19 critical errors in a widespread TCP/IP implementation with potentially fatal consequences: With modified IP packets, arbitrary commands can be executed on IoT devices and critical data can be read out.[1] The responsible ICS-CERT rightfully rates some of these vulnerabilities with the maximum severity of 10 on the CVSSv3 scale. [2]

“Ripple20.” Millions of devices are vulnerable

Smart homes and smart cities, sockets, routers, as well as medical equipment, sensors and critical control or transport systems such as aircraft or satellites are equipped with a TCP/IP stack and an Internet connection. Small standard modules are processed. The vulnerable TCP/IP stack from the company Treck is optimized for embedded devices and is used by well-known companies like Baxter, Intel, Schneider Electric, HP and Rockwell Automation. Many of the security gaps that have now been discovered, collectively referred to as “Ripple20”, are due to the fact that length restrictions of individual fields are ignored. Attackers can thus infiltrate and execute code, but also read critical data. Millions of devices are affected worldwide.

The manufacturer has fixed the flaws discovered by security researchers from JSOF in an update to version 6.0.1.67. However, it is unclear how the update will affect the vulnerable devices – many are simply not designed to update. The question of how users can tell whether their system is vulnerable or which software version is used on it also remains open.

“First aid”: measures at network level

“Ripple20 is possibly one of the most fatal security holes ever,” says Benjamin Paar, Senior System Engineer for OT/IoT Security at IKARUS: “Errors of this kind can be avoided if security-critical considerations are part of every development process from the very beginning – no matter how unlikely it may seem at first glance that an attack could ever occur here. It is definitely time for a rethink, away from fast and cheap to sustainable and secure. Every system that can be connected to Internet should have a secure and reliable update option. Otherwise, I would not consider it secure.”

As a safeguard against “Ripple20”, it is recommended to implement measures at the network level to block suspicious IP packets and source routing.[3] “Especially in the area of industrial plants, visibility is therefore the first step to be able to identify and counteract potential sources of danger”, says Christian Fritz, COO at IKARUS: “With an overview of all devices and systems, targeted measures can be taken on the basis of qualified alerts”. IKARUS technology partner Nozomi Networks anticipates that there will be further vulnerabilities in this context – not all affected companies and products are known yet. “Based on the information published so far, it can be said that advanced skills are required to exploit the discovered vulnerabilities,” says Benjamin Paar: “So far, we have no indications that attacks have already occurred or are underway.” So, this is a game of time – and now is the perfect time to find out about optimal protection measures.

Read more: IKARUS managed.defense: Transparency and Security in IT, OT and IoT environments

[1] https://www.jsof-tech.com/ripple20/

[2] https://www.us-cert.gov/ics/advisories/icsa-20-168-01

[3] https://github.com/CERTCC/PoC-Exploits/blob/master/vu-257161/recommendations.md