10-07-2020 | | By Robin Mitchell
Last week, JSOF, a small cybersecurity company based in Israel, announced their discovery of a serious set of vulnerabilities in the Trek TCP library. What are these vulnerabilities, and how does it affect the IoT field?
It is truly amazing how quickly IoT devices have become embedded into everyday life with even the most basic devices having internet capabilities. While anyone can understand and design an IoT project, no one can understand the true scale of the IoT industry or even comprehend the number of devices in operation globally. Of course, we have estimates for the total number of devices, approximately +30 billion, but what does that actually mean? How can we visualise 30 billion internet-enabled devices? If visualising this, many devices weren’t tricky enough, try to imagine 1 billion devices with potential security flaws that can be used by attackers to perform cyberattacks on a scale never seen before. This is one of the major threats that IoT poses on modern-day life, and is why ensuring strong security on such devices is essential.
One quote that puts into context the true power of IoT devices, and their ability to cause mass damage, is how Boromir described the Ring of Power in Lord of the Rings:
“It is a strange fate that we should suffer so much fear and doubt over so small a thing. Such a little thing”
IoT devices, despite their often miniature size and simplicity, carry a force of destruction never before seen in any computing field. Their ability to form connections enables them to perform DDoS attacks while attached sensory devices such as cameras and microphones turn them into spying devices. As these devices are often small, they utilise small microcontrollers or SoCs which are far too small to run reliable anti-virus, firewalls, and malware programs in parallel with their main function. For example, the ESP32, a popular IoT device, might provide the ability to use SSL, but is incredibly vulnerable to both software and hardware attacks which can allow custom code to be injected into the system. Mix in poor design practises, and the use of default passwords results in a hackers dream.
Last week, an Israeli cybersecurity company, called JSOF, have identified a set of zero-day vulnerabilities in the Trek TCP library that is estimated to affect many millions of IoT devices currently in deployment. Before we look at what the vulnerabilities are, we first need to understand how this happened in the first place.
As stated before, IoT devices generally lack processing power which means that every line of code counts. Therefore, designers will often use lightweight low-overhead libraries, and Trek provides one for TCP/IP in embedded systems. However, any library that is lightweight means that either some functions are omitted, or code is written more efficiently to reduce memory and processor usage. In some scenarios, C code could be replaced with processor-specific assembly instructions (such as bit checks which C does not support), or boundary conditions (such as buffer overflows) may not be implemented. While the exact details behind the Trek vulnerabilities have not been released, some on the vulnerabilities mention the ability to run code remotely. Such a vulnerability is often a result of poor boundary checks such as the Heartbleed bug which allowed attackers to see the contents of a servers RAM by requesting large messages while only providing a small message.
The vulnerability is called Ripple 20 for two reasons; the first is that the bug lies in the lowest level of the TCP/IP library, but this bug ripples upwards into code dependent on that library. The 20 comes from the fact that this vulnerability was announced in 2020, and will cause issues for the next few years as devices are updated. The challenge that Trek and JSOF currently face is tracking down devices that utilise the library to inform users of their risk. JSOF demonstrated the effect of Ripple20 in a video demonstration that shows them being able to turn off the power to a UPS.
So what are some of the vulnerabilities discovered in Ripple20? Scored between 1 and 10 with 10 being the worse, the first four have scores between 9.8 and 10 which indicates the seriousness of the situation:
CVE-2020-11896 - CVSSv3 score: 10 - Improper handling of length parameter inconsistency in IPv4/UDP component when handling a packet sent by an unauthorised network attacker. This vulnerability may result in remote code execution.
CVE-2020-11897 - CVSSv3 score: 10 - Improper handling of length parameter inconsistency in IPv6 component when handling a packet sent by an unauthorised network attacker. This vulnerability may result in possible out-of-bounds write.
CVE-2020-11898 - CVSSv3 score: 9.8 - Improper handling of length parameter inconsistency in IPv4/ICMPv4 component when handling a packet sent by an unauthorised network attacker. This vulnerability may result in the exposure of sensitive information.
CVE-2020-11899 - CVSSv3 score: 9.8 - Improper input validation in IPv6 component when handling a packet sent by an unauthorised network attacker. This vulnerability may allow exposure of sensitive information.
Since the Trek library has been integrated into other software platforms, many designers may not realise that their designs use the Trek TCP/IP implementation. Therefore, many devices on the market will be unknowingly vulnerable to attack, which is why users have only two real choices. The first is to perform a risk analysis of products that are known to use Trek and apply software updates as needed. The second is to implement network segmentation to try and make it difficult for an attacker to get to the vulnerable devices in the first place. Those that use IoT devices should also consider upgrading to modern IoT devices as older devices are more likely to be at risk. Besides that, not much else can be done until the BlackHat 2020 event is held as this is when the JSOF team will be demonstrating the vulnerabilities.
IoT devices, despite their insignificant size and processing capabilities, are probably the worlds biggest security threat to date. The ability to put billions of potentially insecure devices onto the market, and then integrate these devices with internet capabilities is proving to be a double-edged sword. The data gathered has allowed for the quick development of AI systems, but attackers are increasingly being given the ability to perform large scale attacks, steal personal data, and monitor individuals.