Ripple20 Isn’t An Anomaly – IoT Security Is A Mess (Still) #NCSAM

Shiny-object fixation is in the tech industry’s DNA — rooted equally in sincere idealism, and reactive impulsivity. For innovators, there’s always something greater, faster, and better on the horizon. On the one hand, this forward-looking mindset is productive, inspiring us toward perpetual progress. On the other hand, it can prove detrimental, as those in the tech industry have a habit of prematurely moving to the “next big thing” before mastering the “current problem.”

The Internet of Things (IoT) is a perfect (or terrible, depending on how you look at it) embodiment of this bad habit. The term was coined in 1999, but the first connected devices emerged even earlier, in the 1980s. By the late 2000s, major companies like IBM, Cisco, and McKinsey started making significant IoT investments. In 2011, Gartner added IoT to its hype cycle for emerging technologies, ushering in a wave of IoT startups rushing to capitalize on a hot market, akin to what’s occurring in the AI space today.

The moral of this history lesson is that IoT has been around for decades. Yet, IoT security continues to be...a mess. A mess that’s actively worsening, in fact, because we haven’t taken the time to get it right. A new SonicWall report found a 50% increase in IoT malware attacks in the first half of 2020 alone. Meanwhile, the Irdeto Global Connected Industries Cybersecurity Survey revealed that cyberattacks targeted at IoT devices could cost the U.S. economy $8.8 billion per year.

Part of the problem is that most enterprises lack visibility into all the IoT devices running on their network, making securing them nearly impossible. Another factor is that many IoT device makers, eager to cash in and get to market, did not — and still do not — build with security in mind.

The issue extends even deeper. The software and hardware components that make up these devices can also have vulnerabilities.

Supply chain issues make a bad situation worse

This is the case with Ripple20, a series of 19 vulnerabilities first revealed by JSOF in mid-June, affecting devices that contain the Treck networking stack. The Treck software has been used in the manufacturing of embedded devices for more than twenty years. Due to its ubiquity, hundreds of millions of devices in the industrial controls, networking, transportation, retail, oil and gas, medical, and other fields are now known to be vulnerable to exploits.

As the JSOF team attempted to track down the vendors affected earlier this summer, it became clear that the complexity of the software supply chains in question made it exceedingly difficult to know exactly which devices were exposed.

Now that the information has been released, proof-of-concept exploits will emerge and companies will likely start to see accelerated exploitation of these vulnerabilities. While patches have been issued by Treck for all 19 vulnerabilities, patching may prove difficult or impossible due to the age, nature, and widespread use of the impacted devices. As a result, the impact of these vulnerabilities will linger for a long time to come.

We can bolster IoT security — but it’s a shared responsibility

Ripple20 isn’t the only IoT security fiasco; it’s just the latest. As we’re barreling toward edge computing, drones, and robotics, we need to pause and get connected device security under control now. Solving a problem so pervasive will require the entire tech industry to rethink IoT and recognize that securing it is a collective effort. The following steps need to be taken:

  • Build devices with security in mind: Device and component manufacturers need to build devices with security in mind and abide by enforced security guidelines. There are well-understood best practices for secure development; most call for minimizing the attack surface, which also reduces the amount of software that must be patched.
  • Be prepared to patch: Vendors must be able to develop and deploy a patch for as long as customers have the devices deployed and actively used. This can be for years.
  • Disclose, disclose, disclose: Vulnerabilities, whether discovered by vendors, researchers, or users, must be responsibly disclosed as soon as they’re found. Vendors need time to develop the patch, and customers need time to deploy it.
  • Prioritize inventory and control: Enterprises need to have an up-to-date inventory of all their devices. You can’t know what to patch if you don’t know what you have. From there, hygiene and compliance must be a top priority. If there’s a known vulnerability, organizations must patch immediately. If a patch is unavailable for the affected device, organizations should consider removing the device from service entirely and replacing it with a secured one.
  • Have a detection and response plan: Even if all the other steps are taken, some attackers will be able to find their way in, so enterprises must have a response plan to stop attacks and mitigate damage in real time. Network detection and response vendors should provide custom detectors to monitor and discover critical vulnerabilities so that organizations can quickly respond.
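As an added example (not code from the article, JSOF or Treck), the inventory, patch-or-remove and supply-chain points above can be combined into a simple triage over an asset list; the component name, version numbers and device rows are constructed placeholders, not real Ripple20 data.

```python
"""Inventory-driven triage against a third-party-component advisory.
Added example, not code from the article, JSOF or Treck; all advisory and
device values below are constructed placeholders, not real Ripple20 data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

def parse_version(v: str) -> tuple:
    """'2.0.9' -> (2, 0, 9) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    component: str                # embedded component the advisory covers
    fixed_version: Optional[str]  # None if the component vendor shipped no fix

@dataclass
class Device:
    asset_id: str
    component: Optional[str]      # None: supply chain opaque, stack unknown
    component_version: Optional[str]
    vendor_patch_available: bool  # device vendor has integrated the fix

def triage(dev: Device, adv: Advisory) -> str:
    """Map one inventory row to INVESTIGATE, PATCH_NOW, REMOVE_OR_ISOLATE or NOT_AFFECTED."""
    if dev.component is None:
        # An unknown component is itself a finding: the device cannot be ruled
        # out until someone establishes which stack it actually embeds.
        return "INVESTIGATE"
    if dev.component.lower() != adv.component.lower():
        return "NOT_AFFECTED"
    if (adv.fixed_version and dev.component_version
            and parse_version(dev.component_version) >= parse_version(adv.fixed_version)):
        return "NOT_AFFECTED"
    if dev.vendor_patch_available:
        return "PATCH_NOW"
    return "REMOVE_OR_ISOLATE"  # affected, and no patch exists for this device

def triage_inventory(devices: List[Device], adv: Advisory) -> Dict[str, str]:
    return {d.asset_id: triage(d, adv) for d in devices}

# Constructed sample data: "ExampleStack" and every version are placeholders.
SAMPLE_ADVISORY = Advisory(component="ExampleStack", fixed_version="2.1.0")
SAMPLE_DEVICES = [
    Device("plc-01", "ExampleStack", "2.0.9", True),   # fix shipped -> patch
    Device("cam-07", "ExampleStack", "1.9.5", False),  # no fix -> remove
    Device("ups-03", "ExampleStack", "2.1.0", False),  # already at fixed version
    Device("gw-12", None, None, False),                # stack unknown
    Device("hmi-02", "OtherStack", "1.0", False),      # different component
]
```

Run `triage_inventory(SAMPLE_DEVICES, SAMPLE_ADVISORY)` to get one action per asset; the INVESTIGATE bucket is the one the Ripple20 vendor hunt showed to be largest in practice.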

IoT represents incredible possibility for the enterprise — but it represents incredible risk as well. With effort across the industry, we can (finally) get IoT security under control.
