IoT Ripples and Crumbles … Again

Just when it seems that IoT security could not get any lower, the Department of Homeland Security and CISA ICS-CERT have issued an advisory covering 19 vulnerabilities affecting more than 500 vendors, which will have a significant effect on billions of devices. These vulnerabilities have been named Ripple20 and were found by JSOF (an Israeli cybersecurity company). The name Ripple20 comes from the year (2020) and from the ripple effect that flaws in a single company's code have across the industry.

JSOF found the vulnerabilities when they recently tested a device: they found some major flaws and then traced them to software written by Treck. Treck is a company that focuses on creating the network stack used in many IoT products. Of the vulnerabilities found, JSOF reports that some of them allow remote access to a device without any user interaction [here]:

Five of the vulnerabilities have a CVSS score of 9 or above:

  • CVE-2020-11896 (CVSS v3 base score 10.0): This involves incorrect handling of the length of a UDP packet, allowing remote code execution.
  • CVE-2020-11897 (CVSS v3 base score 10.0): This involves incorrect handling of IPv6 packets, and can create an out-of-bounds write.
  • CVE-2020-11898 (CVSS v3 base score 9.8): This involves incorrect handling of the length of an ICMP packet, allowing remote code execution.
  • CVE-2020-11899 (CVSS v3 base score 9.8): This involves incorrect validation of IPv6 packets, and can expose sensitive data.
  • CVE-2020-11900 (CVSS v3 base score 9.3): This involves incorrect handling of IPv4 tunneling, and could support remote code execution.
  • CVE-2020-11901 (CVSS v3 base score 9.0): This involves incorrect DNS resolving, and may result in remote code execution.
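Several of the entries above share one root cause class: a length field carried inside the packet is trusted instead of being checked against how many bytes the lower layer actually delivered. The following is an added illustration of the defensive check, written for this post; it is not Treck's code and says nothing about how their stack is structured. It assumes a hypothetical IPv4 receive path that hands a UDP datagram parser the payload buffer and its delivered length, and it uses constructed sample datagrams rather than captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* UDP header size as carried inside an IP payload (RFC 768). */
#define UDP_HDR_LEN 8

/* Result of validating one UDP datagram against the enclosing IP payload. */
typedef struct {
    int ok;              /* 1 if the datagram is consistent, 0 if rejected */
    uint16_t udp_len;    /* length field exactly as carried in the header  */
    size_t payload_len;  /* bytes of application data when ok == 1         */
} udp_check_t;

/* Read a big-endian 16-bit field. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate a UDP datagram of `ip_payload_len` bytes, i.e. the length the IP
 * layer actually delivered (hypothetical interface, assumed for this example).
 * The header's own length field is untrusted input: it must cover at least the
 * header itself and must not exceed what was delivered. Using that field for a
 * copy without these two checks is the bug class the post describes; here an
 * inconsistent datagram is simply rejected. */
udp_check_t udp_validate(const uint8_t *ip_payload, size_t ip_payload_len)
{
    udp_check_t r = {0, 0, 0};
    if (ip_payload == NULL || ip_payload_len < UDP_HDR_LEN)
        return r;                        /* too short to hold a header        */
    r.udp_len = rd16(ip_payload + 4);    /* length field = header + data      */
    if (r.udp_len < UDP_HDR_LEN)
        return r;                        /* claims less than the header size  */
    if (r.udp_len > ip_payload_len)
        return r;                        /* claims more than was delivered    */
    r.ok = 1;
    r.payload_len = (size_t)r.udp_len - UDP_HDR_LEN;
    return r;
}

/* Copy the application data into `out` only if the datagram validated and the
 * destination is large enough. Returns bytes copied, or -1 on rejection. */
int udp_copy_payload(const uint8_t *ip_payload, size_t ip_payload_len,
                     uint8_t *out, size_t out_cap)
{
    udp_check_t c = udp_validate(ip_payload, ip_payload_len);
    if (!c.ok || c.payload_len > out_cap)
        return -1;
    memcpy(out, ip_payload + UDP_HDR_LEN, c.payload_len);
    return (int)c.payload_len;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t GOOD[] = {
    0x04, 0xd2,  /* src port 1234                         */
    0x00, 0x35,  /* dst port 53                           */
    0x00, 0x0c,  /* length 12 = 8 header + 4 data         */
    0x00, 0x00,  /* checksum (not verified in this example) */
    'p', 'i', 'n', 'g'
};
static const uint8_t OVERLONG[] = {
    0x04, 0xd2, 0x00, 0x35,
    0xff, 0xff,  /* length 65535, far beyond the 12 bytes delivered */
    0x00, 0x00,
    'p', 'i', 'n', 'g'
};
static const uint8_t UNDERLONG[] = {
    0x04, 0xd2, 0x00, 0x35,
    0x00, 0x03,  /* length 3, smaller than the 8-byte header */
    0x00, 0x00
};

/* File-scope scratch buffer so the copy routine can be exercised directly. */
static uint8_t g_scratch[64];

int main(void)
{
    printf("good:      %d\n", udp_copy_payload(GOOD, sizeof GOOD, g_scratch, sizeof g_scratch));
    printf("overlong:  %d\n", udp_copy_payload(OVERLONG, sizeof OVERLONG, g_scratch, sizeof g_scratch));
    printf("underlong: %d\n", udp_copy_payload(UNDERLONG, sizeof UNDERLONG, g_scratch, sizeof g_scratch));
    return 0;
}
```

The point of the two-sided check is that both directions matter: a length smaller than the header leads to an underflow when the payload size is computed, and a length larger than the delivered buffer leads to an over-read or over-copy. A stack that cannot be patched in the field is exactly where this kind of input validation has to be right the first time.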

The vendors definitely affected include HP, Intel and Rockwell Automation, but others such as Cisco, Honeywell and BAE Systems are still to report on whether their devices are vulnerable. While vendors should normally report on their vulnerabilities within 90 days, COVID-19 disruptions have led to a concession on the reporting period, which has been extended to 120 days.

Vendors should patch to Treck TCP/IP stack version 6.0.1.67 or higher. The greatest worry is that many IoT devices have no mechanism to update them, and thus devices within health care and within critical national infrastructure could be left unpatched. JSOF has used Shodan searches to identify at least 100,000 Internet-enabled devices that are directly connected to the Internet, but there are likely to be billions of vulnerable devices behind firewalls that could be affected.

Conclusions

We need security by design, and not as an afterthought.