Millions of smart-home, networking and other so-called Internet of Things devices, including HP and Samsung printers and even the IT-management components on enterprise-grade PCs using Intel CPUs, are vulnerable to hacking over the internet -- and sadly, many of those devices may never be patched.
Researchers at Israeli cybersecurity firm JSOF discovered 19 separate vulnerabilities in a two-decade-old small TCP/IP stack — a networking-software code library — developed by U.S. company Treck, Inc.
Collectively named "Ripple20," the flaws "affect hundreds of millions of devices (or more) and include multiple remote code execution vulnerabilities," JSOF explained on its website yesterday (June 16).
In plain English, that means attackers could reach out over the internet to install and run malware on zillions of devices. It's even easier if an attacker manages to get on the same local network as a targeted device.
"Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction," JSOF said. "An attacker could hide malicious code within embedded devices for years."
Video demonstration of Ripple20 flaws
In a video posted to YouTube, JSOF CEO Shlomi Oberman shows how a small miniboard computer could use the Ripple20 vulnerabilities to hack into an uninterruptible power supply (UPS) device.
The UPS device is powering a medical infusion pump, an HP small office/home office printer and a lamp, so when the UPS shuts off, so do the other devices.
The video states that brand names were obscured at the request of the vendors, but the UPS device appears to be an APC Smart-UPS C 1500 (made by Schneider Electric), and you can clearly see that the printer is an HP OfficeJet 8720.
Dozens of device makers potentially affected
Security advisories on the Ripple20 flaws were issued yesterday by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and the Computer Emergency Response Team (CERT) Coordination Center, both of which collaborated with JSOF on finding affected devices.
The flawed TCP/IP stack exists, according to JSOF, in industrial, medical, smart-home, networking, enterprise and retail devices, as well as in embedded devices found in transportation, aviation, government and the energy industry.
Other security advisories came from the Japanese and Israeli governments' own CERTs, as well as from embedded-device makers Caterpillar, Rockwell Automation, Green Hills, B. Braun and Schneider Electric.
HP issued an advisory concerning Ripple20 flaws on about 90 different HP and Samsung-branded printers, and said it had updated firmware for most. Intel issued an advisory about Ripple20 flaws in its CSME, SPS, TXE, AMT, ISM and DAL computer-management software.
Devices made by more than five dozen other vendors, including Broadcom, Cisco, Dell, GE, Honeywell, Nvidia and Philips, may also be vulnerable.
Owners of smart home devices can't do much (yet)
Looming in the background is the likelihood that this flawed TCP/IP stack, which dates back to 1997 and has since been forked into two development paths managed by different companies, is embedded deep in many devices without the knowledge of their manufacturers and users.
Most of the advice given is to device manufacturers and their industrial and enterprise clients, and basically consists of upgrading device firmware and software to include the latest version of Treck's TCP/IP stack.
(Oberman told ZDNet that when his firm contacted Treck about the flaws, Treck initially thought the notification was a shakedown attempt.)
Unfortunately, it's not clear what owners of smart-home devices and other consumer devices can do, except to install software and firmware updates from their devices' manufacturers if and when those updates come.
Flaws spread undetected for more than 20 years
The Ripple20 vulnerabilities are so widespread, JSOF said, because Treck's variation of the TCP/IP stack has been used by such a large number of embedded-device makers.
"A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," the JSOF report says. "Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations."
Unfortunately, it's not that easy to identify which devices are vulnerable to the Ripple20 flaws. JSOF said it "will be providing scripts for the identification of products running Treck upon request" and provides a contact email address at firstname.lastname@example.org, but it's not clear who will get to see the information.
The JSOF research team will be presenting more details during the Black Hat USA (virtual) security conference this August, but you can read a technical white paper on the Ripple20 flaws now.