'Hundreds of millions' of smart home devices and PCs can be hacked remotely

Millions of smart-home, networking and other so-called Internet of Things devices, including HP and Samsung printers and even the IT-management components on enterprise-grade PCs using Intel CPUs, are vulnerable to hacking over the internet -- and sadly, many of those devices may never be patched.

Researchers at Israeli cybersecurity firm JSOF discovered 19 separate vulnerabilities in a two-decade-old small TCP/IP stack — a networking-software code library — developed by U.S. company Treck, Inc. 

Collectively named "Ripple20," the flaws "affect hundreds of millions of devices (or more) and include multiple remote code execution vulnerabilities," JSOF explained on its website yesterday (June 16).

In plain English, that means attackers could reach out over the internet to install and run malware on zillions of devices. It's even easier if an attacker manages to get on the same local network as a targeted device.

"Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction," JSOF said. "An attacker could hide malicious code within embedded devices for years."

Video demonstration of Ripple20 flaws

In a video posted to YouTube, JSOF CEO Shlomi Oberman shows how a small miniboard computer could use the Ripple20 vulnerabilities to hack into an uninterruptible power supply (UPS) device. 

The UPS device is powering a medical infusion pump, an HP small office/home office printer and a lamp, so when the UPS shuts off, so do the other devices. 

The video states that brand names were obscured at the request of the vendors, but the UPS device appears to be an APC Smart-UPS C 1500 (made by Schneider Electric), and you can clearly see that the printer is an HP OfficeJet 8720.

Dozens of device makers potentially affected

Security advisories on the Ripple20 flaws were issued yesterday by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and the Computer Emergency Response Team (CERT) Coordination Center, both of which collaborated with JSOF on finding affected devices. 

The flawed TCP/IP stack exists, according to JSOF, in industrial, medical, smart-home, networking, enterprise and retail devices, as well as in embedded devices found in transportation, aviation, government and the energy industry.

Other security advisories came from the Japanese and Israeli governments' own CERTs, as well as from embedded-device makers Caterpillar, Rockwell Automation, Green Hills, B. Braun and Schneider Electric.

HP issued an advisory concerning Ripple20 flaws on about 90 different HP and Samsung-branded printers, and said it had updated firmware for most. Intel issued an advisory about Ripple20 flaws in its CSME, SPS, TXE, AMT, ISM and DAL computer-management software.

Devices made by more than five dozen other vendors, including Broadcom, Cisco, Dell, GE, Honeywell, Nvidia and Philips, may also be vulnerable. 

Owners of smart home devices can't do much (yet)

Looming in the background is the likelihood that this flawed TCP/IP stack, which dates back to 1997 and has since been forked into two development paths managed by different companies, is embedded deep in many devices without the knowledge of their manufacturers and users.

Most of the advice given is to device manufacturers and their industrial and enterprise clients, and basically consists of upgrading device firmware and software to include the latest version of Treck's TCP/IP stack.

(Oberman told ZDNet that when his firm contacted Treck about the flaws, Treck initially thought the notification was a shakedown attempt.)

Unfortunately, it's not clear what owners of smart-home devices and other consumer devices can do, except to install software and firmware updates from their devices' manufacturers if and when those updates come.

Flaws spread undetected for more than 20 years

The Ripple20 vulnerabilities are so widespread, JSOF said, because Treck's variation of the TCP/IP stack has been used by such a large number of embedded-device makers. 

"A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," the JSOF report says. "Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations."

Unfortunately, it's not that easy to identify which devices are vulnerable to the Ripple20 flaws. JSOF said it "will be providing scripts for the identification of products running Treck upon request" and provides a contact email address at ripple20@jsof-tech.com, but it's not clear who will get to see the information.

The JSOF research team will be presenting more details during the Black Hat USA (virtual) security conference this August, but you can read a technical white paper on the Ripple20 flaws now.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.