As the COVID-19 pandemic passes more somber fatality milestones and our global society strive to return to some kind of normality, other issues like cybersecurity persist and increase. Last week, JSOF Research Lab uncovered a series of 19 zero-day vulnerabilities that could impact hundreds of millions of IoT devices. Collectively named “Ripple20,” the vulnerabilities were found in a TCP/IP stack that is widely embedded in enterprise and consumer-grade products including transportation systems and power grids, as well as industrial and commercial buildings.
“The interesting thing about Ripple20 is the incredible extent of its impact, magnified by the supply chain factor. The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain “ripple-effect”. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people,” said the JSOF report on the discovery.
“The risks inherent in this situation are high,” the report continued. “Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.”
The Cybersecurity and Infrastructure Security Agency (CISA) rates six of the 19 bugs between 7 and 10 on the CVSS score, where 10 represents the most severe vulnerability. Two of those six bugs scored a 10 out of 10. In its advisory, CISA “recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities,” such as protecting vulnerable devices with firewalls and removing any connections to the public internet.
Not completely unlike COVID-19, the risks of Ripple20 are great but the real problem is its ability to spread. Being present in a principal TCP/IP stack by Treck Inc. the Ripple20 issue has been able to branch out across the world using our supply chains. As a result, Ripple20 has already reached critical IoT devices in various sectors. The range of impacted vendors includes one-person boutique shops to Fortune 500 multinational corporations — it seems that few have escaped the ripple effect.
“The software library spread far and wide, to the point that tracking it down has been a major challenge. As we traced through the distribution trail of Treck’s TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use. As a dissemination vector, the complex supply chain provides the perfect channel, making it possible for the original vulnerability to infiltrate and camouflage itself almost endlessly,” the JSOF report explains.
“We even discovered different branches in different geographic areas. Back in the 1990s, Treck collaborated with a Japanese company named Elmic Systems. They later split apart and went their separate ways. This resulted in two separate branches of the TCP/IP stack devices – one managed by Treck and one managed by Elmic Systems – marketed in totally separate areas, with no contact between them,” JSOF continued. The Israeli company has now been invited to speak about these vulnerabilities at the Black Hat USA, August 2020 event.
These 19 hackable bugs that now appear to pose a foundational threat to the IoT as a whole, were put into code sold by a little known Ohio-based software company called Treck Inc., a provider of software used in internet-of-things devices. JSOF's researchers found one bug-ridden part of Treck's code, built to handle the ubiquitous TCP-IP protocol that connects devices to networks and the internet. The code has been part of the devices from over 10 major manufacturers, including HP, Intel, Rockwell Automation, Caterpillar, and Schneider Electric.
"Not that many people have heard of this company, but they are a leading provider of TCP-IP stacks, so they're at the beginning of a really complex supply chain. The vulnerabilities in the stack got amplified by the ripple effect of the supply chain, so that they exist in pretty much any type of connected device I can think of. An attacker can take complete control of any of the affected devices. It just depends on the device and your imagination," says JSOF CEO Shlomi Oberman.
"It’s pretty safe to assume some of these devices can’t be updated, or some of the companies have ceased operations," JSOF’s Oberman told Wired, adding that it may take months or even a year to identify the full spectrum of companies and devices that include the buggy code. "This is maybe just the beginning of the end of the story," Oberman warned.
JSOF has certainly discovered something big but many in the industry are playing down its potential IoT-destroying impact. Intel put out an official statement claiming it had fixed four of the vulnerabilities in an update earlier this month, and suggested that the bugs "require a nonstandard configuration for systems to be vulnerable," adding that, "at this time, Intel is not aware of any customers using this configuration."
Donald Schleede, Information Security Officer at embedded device firm Digi, another user of the TCP/IP stack in question, said they were unable to replicate some of the attacks that JSOF describes, arguing that attacks would have to be customized for each vulnerable device. "It's very device-dependent and very firmware-version-dependent. Even though we couldn’t replicate it, we moved forward. We knew that a code review needed to happen."
While, Treck Inc. the company at the eye of the storm, said: “We’ve recently been made aware of an independent security researcher’s work that resulted in the reporting of a group of vulnerabilities, of which Treck acted upon immediately. Treck has fixed all issues that were reported and made them available to our customers either through our newest code release, or patches."
It may be a while before we understand this new/old risk landscape, but some of JSOF peers offer a more balanced view. Jatin Kataria, principal research scientist of Red Balloon Security, who reviewed JSOF’s findings., for example, agreed with the existence of the bugs, but says it is far less clear how hackable the devices in question really are. In a search for devices vulnerable to Ripple20, Kataria only found a few thousand that appeared to be exposed on the internet, in contrast to the over 100,000 that JSOF has claimed.
"All these problems show that they [Treck] haven't passed any kind of standardization, they haven't followed any rules or safe coding guidelines," says Kataria. "To reach these devices, that’s a different question, but if the attacker has access to these devices, it’s pretty bad. This is a problem for the whole industry, and it's something that needs to be fixed."