The two vulnerabilities in question are Remote Code Execution (RCE) vulnerabilities, which would give attackers a way to control affected devices remotely. In the original report, JSOF found two RCE vulnerabilities and demonstrated them separately on two different devices; notably, the two CVEs were never demonstrated on the same device. After performing its own testing, the Finite State team never observed an individual device on which both CVEs had their documented RCE effect. Instead, the effect of each CVE was either a DoS (Denial of Service), an information leak, or nothing at all.
Finite State CEO Matt Wyckhouse explains that part of the discrepancy between the JSOF report and these new results stems from the way the Treck stack is used. “You can’t just look up a version of the Treck stack. There’s no way to do that comprehensively, because there’s no such thing as a single version of Treck. Developers pull parts of the stack out and use them piecemeal, which means it’s critical that you test each device to verify these types of vulnerabilities.”
In the whitepaper, Critchley and co-author Hahna Latonick, who serves as the Director of Security Research at Finite State, acknowledge that verification of vulnerabilities in embedded software at a large scale is difficult for both device manufacturers and asset owners. “Most product security teams lack the proper tooling,” they write, though Finite State offers verification as part of their comprehensive product security platform. Still, they emphasize that “it’s crucial that we have a system in place that can do so quickly and accurately to prevent over-exaggerated security responses.” Latonick adds, “we as a community currently don’t have solutions in place that are mature enough to address these issues at scale with speed and efficacy. We’ve developed one solution, which we’ve outlined in this paper, but ultimately we need to collectively be doing our due diligence on how vulnerabilities are reported and addressed.”
Ultimately, Wyckhouse says, the company’s aim was not to trump JSOF’s research. “We want to make clear that this is a systemic issue in the way we write and publish CVEs. The vulnerabilities are real and the research that JSOF did was absolutely necessary. The problem is that the way we currently measure and report the severity of magnitude of vulnerabilities does not work for IoT and other connected devices. It’s our job as a community to recognize that and move toward a better system.”