Critical security flaws found in millions of IoT devices
Security researchers have discovered 19 critical vulnerabilities in a little known software library that is nevertheless used in hundreds of millions of connected devices, including some that could allow for remote code execution.
The vulnerabilities in TCP/IP code from Cincinnati-based Treck were discovered by Israel's JSOF, which has published a report detailing its findings. JSOF has collectively named the vulnerabilities Ripple20.
Risk scenarios include external attackers taking over devices within the network, targeting specific devices within compromised networks, broadcasting attacks capable of taking over all affected devices simultaneously, and launching attacks from outside network boundaries.
"In all scenarios, an attacker can gain complete control over the targeted device remotely, with no user interaction required," the report states.
The code is used in a wide range of IoT devices, from medical devices to office printers and aviation systems. Devices are also in use in power grids, oil and gas platforms, transport networks and even in government.
"The risks inherent in this situation are high. Just a few examples: data could be stolen off of a printer, an infusion pump behaviour changed, or industrial control devices could be made to malfunction," JSOF said in its report.
"An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks."
JSOF named the vulnerabilities Ripple20 because of the wide range of devices that are potentially vulnerable. The company said widespread dissemination of the vulnerable software library was a natural consequence of the supply chain “ripple-effect”, whereby a single vulnerable component can ripple outward to impact a wide range of industries, applications, companies and people.
JSOF first discovered the vulnerabilities late last year, and has gone public on a date agreed to with Treck. The companies have been working together to inform clients of the vulnerabilities and seek to address the issues.
But Tenable Research Engineering Manager Scott Caveza said the vulnerabilities in potentially billions of devices may never be fully addressed.
"Since these vulnerabilities exist in a low-level TCP/IP stack used by dozens of vendors and devices, it's difficult to determine how many vendors will acknowledge, let alone release patches for affected devices," he said.
"Adding to the difficulty, many of these are IoT/SCADA devices, which may be difficult to patch or upgrade. At the time the report was released, eight vendors were confirmed to be affected, five were listed as not affected and an overwhelming 66 are still pending."
Caveza said the incident highlights a security concern that is too often overlooked — vendors re-using and repurposing common software libraries.
"This practice creates challenges when it comes to identifying and patching logic and security issues in code, as it becomes a vendor-specific issue," he said.
"A fix for one vulnerability might have multiple solutions from various vendors, and it's possible specific patch attempts could open up additional attack vectors if not properly implemented."
Palo Alto Networks has issued a critical security update for PAN-OS following the discovery of...
The federal government has announced a $1.35bn investment program aimed at enhancing...
Security experts warn that the major cyber attack targeting Australian government departments and...