Menu
Ripple20 TCP/IP flaws can be patched but still threaten IoT devices

Ripple20 TCP/IP flaws can be patched but still threaten IoT devices

A serious security flaw in a TCP/IP library used by thousands upon thousands of IoT devices remains difficult to address even though a fix exists.

Credit: Dreamstime

A set of serious network security vulnerabilities collectively known as Ripple20 roiled the IoT landscape when they came to light last week, and the problems they pose for IoT-equipped businesses could be both dangerous and difficult to solve.

Ripple20 was originally discovered by Israel-based security company JSOF in September 2019. It affects a lightweight, proprietary TCP/IP library created by a small company in Ohio called Treck, which has issued a patch for the vulnerabilities. Several of those vulnerabilities would allow for remote-code execution, allowing for data theft, malicious takeovers and more, said the security vendor.

That, however, isn’t the end of the problem. The TCP/IP library that contains the vulnerabilities has been used in a huge range of connected devices, from medical devices to industrial control systems to printers, and actually delivering and applying the patch is a vast undertaking. JSOF said that “hundreds of millions” of devices could be affected. Many devices don’t have the capacity to receive remote patches, and Terry Dunlap, co-founder of security vendor ReFirm Labs, said that there are numerous hurdles to getting patches onto older equipment in particular.

“How many of these devices are sitting in some closet covered with five years of dust that hasn’t been touched by human hands?” he said. “When you’re dealing with threats to the TCP/IP stack, you’re talking about the fundamental networking core of these devices.”

Even discovering whether or not a company’s networks are affected by the flaws can be a challenge, according to Brian Kime, a senior analyst at Forrester Research.

“Network vulnerability scanners have challenges in detecting flaws in those libraries,” he said. “[The flaws aren’t] really advertised, sitting there, waiting for a connection to be made from outside.”

A conclusive determination as to whether a given company is using any vulnerable devices may require a deep dive into the supply chain, contacting vendors and subcontractors to see whether the particular TCP/IP library is in use.

“It’s gonna be tough to fix the actual devices,” Kime said. “Bceause it’s embedded and because these vendors don’t advertise all the software components that go into their devices, [companies] probably won’t be able to identify just by looking at the vendor website.”

Efforts are already under way to patch affected devices, but it’s a mammoth task, involving dozens upon dozens of companies at every level of the supply chain. Business will have to work closely with vendors, their suppliers and on down the chain just to identify their potential exposure to Ripple20.

For those vendors and OEMs with the option, Dunlap suggested that there are alternative options available. Instead of using a proprietary TCP/IP library, companies could make use of one of the numerous open source options available.

“I don’t understand what a proprietary stack is going to get you over the open source stack that’s already out there,” he said.

The silver lining is that there’s no indication that it’s being exploited in the wild at this point. That may change, as bad actors react to its being made public and develop potential exploits, but they still might have a difficult time taking advantage of Ripple20, according to Dunlap.

Many of the most critical pieces of equipment that could be targeted using these vulnerabilities are not visible to the Internet at large and don’t have a direct connection to it. So while an infrastructure attack a la Stuxnet is possible, it would have to be delivered in much the same way – via “sneakernet” and an infected USB stick or another traditional malware delivery technique.

“A lot of these embedded systems that are vulnerable to this aren’t public facing,” he said. “They might be on an intranet, and if a company was the victim of a sophisticated phishing attack, that could open the door to an intruder.”

JSOF’s official post on the matter contains additional specifics about what devices might be affected, which could offer a starting point to companies looking to avoid a breach.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Show Comments