Login to your account

Username *
Password *
Remember Me

Create an account

Fields marked with an asterisk (*) are required.
Name *
Username *
Password *
Verify password *
Email *
Verify email *
Captcha *
Reload Captcha

Ripple20 Bug Exposes Millions of IoT Devices

Written by  Jun 16, 2020

Exactly how many of the devices that include Ripple20 bugs are directly hackable via the internet remains far from clear, says Jatin Kataria, the chief research scientist of Red Balloon Security, who reviewed JSOF's findings.

He said he used Shodan, the search engine for internet-connected devices, to search for devices vulnerable to Ripple20, and found only some thousands that appeared to be exposed on the internet. (JSOF says its own Shodan searches have exposed more than 100,000, by contrast.) But Kataria says that a more practical threat may be sophisticated hackers who find another way into networks and only then hack Ripple20-vulnerable devices as a second step. "To reach these devices, that’s a different question," says Kataria, but "if the attacker has access to these devices, it’s pretty bad."

Once an attacker does get inside the firewall and obtains the ability to connect to the vulnerable devices, the bugs would allow hackers to paralyze target devices or take control of them—a disturbing scenario in the case of the power utilities, railway, manufacturing, and medical environments that use some of the affected equipment, Kataria says. As troubling as the potential for sabotage may be, Kataria argues a more likely possibility would be exploiting the vulnerabilities for espionage, hiding malware in devices that offers a foothold for spies and escapes all detection by network defenders. "If you can get into the network, this is the perfect thing for persistence," Kataria says.


"We’ve recently been made aware of an independent security researcher’s work that resulted in the reporting of a group of vulnerabilities, of which Treck acted upon immediately," Treck said in a statement. "Treck has fixed all issues that were reported and made them available to our customers either through our newest code release, or patches." Embedded device firm Digi uses Treck's TCP-IP stack in its widely used hardware and software; information security officer Donald Schleede says the company couldn't replicate some of the attacks JSOF describes—and argues that the attacks would have to be customized for each vulnerable device. "It's very device dependent and very firmware version dependent," Schleede says, noting that the company released fixes for vulnerable products in April. "Even though we couldn’t replicate it we moved forward. We knew that a code review needed to happen."

Intel, too, responded in a statement that it had fixed four of the vulnerabilities in an update earlier this month, and claimed that the bugs "require a non-standard configuration for systems to be vulnerable" and "at this time, Intel is not aware of any customers using this configuration." HP responded that "we constantly monitor the security landscape and value work that helps us identify new potential threats," referring to patches for the Ripple20 vulnerabilities available here.

The prevalence of so many bugs across hundreds of millions of gadgets for years shows just how messy the interdependent security ecosystem for the internet of things remains, says Red Balloon's Kataria. The insecure coding practices that made the Ripple20 bugs exploitable, he argues, would have been caught by the sort of vulnerability analysis that's required for code to meet the standards recommended by the US Computer Emergency Response Team and is required by the Department of Defense, for instance—a kind of analysis that appears not to have taken place for any of the numerous products that used Treck's TCP-IP stack.

"All these problems show that they haven't passed any kind of standardization, they haven't followed any rules or safe coding guidelines," says Kataria. "This is a problem for the whole industry, and something that needs to be fixed."

Peter Flynn

Creator and director of IT Security Centre UK.

I have worked in the IT industry for many years and developed my IT security skills in particular. As this area has always been of interest to me and is more important now than ever.


Popular in IoT

Jun 16, 2020 Internet of Things

Ripple20 Bug Exposes Millions of IoT Devices

Exactly how many of the devices that include Ripple20 bugs are directly hackable via the internet remains far from clear...

Jun 08, 2020 Internet of Things

Why Cybersecurity is important for IoT?

IoT encompasses any device that is able to connect with the internet and transmit data.

May 30, 2020 Internet of Things

UK Government plans to boost security of consumer smart devices

The UK government has launched a £400,000 funding pot for innovators to design schemes to boost the security of interne...

Mar 06, 2020 Internet of Things

Most Businesses Already Use IoT Platforms Despite Cyber Security Risks

The use of Internet of Things platforms in business is increasing, in spite of the very real cybersecurity risks. ...

Symantec Home 120x60