Potentially billions of IoT devices at risk from Ripple20 attacks – major brands are flagged
Security experts have identified a series of 19 vulnerabilities, given the name Ripple20, in a small software library integrated into “hundreds of millions”, and potentially billions, of IoT devices that have been sold into consumer, enterprise and industrial markets during the past two decades.
Israeli security firm JSOF said this week that IoT devices from Caterpillar, Cisco, HP, HPE, Intel, Rockwell, Schneider Electric, and Digi, among others, are vulnerable to remote hacks by cyber-criminals. The vulnerable TCP/IP software stack was sold by an Ohio-based software company called Treck.
JSOF said it had struggled to track down the software library in the supply chain, calling it a “major challenge”. It added: “Many other major international vendors [are] suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy, telecom, retail and commerce, and other industries.”
Devices from the likes of BAE Systems, Broadcom, Fraunhofer, Itron, Lockheed Martin, Marvell, and NVIDIA remain under investigation. Devices by AMD, GE Healthcare, Laird, Philips, Texas Instruments, and Zebra Technologies have been confirmed as unaffected.
Most of the vulnerabilities are memory-management bugs in code that dates back to the 1990s. JSOF stated: “The number of devices that contain the vulnerable code base library is only a preliminary estimate; the number may realistically be in the billions.”
The software has “spread around the world” during the past two decades, it said. “As a dissemination vector, the complex supply chain provides the perfect channel, making it possible for the original vulnerability to infiltrate and camouflage itself almost endlessly.”
All organisations must perform a comprehensive risk assessment before deploying defensive measures, said JSOF. (Its full recommendation is contained on its website.) Treck, which worked with JSOF on the research, recommends that users upgrade to the latest stable version of its TCP/IP stack (version 6.0.1.67 or later).
JSOF has highlighted the “extent of [the] impact, magnified by the supply chain factor”; the name Ripple20 refers to this ripple effect across the supply chain. JSOF said: “In all scenarios, an attacker can gain complete control over the targeted device remotely, with no user interaction required.”
It added: “The risks inherent in this situation are high… A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people.”
It gave examples: data could be accessed and stolen remotely from printers, infusion pumps, and industrial control devices, it said. “An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.”
JSOF will present a white paper on its findings at Black Hat USA 2020 in August.
The US Cybersecurity and Infrastructure Security Agency (CISA) said it is aware of the vulnerabilities, and flagged Treck’s upgrade path. It also said users should take defensive measures to minimise the risk of exploitation of these vulnerabilities: keeping affected devices off the internet, placing them behind firewalls and isolated from business networks, and using secure methods such as VPNs where remote access is required.
Natali Tshuva, chief executive at Sternum, another Israeli cyber-security firm, commented: “The Ripple20 vulnerabilities in IoT devices are significant and widespread, making data and device security the most important IoT cybersecurity issue of our time.
“What’s even more problematic is the fact that the affected library wasn’t only used by IoT device vendors directly, but also integrated into software suites, meaning that many companies using this software are not aware that they are using this particular piece of code. Because of these third-party vulnerabilities, major vendors are now exposed to potential damage and financial loss.
“Ultimately, only IoT device manufacturers can solve these cybersecurity issues, as companies that deploy IoT devices are typically unable to install protection or update the security of the devices. This is why we are seeing (and will continue to see) legislation and regulations moving towards shifting liability onto the device manufacturers themselves.”