN BE DONE ABOUT IT? 

SingCert on Thursday said that security patches have been rolled out to address the vulnerabilities.

Security patches are the primary method to fix the software vulnerabilities.

Experts said that it is the responsibility of companies who host these DNS servers to install these patches to update their software.

Mr Lim said that besides installing the patches, companies should also monitor all network traffic for malicious activities that could be coming from the DNS servers.

Then, firms should also make sure that they protect “crown jewel” data with more safeguards such as firewalls and intrusion detection systems. Such crucial data include patient data at hospitals or personal data of clients for banks.

SHOULD ONLINE USERS BE CONCERNED?

The installation of patches is not the responsibility of the average individual.

“The DNS servers are controlled by corporations, most individual users cannot (control) that,” Mr Fazeli said.

Therefore, for those at home, there is no need to worry about this development, the experts said.

Instead it is up to the broadband provider — likely the telecommunications companies — to ensure that they install the latest patches, to keep their customers safe from these vulnerabilities.

While protecting internet-connected devices from this particular vulnerability may be beyond a user's control, it will not hurt to have basic safeguards to fend off other bugs.

Mr Siau said: “We can perform basic cyber-security hygiene such as installing antivirus for our laptops and desktops.”