“Full-on supply chain disaster”: Hundreds of millions of IoT devices hit by Ripple20 flaws

News by Rene Millman

Nearly 20 zero-day vulnerabilities in a TCP/IP library, including critical vulnerabilities in the DNS protocol, could result in remote control of devices, with the impact magnified by supply chain dissemination

Security researchers have discovered nearly 20 vulnerabilities in the TCP/IP library used by IoT devices. The flaws could potentially affect hundreds of millions of devices worldwide.

Called Ripple20, the array of zero-day vulnerabilities was found in the comms stack developed by Treck.

According to a blog post by JSOF, four of the Ripple20 vulnerabilities are rated critical, with CVSS scores over nine, and enable remote code execution. “One of the critical vulnerabilities is in the DNS protocol and may potentially be exploitable by a sophisticated attacker over the internet, from outside the network boundaries, even on devices that are not connected to the internet,” researchers said.

Researchers noted the “incredible extent” of its impact, magnified by the supply chain.

“The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain “ripple-effect”. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people,” they said.

Researchers said that the flaws affect a diverse set of vendors, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar and Baxter, as well as many other major international vendors.

Since being notified, Treck has issued a patch to OEMs.

“While the best response might be to install the original Treck patch, there are many situations in which installing the original patch is not possible. CERTs work to develop alternative approaches that can be used to minimise or effectively eliminate the risk, even if patching is not an option,” said researchers.

Craig Young, senior security researcher at Tripwire, told SC Media UK that the situation is a “full-on supply chain disaster”.

“The affected code has apparently permeated out into many products across different verticals including some system-on-module components which in turn are embedded into other products. This is further compounded by the general difficulties often encountered when vendors need to update embedded device components. It is reasonable to expect that many devices will never have fixes available and others will take extended times as fixes work their way through the supply chain. It is not uncommon to see embedded devices without any capability for field upgrades,” he said.

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, told SC Media UK that as more ‘smart’ devices that control sensitive operations like smoke detection, heating and cooling, or even just power outlets are incorporated into homes and offices, the risk of them getting hacked can quickly transform from a small annoyance to very real safety issues.

“Even if the IoT devices themselves do not contain any sensitive information, their very presence on a computer network gives an attacker able to compromise them a much more effective vantage point to launch attacks on computer systems that do. Unfortunately, many embedded or IoT devices will not ever receive patches to fix this or future security issues discovered due to abandonment by the manufacturer or even the manufacturer going out of business,” he said.
