Broad supply chain security ripples from the Ripple20 IoT “mega vulnerability”

June 29, 2020, by Tony Howlett

Last Updated: November 24, 2020

The recent announcement of the Ripple20 “mega-vulnerability” in Internet of Things (IoT) devices that use the Treck, Inc. TCP/IP stack highlights the growing exposure that organizations of every size and type carry in the IoT world. With 19 separate vulnerabilities, 4 of which are rated 9.0 or higher on the 10-point CVSS scale, there is hardly an industry or major technology manufacturer that is not affected. The stack is licensed as a component and frequently sits several tiers down a product's supply chain, so while the list currently stands at over 20,000 affected device types, it is sure to grow as more manufacturers discover that this obscure but key piece of code is inside their products. Many critical infrastructure devices are affected, including UPS power backups, point of sale (POS) devices, Industrial Control Systems (ICS) on manufacturing lines, and perhaps most ominously, many IP-connected medical devices, infusion pumps among them.

Given the size and scope of this massive vulnerability release, every security and system administrator should review the affected-device lists and determine whether their own equipment is potentially vulnerable. Here are some considerations when assessing the risk to your network and systems from Ripple20.

Check for supply chain issues

If you are a physical hardware manufacturer of any kind (not just of computer gear; excavation equipment maker Caterpillar is one of the affected firms), you need to take this especially seriously. The announcement includes a list of known affected manufacturers, but it is by no means final or exhaustive. You will want to do a component-level review of every provider of network code and software in your products to see whether Treck, Inc. is among them. Search under other names too: the Treck stack shares its ancestry with the Kasago stack from Zuken Elmic, and the researchers warned that some of the flaws may carry over, so a bill of materials that never mentions “Treck” can still contain the vulnerable code. If you do find it, deeper analysis is needed to confirm which stack version you ship (Treck fixed the issues in version 6.0.1.66) and which of the affected features you compile in. If you are affected, you have a long road ahead, building patches into your product and getting them out to customers. I definitely don’t envy companies in this position!

Check for deployed affected devices

Even if you don’t make hardware, you aren’t out of the woods by a long shot. You may well be running devices from the affected manufacturers somewhere on your network. The list includes IP cameras, printers, copiers, switches, and other common network gear. Review the list of affected manufacturers and models and check whether you use any of them. Plan on repeating the review in a few months, as the full scope of affected hardware becomes clearer.

Even if you don’t think you have affected IoT devices, you might still have exposure. Most IT administrators lack confidence that they have inventoried every IoT device on their networks, so you may need to complete an IoT inventory before you can accurately assess and remediate Ripple20 risk. To keep the job manageable, start with internet-facing devices and work inward, unless you have a very large internal attack surface. Treat that ordering as prioritization rather than exclusion: one of the critical bugs is in the stack’s DNS response parsing, so a device that only ever makes outbound connections is still reachable by anyone who can answer its DNS queries.

Consider work from home (WFH) deployments

While your corporate-owned infrastructure might not have any Ripple20 issues, employees may have affected IoT devices on the home networks they work from. This risk is hard to assess, especially across large WFH populations, but it is worth considering as WFH becomes the norm in corporate computing. Company-managed endpoints can allay these concerns somewhat, as can strong remote access controls such as multi-factor authentication (MFA) and keeping home-network devices off the corporate VPN.

Use scanning tools, if available

Major scanning vendors are adding Ripple20 detection to their signatures, and scanning is the only way to track down these devices completely and efficiently. Check with your vulnerability scanning vendor for updates (Qualys and Tenable have already issued signatures). Two caveats apply to any unauthenticated network check: it fingerprints the Treck stack rather than reading a version number, so a hit means “runs Treck” rather than “confirmed vulnerable”, and active probes can upset fragile embedded devices, so schedule scans of ICS and medical equipment with their owners. Eventually, Treck or another entity may release a free, general-purpose scanning tool, as has happened for other large-scale vulnerabilities.

What if patching is difficult or impossible?

Because these are IoT devices without straightforward management interfaces, even once you know you have them, some may be difficult or impossible to patch. This isn’t as simple as pushing updates, as with Windows. Patching hundreds of IoT devices across a multi-location enterprise is a multi-month project, if not longer, and some devices, such as embedded systems within manufacturing lines, cannot easily be shut down for updates. Add compensating controls such as network segmentation, firewall rules, ACLs in your routers, and other protections, both to keep attackers from reaching these devices and to stop the devices from phoning home if they are compromised.
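To make the segmentation concrete, here is an added example of an nftables policy for a segment that holds unpatched Ripple20 devices. It is not part of the original article and not vendor guidance; the interface name (vlan30), the address ranges, the internal resolver and the single management host are assumptions, and the segment is assumed to be IPv4-only. The protocol-level drops follow the mitigations Treck and the researchers published with the advisory: block IP-in-IP and 6in4 tunnels, IP fragments, IP source routing and unused ICMP control messages, and force DNS through an internal recursive resolver so that the devices never parse replies from an arbitrary upstream server.

```nft
#!/usr/sbin/nft -f
# Added example: gateway policy for an IoT segment with unpatched Treck devices.
# Assumptions (not from the advisory): the segment is interface "vlan30" with
# 10.30.0.0/24, the internal resolver is 10.10.0.53, the only management host
# is 10.10.0.10, and the devices need one internal MQTT broker on port 8883.

flush ruleset

define iot_if  = "vlan30"
define iot_net = 10.30.0.0/24
define dns_srv = 10.10.0.53
define mgmt    = 10.10.0.10

table inet ripple20_guard {
    # Explicit egress allow-list for the devices (address . port). Add entries
    # here instead of loosening the chains below.
    set iot_egress_allowed {
        type ipv4_addr . inet_service
        elements = { 10.10.0.20 . 8883 }   # assumed internal MQTT broker
    }

    chain forward {
        # Policy accept: other segments are policed by other tables (assumption).
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        ct state invalid drop
        oifname $iot_if jump to_iot
        iifname $iot_if jump from_iot
    }

    chain to_iot {
        # The segment is IPv4-only, so IPv6 (and its own Treck bugs) never enters.
        meta nfproto ipv6 drop comment "segment is IPv4-only (assumption)"
        # Tunnelled IP and fragment reassembly are the paths to the worst bugs.
        meta l4proto { 4, 41 } drop comment "IP-in-IP and 6in4 tunnels"
        ip frag-off & 0x3fff != 0 drop comment "any fragment: MF set or offset != 0"
        ip option lsrr exists drop comment "loose source routing"
        ip option ssrr exists drop comment "strict source routing"
        # ICMP control messages the devices have no business receiving.
        icmp type { redirect, address-mask-request, address-mask-reply,
                    timestamp-request, router-advertisement } drop
        # Management access from one host only; ping is allowed for monitoring.
        ip saddr $mgmt ip daddr $iot_net tcp dport { 22, 443 } accept
        ip saddr $mgmt ip daddr $iot_net icmp type echo-request accept
        # Nothing else reaches the segment; log so the SOC sees probe attempts.
        log prefix "ripple20-to-iot-drop " drop
    }

    chain from_iot {
        # DNS only to the internal resolver, which normalizes replies for them.
        ip saddr $iot_net ip daddr $dns_srv udp dport 53 accept
        ip saddr $iot_net ip daddr $dns_srv tcp dport 53 accept
        # Allow-listed internal services only.
        ip saddr $iot_net ip daddr . tcp dport @iot_egress_allowed accept
        # No direct Internet, no other resolvers: a compromised device cannot phone home.
        log prefix "ripple20-from-iot-drop " drop
    }
}
```

Load it with `nft -f` on the gateway that routes the IoT VLAN, and watch the two log prefixes for a week before trusting the allow-list: anything the devices legitimately need will show up as `ripple20-from-iot-drop` entries and can be added to the `iot_egress_allowed` set. The fragment rule deliberately drops all fragments rather than only overlapping ones, because the devices themselves are the reassembly code you no longer trust; if a device protocol genuinely relies on fragmentation, lower the path MTU on the gateway instead of relaxing the rule.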

In time, the full scope of this giant batch of vulnerabilities will become clear, and vendors will hopefully step up to make discovery and patching easier. If there is a silver lining in this dire situation, it is that more light and attention may be shined on IoT security and third-party risk management (TPRM), and that manufacturers will more carefully monitor their upstream supply chain for the mundane components that can bring a very non-mundane risk with them.

To learn more about protecting your organization with third-party risk management in mind, download our eBook “Securing Your Supply Chain from Cyberattacks” for a look at the current threat landscape and why third-party access control is crucial in preventing attacks.
