A patch is available to counter Ripple20, but the security flaw affecting a TCP/IP library used by millions of IoT devices will be difficult to correct.
Discovered last week, the series of critical network security vulnerabilities dubbed Ripple20 has rocked the world of IoT. The memory corruption flaw dangerously exposes the IoT devices of the companies that use them, and it is also difficult to fix. Discovered in September 2019 by the Israeli security company JSOF, the Ripple20 vulnerability affects the proprietary network protocols developed by a small Ohio company called Treck and integrated into a TCP/IP library. “Several of these vulnerabilities could allow remote code execution, resulting in data theft, malicious takeovers, and more,” said JSOF.
But the problem does not end there. The TCP/IP library affected by these vulnerabilities is used by a large number of connected devices, from medical devices to industrial control systems to printers, IP cameras and videoconferencing systems. Deploying and applying the patch delivered by Treck, which fixes the 19 flaws identified, is no small task. According to JSOF, “hundreds of millions” of devices could be affected. “But many of them are not designed to receive remote patches,” said Terry Dunlap, co-founder of security provider ReFirm Labs. Indeed, many obstacles prevent patches from being applied, particularly on old equipment. “How many devices like this have been forgotten in a closet for years without ever being moved or checked? These potential attacks on the TCP/IP stack directly threaten the network core of these devices,” he added.
Flaws that are difficult to detect
“Knowing whether a company’s networks are affected by these vulnerabilities or not is a challenge in itself,” added Brian Kime, senior analyst at Forrester Research. “Network vulnerability scanners have a hard time detecting vulnerabilities in these libraries,” he said. “These flaws are not really visible and do not manifest themselves when a connection is established with the outside.” To find out whether a company is using vulnerable devices, a deep dive into the supply chain may be necessary: the company must contact the suppliers and subcontractors of its equipment to find out whether they used the affected TCP/IP library in their products. “It will be difficult to repair the existing devices,” added Kime. “Because this library is integrated and suppliers do not provide details of all the software components they put in their devices, it is likely that companies will not be able to find this information by simply consulting the supplier’s website.”
Work is already underway to repair the affected devices, but the task is enormous, as it involves dozens and dozens of companies at all levels of the supply chain. To find out if they are potentially exposed to the Ripple20 vulnerability, companies will need to work closely with vendors, their suppliers, and anyone who may have been involved in the product’s supply chain. Dunlap suggests that vendors and OEMs whose products use the proprietary TCP/IP library use one of the many open source options available instead. “A proprietary stack does nothing more than the existing open source stack,” he said. One reassuring point: nothing indicates at this stage that the Ripple20 vulnerability is being exploited. But that could change, as malicious actors do not wait long to develop exploits once flaws have been made public. However, Dunlap believes they are not yet ready to take advantage of Ripple20.
Identify the IoT devices concerned
Fortunately, the most critical devices affected by the vulnerability and which can be targeted by attackers are generally not visible on the Internet and have no direct connection to it. Thus, to carry out a Stuxnet-style attack, which is quite possible in this case, an attacker would have to proceed in roughly the same way, either via “sneakernet” and an infected USB key or by relying on another conventional malware delivery technique. “Many of these on-board systems vulnerable to Ripple20 are not available to the public,” said Dunlap. “However, they can be connected to an intranet, and if a company is the victim of a sophisticated phishing attack, an intrusion is not impossible.” In an official post, JSOF provided additional information on which IoT devices could be affected. It can help companies identify their devices and avoid data breaches.