The presentation discusses the Ripple20 vulnerabilities found in the Treck TCP/IP stack, which affected hundreds of millions of IoT devices across various industries because of a supply chain issue. The vulnerabilities allowed for remote code execution and other effects, and some devices may never be fixed because of the complexity of the supply chain. The presentation highlights the importance of supply chain security and the need to patch vulnerable devices.
The vulnerabilities in the Treck TCP/IP stack affected a wide range of devices, from hospital equipment to transportation systems. The supply chain issue made it difficult to fix the vulnerabilities in some devices, leaving them exposed to attack. This highlights the importance of supply chain security and the need for companies to ensure that all components in their products are secure.
This is the story of how we found and exploited a series of critical vulnerabilities (later named Ripple20) affecting tens or hundreds of millions of IoT devices across every IoT sector conceivable: industrial controllers, power grids, medical, home, networking, transportation, enterprise, retail, defense, and a myriad of other types of IoT devices, manufactured and deployed by the largest American and international vendors in these fields.

These vulnerabilities were found in a TCP/IP software library located at the very beginning of a complex supply chain, and they have lurked undetected for at least 10 years, likely much more. Over the past two decades this library has spread around the world through direct use as well as indirectly, through "second hand" use, rebranding, collaborations, acquisitions and repackaging, having been embedded and configured in a range of different ways. Many of the vendors indirectly selling and using this library were not aware that they were using it. Now that they know, the patch propagation dynamics are very complex, and patching may not be possible in some cases.

This library is a little-known but widely used embedded library developed by Treck Inc., known for its high reliability, performance, and configurability. Its features make it suitable for use in real-time operating systems and on low-power devices.

Despite being used by many large, security-aware vendors, these vulnerabilities lay dormant and undiscovered, while actors of all types could have discovered them by finding one of several bugs in any of the components, exposing hundreds of others immediately. This would provide a field day of affected devices for the picking.

In this presentation, we will discuss one of the vulnerabilities in technical depth, demonstrating an RCE exploit on a vulnerable device. We will explain how the vulnerabilities became so widespread, and what we still don't know.
We will speculate as to why these vulnerabilities survived for so long and show why some vendors are worse affected than others.