Ripple20 TCP/IP flaws can be patched but still threaten IoT devices

A set of serious network security vulnerabilities collectively known as Ripple20 roiled the IoT landscape when they came to light last week, and the problems they pose for IoT-equipped businesses could be both dangerous and difficult to solve.

Ripple20 was originally discovered by Israel-based security company JSOF in September 2019. It affects a lightweight, proprietary TCP/IP library created by a small company in Ohio called Treck, which has issued a patch for the vulnerabilities. Several of those vulnerabilities would allow for remote-code execution, allowing for data theft, malicious takeovers and more, said the security vendor.

That, however, isn’t the end of the problem. The TCP/IP library that contains the vulnerabilities has been used in a huge range of connected devices, from medical devices to industrial control systems to printers, and actually delivering and applying the patch is a vast undertaking. JSOF said that “hundreds of millions” of devices could be affected. Many devices don’t have the capacity to receive remote patches, and Terry Dunlap, co-founder of security vendor ReFirm Labs, said that there are numerous hurdles to getting patches onto older equipment in particular.

“How many of these devices are sitting in some closet covered with five years of dust that hasn’t been touched by human hands?” he said. “When you’re dealing with threats to the TCP/IP stack, you’re talking about the fundamental networking core of these devices.”

Even discovering whether or not a company’s networks are affected by the flaws can be a challenge, according to Brian Kime, a senior analyst at Forrester Research.

“Network vulnerability scanners have challenges in detecting flaws in those libraries,” he said. “[The flaws aren’t] really advertised, sitting there, waiting for a connection to be made from outside.”

A conclusive determination as to whether a given company is using any vulnerable devices may require a deep dive into the supply chain, contacting vendors and subcontractors to see whether the particular TCP/IP library is in use.

“It’s gonna be tough to fix the actual devices,” Kime said. “Bceause it’s embedded and because these vendors don’t advertise all the software components that go into their devices, [companies] probably won’t be able to identify just by looking at the vendor website.”

Efforts are already under way to patch affected devices, but it’s a mammoth task, involving dozens upon dozens of companies at every level of the supply chain. Business will have to work closely with vendors, their suppliers and on down the chain just to identify their potential exposure to Ripple20.

For those vendors and OEMs with the option, Dunlap suggested that there are alternative options available. Instead of using a proprietary TCP/IP library, companies could make use of one of the numerous open source options available.

“I don’t understand what a proprietary stack is going to get you over the open source stack that’s already out there,” he said.

The silver lining is that there’s no indication that it’s being exploited in the wild at this point. That may change, as bad actors react to its being made public and develop potential exploits, but they still might have a difficult time taking advantage of Ripple20, according to Dunlap.

Many of the most critical pieces of equipment that could be targeted using these vulnerabilities are not visible to the Internet at large and don’t have a direct connection to it. So while an infrastructure attack a la Stuxnet is possible, it would have to be delivered in much the same way – via “sneakernet” and an infected USB stick or another traditional malware delivery technique.

“A lot of these embedded systems that are vulnerable to this aren’t public facing,” he said. “They might be on an intranet, and if a company was the victim of a sophisticated phishing attack, that could open the door to an intruder.”

JSOF’s official post on the matter contains additional specifics about what devices might be affected, which could offer a starting point to companies looking to avoid a breach.