When you throw a pebble into a pond, ripples spread out across the water from the point of impact. A similar effect occurs when you have a vulnerability in a technology that is widely used as a foundation for entire classes of devices. Researchers from Israeli security firm JSOF found such a flaw with Ripple20—a collection of hackable vulnerabilities that impact a broad swath of Internet of Things (IoT) devices.
Scope and Impact of Ripple20
IoT devices are an unseen threat that lurks in the corner of every network. There are literally hundreds of millions of IoT devices in use around the world running medical devices, uninterruptable power supplies, industrial automation, and other critical equipment.
A blog post from JSOF describing Ripple20 explains, “The JSOF research lab has discovered a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. The 19 vulnerabilities, given the name Ripple20, affect hundreds of millions of devices (or more) and include multiple remote code execution vulnerabilities. The risks inherent in this situation are high.”
This is one of the biggest and most significant vulnerability disclosures in years. These vulnerabilities are at the root of a long and complex supply chain. Flaws in core technologies are multiplies and amplified as the reach of the vulnerability grows, while also making it very difficult—if not impossible—to confidently track all permutations and vendors affected.
The Ripple20 vulnerabilities pose a significant risk if successfully exploited. At the time of writing, there are 21 confirmed vulnerable vendors, including Cisco, HP, Dell, Intel, and Rockwell Automation. An additional 52 vendors—names like Apple, IBM, Broadcom, and Sony—are continuing to investigate to determine the possible impact of Ripple20 on their products.
Mitigating Risk from Ripple20
IoT vendors need to determine if they are using a vulnerable Treck stack and take steps to understand the risks, update to the latest version of Treck, and disable vulnerable features on any devices that can’t be updated.
Organizations using IoT devices at risk from the Ripple20 vulnerabilities should start by updating vulnerable devices if possible. If there are vulnerable devices that can’t be updated, you should minimize network exposure for critical devices and make sure vulnerable devices can’t be accessed from the public internet. You should also take steps to identify and block anomalous IP traffic and block network attacks via deep packet inspection.
Protecting Alert Logic Customers
The Alert Logic team analyzed the Ripple20 vulnerabilities and was able to identify a telltale fingerprint of the Treck stack which is consistent across multiple hardware vendors. That enabled us to develop a single, efficient unauthenticated safe scan check to reduce exposure to risk from Ripple20 for Alert Logic customers.
Alert Logic recommends that customers review their scan reports for Ripple20 vulnerabilities and contact their IoT vendors for patches. Telemetry signatures has been deployed to Alert Logic sensors, which will allow us to spot unusual activity specific to this vulnerability. At this time, we have not seen any specific attacks in the wild.