Security researchers today disclosed 19 bugs affecting hundreds of millions of Internet of Things (IoT) devices. The "Ripple20" vulnerabilities, four of which are critical, exist in a low-level TCP/IP software library used by many manufacturers to connect their devices to the Internet via TCP/IP connections.
Researchers with Israeli cybersecurity consultancy JSOF began researching this library, built by a software company called Treck, in September 2019. It piqued the team's interest because they predicted it would be used in several types of connected devices, explains CEO and researcher Shlomi Oberman. Investigation revealed several serious flaws in all types of connected devices.
"We found it's pretty much everywhere, in terms of the IoT space," Oberman says. "We threw a stone in the pond, and ripples keep expanding, and every day we're learning of new vendors." The flaws are not named for their count, he adds, but for their ripple effect across industries.
JSOF has been working with Treck, the Computer Emergency Response Team Coordination Center (CERT/CC), and the Cybersecurity and Infrastructure Agency (CISA) in the disclosure process. While it was difficult to engage Treck at the start, JSOF says, the company ultimately took over the process of notifying its clients and developed a patch for Ripple20 by the end of March.
Vulnerable products include industrial control devices, printers, medical devices, power grids, home products, and retail devices. Ripple20 exists in the transportation, aviation, oil and gas, and government and national security sectors. Vendors affected include one-person boutique shops to Fortune 500 corporations: HP, Schneider Electric, Intel, and Rockwell Automation. When JSOF reached out to the Department of Homeland Security (DHS), they received a list of 70 to 80 vendors potentially at risk.
"Working with the DHS, and going after the supply chain vendor by vendor, we slowly realized how big of an issue this is," Oberman explains.
Inside Ripple20: The Most Critical Flaws
The vulnerabilities range in severity from small flaws with subtle effects to bugs that could enable denial of service or information disclosure if exploited, Oberman says. Two could lead to remote code execution, allowing attackers to take over a device and do whatever they want.
One of the more severe flaws is CVE-2020-11896 (CVSSv3 score 10), a remote code execution vulnerability that can be exploited by sending malformed IPv4 packets to a device supporting IPv4 tunneling. It affects any device running Treck with a specific configuration. Another is CVE-2020-11897 (CVSSv3 score 10), which can be triggered by sending multiple malformed IPv6 packets to a device. It affects any device running an older version of Treck with IPv6 support, JSOF reports. More information on the vulnerabilities can be found in the research team's full report.
An attacker would need to be on the network to exploit most of these vulnerabilities, Oberman says, but this usually isn't difficult because many IoT devices are already connected to the Internet by mistake. In some cases, a sophisticated attacker could target devices from outside the network. JSOF believes all vendors are vulnerable to at least one of the remote code execution flaws, with the exception of one vendor that made extensive changes to the code base itself.
How these vulnerabilities affect an organization depends on how the software is used. The Treck software library can be used as is, configured for a range of uses, or built into a larger library, researchers explain in a writeup of their findings. Someone could buy the library in source code format and edit it; the library could be integrated into a range of device types. A company that originally bought the library could rebrand or undergo an acquisition.
"Over time, the original library component could become virtually unrecognizable," the team writes. "This is why, long after the original vulnerability was identified and patched, vulnerabilities may still remain in the field, since tracing the supply chain trail may be practically impossible." Many affected organizations may have no idea they're vulnerable to bugs in a software library that has been making its way into connected devices for 20 years.
While patches are now available for the Ripple20 vulnerabilities, researchers are still working to identify vulnerable devices. One of the coordination organizations that JSOF worked with said it could be two years before all of the affected devices are discovered, Oberman says.
How One Affected Vendor Responded
JSOF informed Digi International of Ripple20 in February, says information security officer Donald Schleede. The IoT technology provider soon started looking at aspects of the flaws and began the public disclosure process, which he says is typically within 90 days. However, because customer concerns and compliance standards demand 30 days' notice for any vendor, the timeline for addressing critical flaws amounts to less than 60 days.
"These products are older products," says Schleede. "It's a code base that has been out there for a while." Working with the JSOF researchers, Digi went through and addressed each of the necessary code fixes and then did a code audit to verify whether flaws were attackable or not.
Ripple20 affected lines of Digi products. One was its boxed products, which customers buy and then Digi provides the firmware. The other consists of embedded boards, which customers integrate into their products. and Digi provides the code. All were patched by late April, and organizations were notified via enterprise management system. Schleede says many customers, especially in the industrial space, don't want automatic updates because they can interfere with processes.
When asked about the likelihood of vulnerabilities being exploited, Schleede says "it's hard to narrow this one down." The firm identified about 22 code fixes, the implications for which vary depending on how they're used. Attacks targeting the availability of data are "probably the hardest to protect against but the easiest attack." However, those affecting data confidentiality and integrity are both more dangerous and difficult to pull off.
"If data is being stolen and you don't know where it's coming from, it's pretty critical," he adds.
The worst-case scenario vulnerabilities in Ripple20 were difficult to exploit because they require extensive knowledge about the target device. Schleede says he spent three days with engineers trying to replicate the most destructive attacks with no success. If he wanted to launch an attack to knock systems offline, he says it would be much easier.
"It's going to be different for different devices and how protections are designed," he explains. For vendors affected by Ripple20, he advises putting a strong security testing program in place.