
Tanner Johnson

Ripple20's Effects Will Impact IoT Cybersecurity for Years to Come

A series of newly discovered TCP/IP software vulnerabilities pose a threat to millions of IoT devices. Undiscovered since the early 1990s, they highlight the need to improve security in an increasingly precarious IoT supply chain.

While the modern-day Internet supports considerable security controls such as encryption, identification, and authentication, this was not always the case. Concerns regarding cybersecurity were largely absent during the initial development and deployment of the early Internet. As a result, many of today's commonly used security solutions have been designed and applied piecemeal. So it's no surprise that several flaws in the underlying network stack infrastructure, unknown and unpatched since the late 1990s, have only recently been discovered. The implications of such vulnerabilities can prove catastrophic for the perpetually growing IoT landscape.

An Israeli cybersecurity company named JSOF has managed to uncover a series of zero-day vulnerabilities in an old TCP/IP software library. Vulnerabilities that exist but are unknown to the affected product vendor are commonly referred to as zero-day vulnerabilities. The nature of these flaws means they are exploitable until the vulnerable systems are patched by the vendor. However, even if a patch is released, many updates (especially on older components) cannot be applied automatically and require human interaction to install. As a result, zero-day vulnerabilities simultaneously pose the greatest threats to information security while being viewed as the most sought-after prize for cybercriminals to attain and share.

In total, JSOF discovered 19 of these vulnerabilities, but named the batch of flaws Ripple20 to illustrate the "ripple effect" these security defects will have on connected devices for years to come. The specific flaws themselves were determined to have spawned from a Cincinnati-based organization named Treck Inc. Treck was responsible for developing a high-performance TCP/IP protocol suite for use in embedded systems by connected device manufacturers.

As a result of the suite's popularity, the vulnerabilities were able to infiltrate the global markets unnoticed through the supply chain itself. For instance, JSOF determined that a joint collaboration between Treck and a firm named Elmic Systems allowed the vulnerabilities to also propagate into the Japanese market more than 20 years ago.

When it comes to understanding the software flaws themselves, knowledge of two primary components of the vulnerability ecosystem is essential. These are the Common Weakness Enumeration (CWE) values and the Common Vulnerability Scoring System (CVSS) values. While there are many independent variables that dictate the overall classification of these values for each vulnerability in question, the CWE serves as a common language for describing the nature of the vulnerabilities themselves, while the CVSS scores provide a universal yardstick for measuring their overall severity.

With regard to the Ripple20 vulnerabilities, three of the most common CWE values are CWE-20, CWE-125, and CWE-200. CWE-20 (improper input validation) impacts the ability of the system to effectively validate input, potentially allowing an adversary to execute malicious code. A CWE-125 flaw (out-of-bounds read) could grant an adversary the ability to read memory outside the intended buffer. Lastly, a CWE-200 vulnerability could result in the exposure of sensitive information. Additionally, CVSS scores reflect not only the criticality of the flaw but also the degree of knowledge and access required to exploit it. Unfortunately, four of the Ripple20 flaws have a CVSS score of 9/10 or higher, meaning they can be weaponized for devastating impact without requiring considerable expertise from the attacker.

While JSOF has provided recommendations to help mitigate the risks of Ripple20, the overall reach and scope of the flaws have significant market implications. Adding greater complexity to this specific challenge is the age of the vulnerable infrastructure itself, as these zero-day vulnerabilities have managed to permeate into millions of products from over 100 vendors. Components utilizing the vulnerable network stack library have been discovered in industrial environments, healthcare, consumer, retail, utilities, aviation, enterprise, transportation, and even national security sectors.

The resulting impact of a successfully exploited Ripple20 vulnerability can take many forms. If the flaws were exploited properly, an attacker could gain total control over an internal network device from outside the network perimeter, through the internet-facing gateway. If multiple vulnerable devices were discovered, an adversary could potentially broaden their attack to target all unpatched components simultaneously. Lastly, a vulnerable device could allow an attacker to exploit a vulnerable component for years without ever being noticed. Depending on the type of device, the consequences of these attacks can range from annoying to potentially life-threatening.

It should be noted that while Treck was quick to update its TCP/IP stack to a version that addresses these vulnerabilities, that was the easier part of the security fix. Unfortunately, even after vendors have been notified that their products are affected, installing the patch has proven difficult for many of them. Furthermore, this remediation effort can prove impossible for vulnerable components still in use but whose vendors are no longer in business after 20 years.

The effort of tracking down all vulnerable components and systems, through a supply chain spanning two decades, will remain a considerable forensic challenge in the coming years. And this represents just one series of flaws. When combined with similar vulnerabilities that have already been discovered, and those that have yet to be uncovered, the fragile state of the IoT supply chain becomes clear. Without a more concerted effort to improve IoT and network device security, throughout the entire lifecycle from development to deployment and through to retirement, the IoT landscape will remain nearly impossible to secure.


Tanner Johnson is a cybersecurity analyst focused on IoT and transformative technologies at Omdia. His coverage is focused on examining the various threats that occupy the IoT technology domain, as well as opportunities and strategies that are emerging as data connectivity ... View Full Bio
