Security experts have warned for years that the drive to connect every device imaginable to the internet would offer a bonanza for hackers. Now researchers have found that one chunk of software designed to enable those internet connections is itself riddled with hackable vulnerabilities. As a result, security flaws have ended up in hundreds of millions of gadgets across the globe, from medical devices to printers to power grid and railway equipment.
Israeli security firm JSOF revealed on Tuesday a collection of vulnerabilities it's calling Ripple20, a total of 19 hackable bugs it has identified in code sold by a little-known Ohio-based software company called Treck, a provider of software used in internet-of-things devices. JSOF's researchers found one bug-ridden part of Treck's code, built to handle the ubiquitous TCP-IP protocol that connects devices to networks and the internet, in the devices of more than 10 manufacturers, from HP and Intel to Rockwell Automation, Caterpillar, and Schneider Electric. And JSOF believes it's likely in dozens of others. The result, the researchers say, is the better part of a billion hackable devices in the wild that have likely been vulnerable for years, and will need to be patched to protect them from a broad array of attacks.
Several of those Ripple20 attacks, named for the way the bugs "rippled" out from a single company and the year 2020, would allow any hacker who can connect to a target device—over the internet or a local network—to paralyze it or force it to run any malicious code they choose. The affected devices range from power supply systems in data centers to the programmable logic controllers used in power grids and manufacturing to medical infusion pumps.
JSOF says it discovered the Treck vulnerabilities while doing a security analysis of a single device last fall, finding that its TCP-IP stack contained hackable flaws. The firm soon realized that the code wasn't written by the device's manufacturer, but rather came from Treck—and that meant the bugs weren't in a single device, but everywhere, underscoring how widely IoT flaws can propagate. "Not that many people have heard of this company, but they are a leading provider of TCP-IP stacks, so they're at the beginning of a really complex supply chain," says JSOF CEO Shlomi Oberman. "The vulnerabilities in the stack got amplified by the ripple effect of the supply chain, so that they exist in pretty much any type of connected device I can think of."
Of the 19 bugs JSOF has revealed, a handful are particularly serious, allowing hackers to run their own commands on a target device—what's known as remote code execution—or for sensitive information to leak. "An attacker can take complete control of any of the affected devices," says Oberman. "It just depends on the device and your imagination."
An advisory from the Cybersecurity and Infrastructure Security Agency published Tuesday rates six of the 19 bugs between 7 and 10 on the CVSS scale, where 10 represents the most severe vulnerability. Two of the bugs scored a 10 out of 10. In its advisory, CISA "recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities," such as protecting vulnerable devices with firewalls and removing any connections to the public internet.
JSOF says it has contacted every vendor whose devices it has confirmed are affected, starting in February of this year, and many of the companies have released software updates. But internet-of-things devices, especially those in industrial settings with little downtime, often go unpatched for years. "It’s pretty safe to assume some of these devices can’t be updated, or some of the companies have ceased operations," says JSOF CEO Shlomi Oberman. He adds that it may take months or even a year longer to identify the full spectrum of companies and devices that include the buggy code. "This is maybe just the beginning of the end of the story," Oberman says.
Exactly how many of the devices that include Ripple20 bugs are directly hackable via the internet remains far from clear, says Jatin Kataria, the principal research scientist of Red Balloon Security, who reviewed JSOF's findings. He said he used Shodan, the search engine for internet-connected devices, to search for devices vulnerable to Ripple20 and found only a few thousand that appeared to be exposed on the internet. (JSOF says its own Shodan searches have turned up more than 100,000, by contrast.) But Kataria says that a more practical threat may be sophisticated hackers who find another way into networks and only then hack Ripple20-vulnerable devices as a second step. "To reach these devices, that’s a different question," says Kataria, but "if the attacker has access to these devices, it’s pretty bad."
Once an attacker does get inside the firewall and obtains the ability to connect to the vulnerable devices, the bugs would allow hackers to paralyze target devices or take control of them—a disturbing scenario in the case of the power utilities, railway, manufacturing, and medical environments that use some of the affected equipment, Kataria says. As troubling as the potential for sabotage may be, Kataria argues that a more likely possibility would be exploiting the vulnerabilities for espionage, hiding malware in devices in a way that offers a foothold for spies and escapes all detection by network defenders. "If you can get into the network, this is the perfect thing for persistence," Kataria says.
"We’ve recently been made aware of an independent security researcher’s work that resulted in the reporting of a group of vulnerabilities, of which Treck acted upon immediately," Treck said in a statement. "Treck has fixed all issues that were reported and made them available to our customers either through our newest code release, or patches." Embedded device firm Digi uses Treck's TCP-IP stack in its widely used hardware and software; information security officer Donald Schleede says the company couldn't replicate some of the attacks JSOF describes—and argues that the attacks would have to be customized for each vulnerable device. "It's very device-dependent and very firmware-version-dependent," Schleede says, noting that the company released fixes for vulnerable products in April. "Even though we couldn’t replicate it, we moved forward. We knew that a code review needed to happen."
Intel, too, responded in a statement that it had fixed four of the vulnerabilities in an update earlier this month, and it claimed that the bugs "require a nonstandard configuration for systems to be vulnerable" and "at this time, Intel is not aware of any customers using this configuration." HP responded that "we constantly monitor the security landscape and value work that helps us identify new potential threats," referring to the patches it has made available for the Ripple20 vulnerabilities.
The prevalence of so many bugs across hundreds of millions of gadgets for years shows just how messy the interdependent security ecosystem for the internet of things remains, says Red Balloon's Kataria. The insecure coding practices that made the Ripple20 bugs exploitable, he argues, would have been caught by the sort of vulnerability analysis that code must undergo to meet the standards recommended by the US Computer Emergency Response Team, and that the Department of Defense requires, for instance—a kind of analysis that appears not to have taken place for any of the numerous products that used Treck's TCP-IP stack.
"All these problems show that they haven't passed any kind of standardization, they haven't followed any rules or safe coding guidelines," says Kataria. "This is a problem for the whole industry, and it's something that needs to be fixed."