A Legion Of Bugs Puts Hundreds Of Millions Of IoT Devices At Risk

It has been reported that Israeli security firm JSOF revealed today a collection of vulnerabilities it’s calling Ripple20, a total of 19 hackable bugs it has identified in code sold by a little known Ohio-based software company called Treck, a provider of software used in internet-of-things devices.

JSOF’s researchers found that one bug-ridden part of Treck’s code, built to handle the ubiquitous TCP-IP protocol that connects devices to networks and the internet, in the devices of more than 10 different manufacturers—from HP and Intel to Rockwell Automation, Caterpillar, and Schneider Electric—and likely dozens more, JSOF believes. The result, the researchers say, is the better part of a billion hackable devices in the wild that have likely been vulnerable for years, and will need to be patched to protect them from a broad array of attacks.

Experts Comments

June 17, 2020
Jonathan Knudsen
Senior Security Strategist
Synopsys
The Ripple20 disclosures are a graphic illustration of three truths in software development. First, security must be integrated to every part of software development. From threat modeling during design to automated security testing during implementation, every phase of software development must involve security. Vulnerabilities that escape unnoticed represent serious risk. Finding and fixing more vulnerabilities during development translates directly to lower risk. Second, organisations.....Read More
The Ripple20 disclosures are a graphic illustration of three truths in software development. First, security must be integrated to every part of software development. From threat modeling during design to automated security testing during implementation, every phase of software development must involve security. Vulnerabilities that escape unnoticed represent serious risk. Finding and fixing more vulnerabilities during development translates directly to lower risk. Second, organisations that create software must manage their third-party components. The main reason for the far-reaching effects of the Ripple20 vulnerabilities is that they are vulnerabilities in a network component used by many organizations in many products. Each software development organisation must understand the third-party components they are using to minimise the risk that they represent. Finally, all software products must be able to update themselves. Using secure development practices and managing third-party components will result in fewer, less frequent updates. Nevertheless, something will always go wrong and updates will always be necessary. Systems and devices must be able to update themselves securely, and the manufacturer must make a commitment to maintaining the software for some clearly stated time period.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts