Project Memoria and flaws in embedded TCP/IP stacks

Many consumer IoT devices nowadays, such as routers, modems, network-attached storage (NAS) boxes, and network video recorders (NVRs) use firmware based on the Linux kernel. But industrial and medical embedded devices still rely on proprietary real-time operating systems (RTOSes) such as VxWorks for their firmware.

Even though this means there is more firmware diversity in the industrial IoT world, there are still some components that can be shared by different RTOSes, including TCP/IP stacks. These complex codebases implement some of the Internet’s core protocols — DNS, HTTP, FTP, ARP, ICMP, etc. — and were written decades ago as proprietary libraries that were then sold to embedded operating system vendors.

In 2020, researchers from security firm Forescout in collaboration with universities and other companies launched a project to analyze proprietary TCP/IP stacks used in industrial devices. Known as Project Memoria, the research lasted 18 months and led to the discovery of 104 vulnerabilities, many critical, in multiple TCP/IP stacks and libraries used in over 250,000 embedded device models from more than 500 vendors.