19 Zero-Day Vulnerabilities Affect Millions of IoT Devices Worldwide

The research lab of Israeli cybersecurity company JSOF has discovered a series of 19 zero-day vulnerabilities that affect millions of IoT devices worldwide.

According to researchers, the bulk of security flaws, dubbed Ripple20, reside in the low-level TCP/IP software library developed by Treck Inc. It is used and deployed by companies in a wide variety of industries, including healthcare, energy, telecom and retail.

“Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors,” the JSOF said.

Four of the 19 vulnerabilities were flagged as critical, with CVSS scores over 9. If exploited, these critical flaws could allow malicious actors to execute remote arbitrary code, with potentially devastating effects.

The researchers described some of the most plausible scenarios, including gaining control of the targeted device remotely. Sophisticated attackers could take over all impacted devices in the network simultaneously, remaining hidden and undetected in the network for years.

“The risks inherent in this situation are high”, researchers warned. “Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction”.

The cyber security experts also reported their findings to Treck, which issued an official statement on their website:

“Our latest version of Treck’s TCP/IPv4/v6 and associated protocols has been updated to include fixes for a group of vulnerabilities (VU#257161 and ICS-VU-035787) that were reported by Moshe Kol and Shlomi Oberman of the independent security research group, JSOF,” the company said. “Treck is also providing patches for each issue that was reported.  Some of the issues are of high severity.  The exposure to these high severity issues greatly depends on the Treck products being used.”

Additionally, JSOF contacted over 500 device manufacturers and organizations currently assessing their products.

“The disclosure was postponed twice after requests for more time came from some of the participating vendors, with some of the vendors voicing COVID-19-related delays,” the researchers said. “Out of consideration for these companies, the time period was extended from 90 to over 120 days. Even so, some of the participating companies became difficult to deal with, as they made extra demands, and some, from our perspective, seemed much more concerned with their brand’s image than with patching on the vulnerabilities.”

Mitigation steps vary from device vendors to consumers. If a patch is available, the first step is to update to the latest version for all devices. Organizations using a vulnerable Treck stack should perform a risk assessment and, in lieu of a vulnerability fix, “minimize network exposure for embedded and critical devices, ensuring that devices are not accessible from the Internet unless absolutely essential.”

Isolating system networks and devices behind firewalls, disengaging them from the business network, and using a virtual private network for connecting devices to cloud-based services is also recommended.