Ripple20 Vulnerabilities Expected to Have Long Term Impacts on IoT Landscape

Created: Thursday, June 18, 2020 - 14:24
Categories:
Cybersecurity

Earlier this week, security researchers disclosed 19 vulnerabilities in a small TCP/IP library developed by the software company Treck. The library has been licensed and integrated into many enterprise and consumer-grade products over the last 20+ years, and the number of affected devices is estimated at "hundreds of millions". Affected product categories include smart home devices, power grid equipment, healthcare systems, industrial gear, transportation systems, printers, routers, mobile and satellite communications equipment, data center devices, commercial aircraft devices, and various enterprise solutions. Because the library is often embedded deep inside complex or untracked software supply chains, sometimes without the final vendor knowing it is there, experts fear that many affected products will remain unpatched.

Since September 2019, researchers from JSOF, a small boutique cybersecurity consultancy based in Jerusalem, Israel, have been examining Treck's TCP/IP stack because of its broad footprint across the industrial, healthcare, and smart device markets. Their work unearthed serious vulnerabilities, and the JSOF team has been working with CERTs (computer emergency response teams) in several countries to coordinate disclosure and patching. JSOF says the work of identifying all vulnerable devices is not yet done. The researchers named the 19 vulnerabilities Ripple20 not because there were 20 of them to begin with, but because of the ripple effect they will cause in the IoT landscape in 2020 and the years to come.

The impact of Ripple20 is currently expected to mirror that of the Urgent/11 vulnerabilities disclosed in July 2019, which are still being investigated today, with newly identified vulnerable devices being found and patched on a regular basis. As with Urgent/11, some products will remain unpatched because they have reached end-of-life or because their vendors have shut down operations in the meantime. Read the articles at ZDNet and Forescout.