A dangerous new vulnerability has been discovered affecting millions of IoT devices, this time spanning across all major device types. The dangerous factor is that the issue mainly concerns older devices which are must more difficult to patch, or in some cases impossible. The problem lies within the implementation of the core networking stack, as a result the hackers can achieve deep device intrusions. The problem is tracked in two advisories such as CVE-2020-11896 and CVE-2020-11898.
Networking Stack Issue Affects Millions of IoT Devices: The Ripple20 Vulnerability Is Rated as Critical
A team of security experts has discovered a dangerous security issue which appears to affect millions of older IoT devices. The reason why this is rated as critical and should be approached with caution is that it affects mainly devices that are older and are no longer in production. This means that the device manufacturers will no longer support them and patches are not expected to be issued.
The name Ripple20 refers to a total of 19 vulnerabilities which are found within the networking stack and used in different versions. Four of the security issues are actually assigned with a critical rating and allow for remote code execution — the ability of the hackers to execute different commands on the affected devices. What is more important about the bugs is that they are zero-day vulnerabilities — they have not been known to the security community so far. The manufacturers of the devices range from large Fortune 500 corporations to small batch ordered from small companies. This includes IoT devices and embedded devices that are used in the following segments:
- Medical Institutions
- Industrial Control
- The Enterprise Sector
- Energy (Oil and Gas) Companies
- Telecom Providers
- Commerce and Retail
A proof-of-concept demonstration has been found online. The actual advisories that give information about the sets of vulnerabilities are the following:
- CVE-2019-11896 — A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction.
- CVE-2020-11898 –Treck IP stack implementations for embedded systems are affected by multiple vulnerabilities. This set of vulnerabilities was researched and reported by JSOF, who calls them Ripple20.
The vulnerabilities can be used bypass the security mechanisms and directly overtake control of the devices. The hackers that make use of the can silently intrude onto the devices without the owners noticing. As this intrusion is made using crafted packets that are sent to the device owners. They are very similar to valid packets or, in some cases, actual valid packets that are improperly processed by the networking stack.
The Ripple20 vulnerability is also dangerous to the fact that if a single IoT device is infected on a company network, especially in production facilities, the hackers can use this to spread across other available hosts. This allows for multiple malware scenarios including the following:
- Information Theft and Espionage
- IoT Botnet Recruitment
IoT device owners should attempt to contact the manufacturers of the products they have enabled in order to find out if a patch is available.