A Legion of Bugs Puts Hundreds of Millions of IoT Devices at Risk

The so-called Ripple20 vulnerabilities affect equipment found in data centers, power grids, and more.

Security experts have warned for years that the drive to connect every device imaginable to the internet would offer a bonanza for hackers. Now researchers have found that one chunk of software designed to enable those internet connections is itself riddled with hackable vulnerabilities. As a result, security flaws have ended up in hundreds of millions of gadgets across the globe, from medical devices to printers to power grid and railway equipment.

Israeli security firm JSOF revealed on Tuesday a collection of vulnerabilities it’s calling Ripple20, a total of 19 hackable bugs it has identified in code sold by a little-known Ohio-based software company called Treck, a provider of software used in internet-of-things devices. The bug-ridden code is Treck’s TCP/IP stack, the low-level networking software that implements the ubiquitous protocol suite connecting devices to local networks and the internet. JSOF’s researchers found that stack in the devices of more than 10 manufacturers, from HP and Intel to Rockwell Automation, Caterpillar, and Schneider Electric, and JSOF believes it’s likely in dozens of others, since device makers often license such code from a supplier, or receive it inside a component from yet another supplier, without advertising the fact. The result, the researchers say, is the better part of a billion hackable devices in the wild that have likely been vulnerable for years, and will need to be patched to protect them from a broad array of attacks.

Several of the Ripple20 vulnerabilities, named for the way the bugs “rippled” out from a single company’s code and for the year 2020, would allow any attacker who can send network traffic to a target device, over the internet or from the same local network, to crash it in a denial-of-service attack or to force it to run any malicious code they choose. Not every device running the stack is equally exposed: the attacker must be able to reach it over the network, so devices that are reachable from the internet face the greatest risk, while those confined to isolated networks can still be attacked by anyone who gains a foothold there. The affected devices range from power supply systems in data centers to the programmable logic controllers used in power grids and manufacturing to medical infusion pumps.

