Healthcare is the sector most impacted by a group of 19 critical vulnerabilities known as Ripple20, found in the TCP/IP communication stack of hundreds of millions of IoT and connected devices. The full impact is currently unknown, given that the flaws are found in embedded software and web components.
The vulnerabilities were first reported by security researchers JSOF in mid-June. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency followed the report with an alert detailing how hackers could exploit the flaws to gain control of an affected device.
According to reports, the vulnerabilities exist in the widely used, low-level TCP/IP software library developed by Treck, and include multiple remote code execution possibilities. Ohio-based developer Treck provides low-level network protocols for embedded devices.
Most of the flaws are caused by bugs in its memory management, as well as “historically related KASAGO TCP/IP middleware from Zuken Elmic (formerly Elmic Systems).” The highest-risk vulnerabilities could allow an attacker to steal data, impact the function of connected devices, or prompt a device malfunction, among a host of other malicious activities.
To SecureLink CISO Tony Howlett, the flaw bears the hallmarks of another massive vulnerability known as Spectre: an embedded software flaw affecting modern microprocessors used in desktop computers, cloud computers, and laptops. A successful exploit allows an attacker to force a device to reveal its data.
“Ripple20 is like the Spectre of IoT devices,” Howlett said. “This certainly won’t be the last major disclosed vulnerability, as vulnerabilities keep getting more complicated. But this is the biggest so far.”
What’s worse, according to Howlett, is that the most at-risk devices are found in the healthcare sector – especially its infusion pumps. Given the scope of the vulnerabilities, there will likely be multiple patches, making it a major project unto itself.
Further, each operating system and model has a process unique to the device, “and with firmware, it’s scary if you break it.” The patching challenges found in healthcare have been well-documented, with many providers not fully understanding how to effectively and efficiently tackle the process in a timely fashion.
Previously, security researchers have shared key ways healthcare providers can begin tackling their massive endpoint problem and other medical device security concerns, including key data inventory elements, security tools, and insights into some of the biggest medical device security myths.
Indeed, the full impact of Ripple20 is still unclear, and many IT administrators and security leaders may not even know they have a device operating with the impacted Treck component.
In fact, Forescout research shows the vulnerabilities impact tens of millions of devices across 50 different vendors, “exposing a very complex supply chain for IoT devices.” And researchers concluded healthcare is indeed the number one impacted sector with 52,935 devices matching Treck signatures.
“An IP stack is a basic connectivity software component used in every connected device,” researchers wrote. “Essentially, in the IoT world, there is no public bill of materials that allow users and organizations to know what components are part of the devices they use.”
“Meanwhile, these components can cause significant cybersecurity risks,” they added.
To Howlett, the biggest concern is the remote access threat. While infusion pumps may not typically be exposed to the internet, an attacker could gain access through publicly visible devices, operating systems, servers, and industrial system controls.
As a result, an attacker could leverage a search engine like Shodan.io to easily find exposed connected and IoT devices.
Alternatively, by leveraging virtual private networks (VPNs) commonly used by vendors, a hacker could easily gain a foothold onto the network to scan the enterprise and find devices vulnerable to Ripple20, such as medical devices and infusion pumps that may, at first glance, appear protected from outside hacking.
It’s also likely that plenty of these vulnerable devices are currently exposed. Howlett also explained that many organizations may think they’re protected, but any exposed endpoints or access points could further fuel this threat.
“If some terrible person wanted to cause havoc, it would be devastating,” Howlett said.
The lack of visibility into the flaw and the complexity of patching these vulnerabilities are further compounding the issue.
Healthcare will face some of the most complex challenges, especially around IoT devices, which typically exceed the number of workstations and servers on the enterprise network. Howlett stressed that administrators may need to rely on vendors to find out just what devices are impacted by the flaw.
Others will continue to struggle with understanding the best way to patch.
“Trying to wrangle those devices is already a big job,” Howlett said. “People are going to have to get more serious about this. It’s already reached paradox levels as it’s everywhere. If someone gets a foothold onto their network, they can launch other attacks and infect other devices.”
“Start thinking about IoT as something that needs all of the protection, as many of these IoT devices can’t load endpoint protection outside of what the manufacturer has already installed,” he continued.
To tackle these challenges, Howlett made several key recommendations. All global entities must perform a cursory assessment, particularly with scanning software, to determine what enterprise devices connected to the network are impacted by the Treck flaws.
As noted, patch management for Ripple20 flaws will also be a daunting task given the scope, which means enterprises will need to segment impacted devices from the network and leverage firewalls in the meantime. Howlett explained the goal should be to have any device that touches people, especially medical devices, segmented away from the main network and fully protected.
“It’s a public health issue,” Howlett said. “Hopefully this is a wakeup call before a major disaster, giving us more visibility and getting more people protected… Treat this like the Spectre of IoT healthcare.”