Ripple20: Vulnerabilities in millions of IoT devices

Israeli experts claim that hundreds of millions of IoT devices contain critical vulnerabilities — and that’s the most conservative estimate.

Experts at Israeli company JSOF have discovered 19 zero-day vulnerabilities, some critical, affecting hundreds of millions of Internet of Things (IoT) devices. The worst part is that some devices will never receive updates. All of the vulnerabilities were found in the TCP/IP library of Treck Inc., which the company has been developing for more than two decades. The set of vulnerabilities is named Ripple20.

How does it affect you?

You may never have heard of Treck or its TCP/IP library, but given the number of affected devices and vendors, your corporate network probably includes at least one. The library is present in all kinds of IoT solutions, which means vulnerable IoT devices include items from home and office printers to industrial and medical equipment.

Treck’s creation is a low-level library that allows devices to interact with the Internet. Over the past 20 years, since the release of the first version, it has been used by numerous companies — most of the time it’s easier to take a ready-made library than to develop your own. Some simply applied it; others modified it to fit their needs or embedded it in other libraries.

Moreover, when searching for companies affected by Ripple20, the researchers found several cases in which the original purchaser of the library had changed its name. In some cases, it had been taken over by another company. Ultimately, assessing the actual number of devices that use this library is not straightforward. “Hundreds of millions” is a rough preliminary estimate. It could even be billions.

This rather complex supply chain is also the reason some devices will never get patched.

What are the vulnerabilities, and how are they dangerous?

The umbrella name Ripple20 covers a total of 19 vulnerabilities of varying degrees of criticality. The researchers have yet to release all of the technical details; they plan to do so at a Black Hat conference in late summer. It’s known, however, that at least four of the vulnerabilities are considered critical, having a CVSS score of more than 9.0.

Four more vulnerabilities not present in the latest version of the library do appear in previous iterations still used in devices — the library has been updated for reasons other than security, and many vendors continued to use older versions.

According to JSOF, some of the vulnerabilities allow attackers — who can lurk undetected for years — to take complete control of a device and use it to steal data from printers or change device behavior. Two critical ones allow remote execution of arbitrary code. A list of vulnerabilities and a video demo are available on the researchers’ website.

What to do

For companies that use the Treck TCP/IP library, the researchers recommend contacting the developers and updating the library to the latest version. If that’s not possible, disable all vulnerable functions on the devices.

As for companies that use vulnerable devices in their daily work, they face a daunting task. To start with, they need to determine if vulnerabilities are present in any equipment they use. That’s not as simple as it sounds, and it might require the assistance of regional CERT centers or vendors. In addition, companies are advised to:

  • Update the firmware of all devices (recommended anyway, regardless of new vulnerabilities).
  • Minimize Internet access of critical IoT devices;
  • Separate the office network from networks in which such devices are used (evergreen tip: Do that regardless);
  • Configure DNS proxies in networks with IoT devices.

For our part, we recommend using a reliable security solution able to detect abnormal activity in the corporate network. For example, that is one of Kaspersky Threat Management and Defense's many benefits.

Tips