A set of serious network security vulnerabilities collectively known as Ripple20 roiled the IoT landscape when they came to light last week, and the problems they pose for IoT-equipped businesses could be both dangerous and difficult to solve.

Ripple20 was originally discovered by Israel-based security company JSOF in September 2019. It affects a lightweight, proprietary TCP/IP library created by a small company in Ohio called Treck, which has issued a patch for the vulnerabilities. Several of those vulnerabilities would allow remote code execution, opening the door to data theft, malicious takeovers and more, the security vendor said.

That, however, isn’t the end of the problem. The TCP/IP library that contains the vulnerabilities has been used in a huge range of connected devices, from medical devices to industrial control systems to printers, and actually delivering and applying the patch is a vast undertaking. JSOF said that “hundreds of millions” of devices could be affected. Many devices don’t have the capacity to receive remote patches, and Terry Dunlap, co-founder of security vendor ReFirm Labs, said that there are numerous hurdles to getting patches onto older equipment in particular.

“How many of these devices are sitting in some closet covered with five years of dust that hasn’t been touched by human hands?” he said. “When you’re dealing with threats to the TCP/IP stack, you’re talking about the fundamental networking core of these devices.”

Even discovering whether or not a company’s networks are affected by the flaws can be a challenge, according to Brian Kime, a senior analyst at Forrester Research.

“Network vulnerability scanners have challenges in detecting flaws in those libraries,” he said. “[The flaws aren’t] really advertised, sitting there, waiting for a connection to be made from outside.”

A conclusive determination as to whether a given company is using any vulnerable devices may require a deep dive into the supply chain, contacting vendors and subcontractors to see whether the particular TCP/IP library is in use.

“It’s gonna be tough to fix the actual devices,” Kime said. “Because it’s embedded and because these vendors don’t advertise all the software components that go into their devices, [companies] probably won’t be able to identify just by looking at the vendor website.”

Efforts are already under way to patch affected devices, but it’s a mammoth task, involving dozens upon dozens of companies at every level of the supply chain. Businesses will have to work closely with vendors, their suppliers and on down the chain just to identify their potential exposure to Ripple20.

For vendors and OEMs that have the option, Dunlap suggested an alternative: instead of using a proprietary TCP/IP library, companies could make use of one of the numerous open source options available.

“I don’t understand what a proprietary stack is going to get you over the open source stack that’s already out there,” he said.

The silver lining is that there’s no indication that it’s being exploited in the wild at this point. That may change as bad actors react to its being made public and develop exploits, but they still might have a difficult time taking advantage of Ripple20, according to Dunlap.

Many of the most critical pieces of equipment that could be targeted using these vulnerabilities are not visible to the Internet at large and don’t have a direct connection to it. So while an infrastructure attack à la Stuxnet is possible, it would have to be delivered in much the same way – via “sneakernet” and an infected USB stick or another traditional malware delivery technique.

“A lot of these embedded systems that are vulnerable to this aren’t public facing,” he said. “They might be on an intranet, and if a company was the victim of a sophisticated phishing attack, that could open the door to an intruder.”

JSOF’s official post on the matter contains additional specifics about what devices might be affected, which could offer a starting point for companies looking to avoid a breach.