A series of newly discovered vulnerabilities in “internet of things” devices opens the door to hackers to gain access to both consumer and enterprise devices.

That’s according to a new report by security researchers at JSOF. The vulnerabilities, dubbed Ripple20, total 19 and relate to the Treck TCP/IP stack, a TCP/IP protocol suite designed for embedded systems. The vulnerabilities range between critical and high-severity and can be exploited in several ways, including remote code execution, denial of service attacks and stealing data. Most can be exploited by sending IP packets or DNS requests to the targets.

“The risks inherent in this situation are high,” the researchers explain. “Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks.”

The researchers do not put a solid number on just how many IoT devices may be affected but at the very least the figure is likely in the hundreds of millions. Affected vendors are said to range from one-person boutique shops to Fortune 500 multinational corporations including HP Inc., Schneider Electric SE, Intel Corp., Rockwell Automation Inc., Caterpillar Inc. and Baxter International Inc. Other major international vendors suspected of being of vulnerable include companies in medical, transportation, industrial control, enterprise, energy, telecom, retail and commerce.

“This is a classic case of finding critical vulnerabilities in embedded IoT devices that were designed years ago and may now be impossible or impractical to patch,” Phil Neray, vice president of IoT and industrial cybersecurity at IoT security firm CyberX Inc., told SiliconANGLE. “The best strategy is to implement compensating controls such as network segmentation to make it harder for adversaries to connect to these devices, plus Network Traffic Analysis with Security Orchestration, Automation, and Response to quickly spot anomalous behavior — and stop it — before they cause a safety incident, shut down production or steal intellectual property.”

Ben Seri, vice president of research at agentless device security company Armis Inc., noted that a vulnerability in the TCP/IP stack can be dangerous for the low level of access it can give attackers.

“By now we know that most businesses are running a huge number of connected devices in the workplace,” Seri said. “If an attacker exploits Ripple20 on one connected device, it could have a significant impact on an entire business network. Ripple20 is an example of how IoT can be a roadmap for attackers looking to target businesses. Since many companies don’t know what kind of IoT devices sit within their environments or know how to protect them, attackers are starting to see IoT as an easy entry point for short term gains and long-term attack campaigns.”

Scott Caveza, research engineering manager at cybersecurity firm Tenable Inc., noted that the affected library exists in sensitive devices, such as those found in industrial control applications, medical devices, power grids, oil and gas and more.

“As concerning as these 19 vulnerabilities are, this report highlights an often overlooked security concern: vendors reusing and repurposing common software libraries,” he said. “This practice creates challenges when it comes to identifying and patching logic and security issues in code, as it becomes a vendor-specific issue. A fix for one vulnerability might have multiple solutions from various vendors, and it’s possible specific patch attempts could open up additional attack vectors if not properly implemented.”

Image: JSOF