'Ripple20' Bugs Impact Hundreds of Millions of Connected Devices:
A series of 19 different vulnerabilities, four of them critical, are affecting hundreds of millions of internet of things (IoT) and industrial-control devices.
The issue is rooted in the supply chain and code reuse: the bugs affect a TCP/IP software library developed by Treck that many manufacturers use. Researchers at JSOF uncovered the faulty part of Treck's code, which handles the ubiquitous TCP/IP protocol that connects devices to networks and the internet, in the devices of more than 10 different manufacturers, and it is likely present in dozens more.
Affected hardware includes everything from connected printers to medical infusion pumps and industrial-control gear, according to researchers at JSOF's research lab. Treck users include "one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries," according to the research.
"The wide-spread dissemination of the software library (and its internal vulnerabilities) was a natural consequence of the supply chain 'ripple-effect,'" researchers said in a posting on Tuesday. "A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies and people."
The flaws, dubbed Ripple20, include four remote code-execution vulnerabilities. If exploited, they could allow data to be stolen from a printer, a medical device's behavior to be tampered with, or industrial-control devices to be made to malfunction.
"An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks," according to JSOF.
(Score: 1, Touché) by Anonymous Coward on Wednesday July 01 2020, @07:00PM (5 children)
Connect your refrigerator to the internet and don't forget to go cashless.
(Score: 0) by Anonymous Coward on Wednesday July 01 2020, @08:55PM (1 child)
Don't forget to download our FREE news/streaming/spyware/advertising app on to your refrigerator!
(Score: 0) by Anonymous Coward on Wednesday July 01 2020, @09:46PM
Don't worry it'll be done for you.
(Score: 2) by knarf on Wednesday July 01 2020, @09:23PM
Cashless or crashless, choose one...
(Score: 0) by Anonymous Coward on Wednesday July 01 2020, @09:27PM (1 child)
What does one have to do with the other? Is having a WiFi connected fridge the same as having a bank account now?
(Score: 3, Interesting) by Runaway1956 on Wednesday July 01 2020, @10:14PM
Kinda sorta in a roundabout way.
Someone will sell you a service, to keep your fridge stocked. The fridge will report to the vendor that your milk is almost empty and/or 2 days past expiration. That vendor will make sure the milk is replaced before you chug the chunky stuff down, and the chunks hang on your tonsils.
Oh - the cashless bit? Your vendor won't accept cash. He will need access to your credit/debit card information.
Abortion is the number one killer of children in the United States.
(Score: 0) by Anonymous Coward on Wednesday July 01 2020, @07:36PM
Does a manufacturer shit in the IoT devices?
(Score: 3, Informative) by SomeGuy on Wednesday July 01 2020, @08:52PM (4 children)
Here is a quick fix for your IoT device:
1: Remove your IoT device.
2: Smash it with a sledge hammer.
3: Do NOT buy another IoT device.
That third step is rather important.
This also works awesomely for smart phones and anything with blue LEDs.
(Score: 1, Funny) by Anonymous Coward on Wednesday July 01 2020, @10:54PM (3 children)
Also works for Confederate statues!
(Score: 0) by Anonymous Coward on Wednesday July 01 2020, @11:58PM (2 children)
Those who ignore history are forced to repeat it... could it be SJWs secretly want to be slave owners?
(Score: 1, Insightful) by Anonymous Coward on Thursday July 02 2020, @01:23AM (1 child)
Nobody wants slavery back, not even cotton farmers. Minimum wage is a way better deal for the wealthy.
(Score: 2) by The Vocal Minority on Friday July 03 2020, @02:45AM
So slavery never went away, it just changed to wage slavery?
(Score: 2) by Mojibake Tengu on Wednesday July 01 2020, @10:12PM (2 children)
https://treck.com/products/
https://treck.com/vulnerability-response-information/
No vulnerabilities publicly reported ever before this 19-pcs batch incident. For 23 years.
Technically, I'd call that business an embedded backdoor house.
Now, the most important question: Who's the man?
The edge of 太玄 cannot be defined, for it is beyond every aspect of design
(Score: 0) by Anonymous Coward on Wednesday July 01 2020, @11:58PM
"No vulnerabilities publicly reported ever before this 19-pcs batch incident. For 23 years.
Technically, I'd call that business an embedded backdoor house."
Least nefarious possible sequence:
They created a sort of OK stack and got some market traction in embedded devices. (Not sure why folks didn't choose something open? Maybe a GPL contamination issue?)
Bad guys (some with 3 letter hats) were happy that they could own so many diverse things.
An amazing 23 years elapsed...
Security folks found and (Sigh) published these holes.
Since the cat was out of the bag, marketing suggested that a burst of 'we fixed it' was in order.
Lesson: Spending good cash for a stack with a pedigree is not security.
(Score: 2) by driverless on Thursday July 02 2020, @01:18AM
Despite the attention-grabbing headlines, Treck isn't a very big player in the embedded space; you either get RTOSes with their own stacks, e.g. VxWorks, or more widely-used stacks like LWIP. I think I've only seen Treck used as part of Quadros.
The real threat in the IoT space is the fact that you're running a 2.6.x kernel (frighteningly popular still) with Apache 2.0 and a bunch of PHP or Perl scripts hacked together by an intern at 3am.
(Score: 2) by knarf on Wednesday July 01 2020, @11:22PM
In both German and Dutch and most likely some other Germanic languages the name of this company sounds filthy.
Yes, literally, more or less. Dreck in German, drek in Dutch, both words which mean 'filth, mud, dung, dirt, excrement, droppings' and more of the same.
A good name for this backdoor facilitator I'd say.