'Ripple20' Bugs Impact Hundreds of Millions of Connected Devices:
A series of 19 different vulnerabilities, four of them critical, are affecting hundreds of millions of internet of things (IoT) and industrial-control devices.
The issue is based in the supply chain and code reuse, with the bugs affecting a TCP/IP software library developed by Treck that many manufacturers use. Researchers at JSOF uncovered the faulty part of Treck's code, which is built to handle the ubiquitous TCP-IP protocol that connects devices to networks and the internet, in the devices of more than 10 different manufacturers—and it's likely present in dozens more.
Affected hardware includes everything from connected printers to medical infusion pumps and industrial-control gear, according to researchers at JSOF's research lab. Treck users include "one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being of vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries," according to the research.
"The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain 'ripple-effect,'" researchers said in a posting on Tuesday. "A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies and people."
The flaws, dubbed Ripple20, include four remote code-execution vulnerabilities. If properly exploited, data could be stolen off of a printer, a medical device's behavior could be tampered with, or industrial control devices could be made to malfunction.
"An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks," according to JSOF.
(Score: 3, Informative) by SomeGuy on Wednesday July 01 2020, @08:52PM (4 children)
Here is a quick fix for your IoT device:
1: Remove your IoT device.
2: Smash it with a sledge hammer.
3: Do NOT buy another IoT device.
That third step is rather important.
This also works awesomely for smart phones and anything with blue LEDs.
(Score: 1, Funny) by Anonymous Coward on Wednesday July 01 2020, @10:54PM (3 children)
Also works for Confederate statues!
(Score: 0) by Anonymous Coward on Wednesday July 01 2020, @11:58PM (2 children)
Those who ignore history are forced to repeat it... could it be SJWs secretly want to be slave owners?
(Score: 1, Insightful) by Anonymous Coward on Thursday July 02 2020, @01:23AM (1 child)
Nobody wants slavery back, not even cotton farmers. Minimum wage is a way better deal for the wealthy.
(Score: 2) by The Vocal Minority on Friday July 03 2020, @02:45AM
So slavery never went away, it just changed to wage slavery?