Millions of IoT Medical Devices Impacted by Ripple20 Vulnerabilities

Researchers discovered 19 vulnerabilities called Ripple20 impacting the TCP/IP communication stack found in hundreds of millions of connected devices, including IoT medical tech.

By Jessica Davis

Hundreds of millions of connected devices, including IoT medical devices, are impacted by a group of 19 vulnerabilities known as Ripple20, found in the devices’ TCP/IP communication stack, according to research from JSOF.

For the healthcare sector, these vulnerabilities compound two risks that already plague its medical devices: long-lived legacy systems and slow, difficult patch management.

The Department of Homeland Security followed the report with an alert on the vulnerabilities, detailing their potential impact. Officials warned that a remote attacker could exploit some of them to take control of an affected system.

The flaws are found in a widely used low-level TCP/IP software library developed by Treck, an Ohio-based developer of network protocol stacks for embedded devices, and include multiple remote code execution vulnerabilities.

The majority of these flaws are caused by memory management bugs, while “historically related KASAGO TCP/IP middleware from Zuken Elmic (formerly Elmic Systems) is also affected by some of these vulnerabilities.”

These high-risk vulnerabilities could allow an attacker to carry out a range of malicious activities, such as stealing data, altering the behavior of an infusion pump, or causing a device to malfunction.

Of these flaws, four are rated critical: two carry the maximum CVSS score of 10 and the other two are scored at or above 9.0, one of which, an information leak, is rated 9.1.

Further, an exploit could allow an attacker to gain access from outside the network. The report shows that the vulnerabilities are present in critical IoT devices from a wide range of vendors, including Schneider Electric, Intel, Rockwell Automation, and vendors serving the medical and enterprise markets, among others.

Overall, most sectors could be impacted by these device flaws, including government and national security. The full extent of the impact is hard to calculate because some affected vendors also redistribute software derived from Treck’s stack to their own customers.

“The interesting thing about Ripple20 is the incredible extent of its impact, magnified by the supply chain factor,” researchers explained. “The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain ‘ripple-effect.’”

“A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people,” they added.

Treck has notified all of its customers and has released patches for the flaws JSOF reported. But given how widely the affected software has been redistributed, these flaws are likely to persist, with some devices remaining unpatched, for the foreseeable future.

According to the DHS alert, more than 24 companies show an “unknown” status for their exposure to the Ripple20 flaws, and JSOF’s report lists more than 60 vendors with a “pending” status.

Some vendors have already published their own advisories and mitigations, among them Schneider Electric and Rockwell Automation, as have some medical device manufacturers.

DHS also provided recommended mitigations to reduce the risk posed by Ripple20. After performing a proper impact analysis and risk assessment, and before deploying other defensive measures, organizations should minimize network exposure for all control system devices and/or systems and ensure they are not accessible from the internet.

IT administrators should place control system networks and remote devices behind firewalls and isolate them from the enterprise network. Where remote access is required, it should go through secure methods such as a Virtual Private Network (VPN).

DHS reminded administrators that VPNs also have vulnerabilities, so it’s imperative the access points are updated to the latest software version.

“Also recognize that VPN is only as secure as the connected devices,” DHS officials warned. “Use an internal DNS server that performs DNS-over-HTTPS for lookups.”
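The segmentation DHS recommends above, as an added example that is not part of the article or of the DHS alert: an nftables ruleset for a Linux gateway that sits between a medical-device/control-system VLAN and the enterprise network. The interface names, subnets, VPN address pool, jump-host address and the two service ports the devices are allowed to receive are all assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the article, DHS or any vendor. It assumes a Linux
# gateway with the device VLAN on eth1 and the enterprise network on eth0, and
# that a VPN concentrator on the enterprise side hands remote users addresses
# from 10.99.0.0/24. Adjust every define to the real environment.

flush ruleset

define DEV_IF   = "eth1"          # assumed: device VLAN side
define WAN_IF   = "eth0"          # assumed: enterprise/internet side
define DEV_NET  = 10.20.0.0/24    # assumed: device VLAN
define VPN_POOL = 10.99.0.0/24    # assumed: address pool of the VPN concentrator
define MGMT     = 10.10.5.10      # assumed: engineering jump host

table inet devnet {
    chain forward {
        # Default deny: any path not listed below is refused.
        type filter hook forward priority filter; policy drop;

        # Allow replies for connections that were permitted on the way in.
        ct state established,related accept
        ct state invalid drop

        # Devices never initiate traffic out of their segment, so they cannot
        # reach the internet and cannot talk to anything but a resolver and
        # servers inside their own VLAN.
        iifname $DEV_IF oifname $WAN_IF drop

        # Only VPN-terminated users or the jump host may reach the devices, and
        # only on the services they actually need (assumed here: HTTPS and SSH).
        iifname $WAN_IF oifname $DEV_IF \
            ip saddr { $VPN_POOL, $MGMT } ip daddr $DEV_NET \
            tcp dport { 443, 22 } accept

        # Everything else aimed at the device VLAN is logged, then dropped.
        iifname $WAN_IF oifname $DEV_IF log prefix "devnet-blocked: " drop
    }
}
```

Load it on the gateway with `nft -f <file>`. Because the forward chain's policy is drop, exposing a new service to the devices means adding an explicit accept rule rather than loosening a general one, and the logged `devnet-blocked:` entries give administrators the evidence of suspected malicious activity that DHS asks them to report.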

“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents,” they concluded. “High skill level is needed to exploit. No known public exploits specifically target these vulnerabilities.”