
Expert says new Ripple20 bugs underscore need for action (Includes interview)

The importance of addressing the risk posed by the Ripple20 bugs is outlined by Terry Dunlap, former NSA Offensive Cyber Operator and CSO and co-founder of ReFirm Labs. Ripple20 is the collective name given to 19 identified critical vulnerabilities in a widely used Transmission Control Protocol/Internet Protocol (TCP/IP) software library developed by Ohio-based Treck Inc.

The vulnerabilities affect Internet of Things (IoT) devices produced by specialized boutique vendors as well as multiple Fortune 500 companies, said Israel-based security company JSOF, which discovered the security holes. Vulnerable products extend to smart-home devices, industrial control systems, medical and healthcare systems, and devices used in key parts of infrastructure, such as energy networks.

Looking at the implications of these newly identified threats, Terry Dunlap tells Digital Journal: “This means understanding what is running on the IoT device, what vulnerabilities it has, and how the manufacturer will patch the equipment.” The impact of Ripple20 is significant, the expert adds, as is the way IoT firmware forms a major unprotected attack surface that hackers use to get a foothold and move laterally into corporate or critical infrastructure networks.

In other words, Dunlap explains: “Companies need to treat IoT with the security and compliance due diligence that they would with their enterprise applications. They wouldn’t find it acceptable to have servers running Windows 2000 in production, or use Linux servers that hadn’t been patched in four years. Yet those are the types of issues we see with the firmware of IoT devices all the time.”

In addition to the latest issue, Terry Dunlap and his team of researchers from Maryland-based IoT firmware security startup ReFirm Labs were the first to point out backdoors built into products from the world’s second-largest security camera manufacturer, Dahua. These cameras are banned by the U.S. government but remain in use. Dunlap is considered the world’s leading expert on firmware vulnerabilities and nation-state attacks on IoT.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.
