Ripple20 Vulnerability Affects 100s of Millions of IoT/IIoT and Medical Devices
If that headline doesn’t scare you, it should.
Ripple20 is a family of 19 vulnerabilities that are part of a library that is used in medical devices, home automation devices, oil & gas controls, networking devices and other industrial control devices.
The bugs are in a library that was developed in the 1990s and is integrated into all kinds of devices.
The problem is that these libraries are not something that a user – consumer or business – can do anything about. They are completely dependent on the manufacturer to fix it.
Many of these devices likely don’t even have a mechanism to update the library.
To make things even more troubling, many times the buggy software was integrated into modules that then got integrated into products that then got sold to you and me. The software vendor has no idea where it got used and the integrator might not even know that the affected modules are in their product.
The product is a TCP/IP communications library – something that any device that is somehow connected to the Internet has in it.
So why were 19 vulnerabilities called Ripple20? Because, they say, of the ripple effect they will have in 2020. That is a bit of an understatement.
Some of the vulnerabilities have a risk rating of 10 out of 10 and others 9.8 out of 10.
While the software vendor has released patches for the current version of the software, what about products that were built 10 years ago, for example? Those companies may not even be in business and, even if they are, they likely don’t support a (pick a number) 10-year-old, 15-year-old or whatever-age product, assuming they even know about the library.
Vendors that have released alerts include Intel, HP, Schneider Electric, Caterpillar, B.Braun, Green Hills, Rockwell Automation and Cisco.
Expect more alerts over the coming months.
The industry is still working through the impact of the Urgent/11 family of similar bugs that were disclosed about a year ago.
The government is working on some voluntary guidance for Software Bill of Materials standards that I am watching, but that is going to take years to gain any traction.
Businesses need to keep pushing vendors and vendors need to keep pushing their vendors for a Software Bill of Materials to be a standard part of all deliverables. Software developers need to step up their game too.
Until then, we are making it very easy for the hackers. They know what the vulnerabilities are. They know at least some of the vendors that are affected and, more importantly, they know that most of these products will never be patched. Likely in a matter of days or maybe a week the entire Internet will be scanned looking for vulnerable devices. Then hackers have years to exploit them.
While a hacker turning off your smart light bulb might be annoying, changing the settings on an insulin pump – well, that could have more life-altering effects.
Ponder this: Software vendors have zero liability for these bugs. Congress is considering changing that (it is a recommendation of the Cyberspace Solarium Report). Until that happens, don’t expect that to change.