Spilling the Memory Beans Overflowing Data and Instructions Can Cause Havoc

You don’t have to be an expert to know that memory chips are fundamental for computers to function. Each application you run on a system is programmed to ask for a segment of memory to load and store instructions and data for the processor to operate on. Invading the space of a different application or program leads to a memory-corruption-type of vulnerability.

This type of security bug typically arises from programming errors, which are quite common in the Internet-of-Things. It’s known in the security industry as a buffer overflow. The glitch can cause unauthorized changes to a device’s memory contents, often generating crashes or unwanted behavior that could jeopardize the owner’s control over the gadget, temporarily or permanently.

Hackers can trigger a buffer overflow by providing the targeted application more input than it is meant to store in its memory slot. As complicated as it all may seem, an oversimplified analogy could make the term easier to understand. Think of the memory slots as a series of adjacent private pools, and the data they store as water and people having fun in it.

Say the administrator of the pools trusts the customers to manage themselves and fill the containers to a limit he or she tells them. The restriction would protect the privacy of the groups in the neighboring pools. Without proper control, the limit can be ignored. The excess water might allow people to invade the private space of others, and it might make the pool unstable and even collapse it.

Someone intentionally disregarding the warning would try to fill the pool until it spills into the adjacent space, allowing them to see what another group does for fun, and even cross over. Similarly, a hacker would test the controls to see if the effect would let them move into the memory space of another application and glean information, extract or manipulate it.

Computer memory slots are not fixed in size, so one amendment to the analogy would be that the pools can grow or shrink to accommodate the number of party members. This way, the administrator can create them as large or as small as the customers demand. Also, it is called buffer vulnerability because it affects data that waits in a temporary location to move from one place to another or between processes.

This sort of flaw is present on all sorts of devices, smart ones included. Last year, Bitdefender published research on a connected doorbell and an IP camera with code vulnerable to buffer overflows that allowed remote code execution. Another study warned about such a glitch in millions of IoT systems.

Most of the time, your defense against this threat is limited to waiting for the manufacturer to release new firmware that solves the issue. Bitdefender BOX covers this window of risk by identifying the IoT devices on your network, the flaws they are susceptible to, and by blocking exploitation attempts headed towards any node on your home network.

One comment

  • By Paul Zamora - Reply

    This is stupid

  • Add Comment

    Your email address will not be published. Required fields are marked *