The IoT Supply Chain Risk: Why Everyone Should Pay Attention to Ripple20 Vulnerabilities

Michael DeCesare | June 16, 2020

We see IoT and connected devices all around us – there are billions of them, and they’re hard to miss. I speak all the time about the cybersecurity challenges these devices pose, and advocate for organizations to protect themselves. 

But sometimes the threat lies under the surface. The reality is that when you buy an IoT device, you’re buying a lot of embedded components and you don’t really know where those components come from. For a variety of reasons, most IoT devices do not run standard Windows operating systems. Instead, they use organically developed and various third-party sourced code libraries for essential functions such as network communication. These code libraries pose just as much of a risk as the devices themselves, if not more so because a user or company likely has no idea what lies under the hood.

Forescout Research Labs has been working closely on the disclosure of vulnerabilities of this type that could potentially impact tens of millions of IoT and OT devices. Working closely in partnership with JSOF, who first discovered the Ripple20 vulnerabilities, our researchers have leveraged the 12 million devices in our Device Cloud data lake to together identify nearly 100 vendors that are potentially affected.

The Ripple20 vulnerabilities are in a software library and TCP/IP networking stack made by Treck. You probably haven’t heard of Treck, but the company has been around for 20+ years and its TCP/IP stack is used in many common devices, including industrial control systems, medical devices, VoIP phones, printers, etc. In total, JSOF estimates these vulnerabilities could affect tens of millions of IoT and OT devices.

Given the widespread nature of the findings, JSOF has been working closely with the Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), national CERTS (Computer Emergency Response Teams), as well as Treck to ensure a proper disclosure and fix.

It’s not super common for researchers who found a vulnerability to partner in this way with other security vendors during discovery and disclosure. This innovative approach was necessary because of the nature of the supply chain. There’s no public bill of materials for IoT and OT devices, meaning vendors don’t have to disclose what parts make up their devices. In many cases the code library has spread through the supply chain in embedded, rebranded and repackaged components. Sometimes the vendors themselves don’t even know what’s running inside the devices. All these factors can make identifying devices that could be compromised very difficult for any one company or even government organizations. 

To identify potentially vulnerable devices and manufacturers, Forescout researchers used network traffic signatures and TCP/IP fingerprints provided by JSOF to analyze the 12 million devices in our large data lake – the Forescout Device Cloud.

Some of the more prevalent devices Forescout identified that are vulnerable to Ripple20 include medical infusion pumps, a UPS frequently used in data centers, and printers (which can be found in nearly every enterprise). Nearly a dozen vendors in total have already been confirmed, including HP and Intel, though together with JSOF we’ve identified nearly 100 more that could also potentially be affected.

The bigger picture here is that these are just some of the risks living under the surface of the billions of IoT and OT devices permeating our enterprise networks today, risks we are finding out more and more about through disclosures like this one. While there’s been a growing amount of focus on securing IoT devices overall, we also need to ensure we are securing every piece of the device’s supply chain.

Fixing these vulnerabilities presents its own set of challenges, even once they’ve been identified on the network. Some already have patches available. But there are also complicating factors. With these types of supply chain vulnerabilities and embedded components, the vendor that is creating the patch isn’t necessarily the one that will release it. That can delay the issuance of a patch. There are also no guarantees that the device vendor is still in business, or that they still support the device. The complex nature of the supply chain may also mean the device is not patchable at all, even if it needs to remain on the network. In such cases, mitigating controls such as segmentation will be needed to limit its risk.

This is a real challenge. To help, we are releasing detection and mitigation templates for our products to specifically identify and protect devices using Treck. That way security teams can find and inventory devices that could be impacted and take appropriate mitigation actions, such as segmentation and containment, to limit their risk. These protection templates are available today to all Forescout customers.

We’re seeing more and more of these types of supply chain vulnerabilities discovered as IoT and OT devices become more widespread. While the embedded systems that underlie them aren’t new, we are just beginning to open our eyes as a security industry to the risk they pose. Let’s all make sure we’re paying attention.