Ripple20 puts TCP/IP, and with it a large part of the internet-connected world, at risk. We're talking about hundreds of millions of IoT devices, potentially more, and not only those: data centers, power grids, and who knows what else. Ripple20 is so far reaching that experts cannot yet measure its full implications.
It all started on June 16 when a group of cyber-security researchers unveiled a pernicious set of bugs in a small networking library designed in the 1990s by Treck, an Ohio-based IoT software provider. Treck's library has been embedded in countless hardware and software products over the last 20 years. The Israeli firm behind the discovery, JSOF, revealed 19 exploitable vulnerabilities in the library. The set of bugs, codenamed Ripple20, includes flaws that allow remote code execution and others that leak sensitive information.
JSOF had been examining Treck's TCP/IP stack since September 2019 before discovering the vulnerabilities in its code. The work began during a security analysis of a single device last fall. The device's manufacturer was not at fault: the flawed code came from the Treck library it had integrated.
According to JSOF's researchers, the issues lie in Treck's implementation of TCP/IP, the foundational protocol suite of the internet. Experts estimate that affected products include smart home devices, power grid equipment, healthcare systems, industrial gear, transportation systems, printers, routers, mobile/satellite communications equipment, data center devices, commercial aircraft devices, various enterprise solutions, and many others.
Much of the software that depends on Treck's library will most likely remain unpatched because of supply-chain complexity. The problem is that not only equipment vendors integrated Treck's library; software suites of all kinds did as well. As a consequence, many companies are now running Treck's library without even knowing it. The library, after all, dates back to 1997, and enterprises of all sizes have been using it for decades as a foundational layer in their software stacks. The JSOF team has, however, been working with CERTs in various countries to coordinate the difficult patching process.