Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
7/22/2020
03:00 PM
Tanner Johnson
Tanner Johnson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Ripple20's Effects Will Impact IoT Cybersecurity for Years to Come

A series of newly discovered TCP/IP software vulnerabilities pose a threat to millions of IoT devices. Undiscovered since the early 1990s, they highlight the need to improve security in an increasingly precarious IoT supply chain.

While the modern-day Internet supports considerable security controls such as encryption, identification, and authentication, this was not always the case. Concerns regarding cybersecurity were largely absent during the initial development and deployment of the early Internet. As a result, many of today's commonly used security solutions have been designed and applied piecemeal. So it's no surprise that several newly discovered flaws in the underlying network stack infrastructure, unknown and unpatched since the late 1990s, have recently been discovered. The implications of such vulnerabilities can prove catastrophic for the perpetually growing IoT landscape.

An Israel cybersecurity company named JSOF has managed to uncover a series of zero-day vulnerabilities in an old TCP/IP software library. Vulnerabilities that exist, but are unknown to the affected product vendor, are commonly referred to as zero-day vulnerabilities. The nature of these flaws mean they are exploitable until the vulnerable systems are patched by the vendor. However, even if a patch is released, many updates (especially on older components) cannot be automatically executed, and require human interaction to install. As a result, zero-day vulnerabilities simultaneously pose the greatest threats to information security, while being viewed as the most sought-after prize for cybercriminals to attain and share.

In total, JSOF discovered 19 of these vulnerabilities, but named the batch of flaws Ripple20 to illustrate the "ripple effect" these security defects will have on connected devices for years to come. The specific flaws themselves were determined to have spawned from a Cincinnati-based organization named Treck Inc. Treck was responsible for developing a high-performance TCP/IP protocol suite for use in embedded systems by connected device manufacturers.

As a result of the suite’s popularity, the vulnerabilities were able to infiltrate the global markets unnoticed through the supply chain itself. For instance, JSOF determined that a joint collaboration between Treck and a firm named Elmic Systems, allowed the vulnerabilities to also propagate into the Japanese market more than 20 years ago.

When it comes to understanding the software flaws themselves, knowledge of two primary components of the vulnerability ecosystem are essential. These include the Common Weakness Enumeration (CWE) values, and the Common Vulnerability Scoring System (CVSS) values. While there many independent variables that dictate the overall classification of these values for each vulnerability in question, the CWE serves as a common language for describing the nature of the vulnerabilities themselves, while the CVSS scores provide a universal yardstick for measuring their overall severity.

With regard to the Ripple20 vulnerabilities, three of the most common CWE values are CWE-20, CWE-125, and CWE-200. CWE-20 impacts the ability of the system to effectively validate user input, potentially allowing an adversary to execute malicious code. A CWE-125 flaw could grant an adversary the ability to read memory outside the intended buffer. Lastly, a CWE-200 vulnerability could result in the potential exposure of sensitive information. Additionally, CVSS scores reflect not only the criticality of the flaw, but also the degree of knowledge required to exploit the flaw. Unfortunately, four of the Ripple20 flaws have a CVSS score of 9/10 or higher, meaning they can be weaponized for devastating impact without requiring considerable expertise from the attacker.

While JSOF has provided recommendations to help mitigate the risks of Ripple20, the overall reach and scope of the flaws have significant market implications. Adding greater complexity to this specific challenge is the age of the vulnerable infrastructure itself, as these zero-day vulnerabilities have managed to permeate into millions of products from over 100 vendors. Components utilizing the vulnerable network stack library have been discovered in industrial environments, healthcare, consumer, retail, utilities, aviation, enterprise, transportation, and even national security sectors.

The resulting impact of a successfully exploited Ripple20 vulnerability can take many forms. If the flaws were exploited properly, an attacker could gain total control over an internal network device, from outside the network perimeter through the internet facing gateway. If multiple vulnerable devices were discovered, an adversary could potentially broaden their attack to target all unpatched components simultaneously. Lastly, a vulnerable device could allow an attacker to exploit a vulnerable component for years, without ever being noticed. Depending on the type of device, the consequences of these attacks can range from annoying to potentially life threatening.

It should be noted that while Treck was quick to update its TCP/IP stack to a version that addresses these vulnerabilities, that was the easier part of the security fix. Unfortunately, even after being notified that their products are affected, installing the patch has proven difficult for many vendors. Furthermore, this remediation effort can prove impossible for vulnerable components still in use, but whose vendors are no longer in business after 20 years.

The effort of tracking down all vulnerable components and systems, through a supply chain spanning two decades, will remain a considerable forensic challenge in the coming years. And this represents just one series of flaws. When combined with similar vulnerabilities that have already been discovered, and those that have yet to be uncovered, the fragile state of the IoT supply chain becomes clear. Without a more concerted effort to improve IoT and network device security, throughout the entire lifecycle from development to deployment and through to retirement, the IoT landscape will remain nearly impossible to secure.

Related Content:

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Tanner Johnson is a cybersecurity analyst focused on IoT and transformative technologies at Omdia. His coverage is focused on examining the various threats that occupy the IoT technology domain, as well as opportunities and strategies that are emerging as data connectivity ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7700
PUBLISHED: 2020-08-14
All versions of phpjs are vulnerable to Prototype Pollution via parse_str.
CVE-2020-7701
PUBLISHED: 2020-08-14
madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue.
CVE-2020-9228
PUBLISHED: 2020-08-14
FusionCompute 8.0.0 has an information disclosure vulnerability. Due to the properly protection of certain information, attackers may exploit this vulnerability to obtain certain information.
CVE-2020-9229
PUBLISHED: 2020-08-14
FusionCompute 8.0.0 has an information disclosure vulnerability. Due to the properly protection of certain information, attackers may exploit this vulnerability to obtain certain information.
CVE-2019-19643
PUBLISHED: 2020-08-14
ise smart connect KNX Vaillant 1.2.839 contain a Denial of Service.