One of the great things about working in cyber security and specifically CND is that we are constantly required (and encouraged) to keep our knowledge and skillset relevant to combat emerging threats and trends in order to best serve our clients.
We all have our favourite news feeds or podcasts, on Wednesday 17th June our Radar Page reported on a vulnerability in Treck https://www.cndltd.com/cnd-news/radar-updates-friday-12-june-1 which was quickly followed by a report on one my preferred sources ( Risky.biz ) the presenters narrated on the newly discovered Ripple 20 IoT vulnerabilities. For readers not yet familiar with this vulnerability it contains four distinct items each with a CVSSv3 score of >=9.8. The exploitable threat surfaces include UDP, IPv6, ICMP which should be especially concerning. The research is apparently still ongoing and further exploits are likely.
Why should this be of interest or concern? The IP stack library from Treck Inc. has been integrated since the late 90's into apparently 'Hundreds of millions' of IoT nodes from consumer electronics (think printers and smart home devices) to ICS, power grid hardware, healthcare, transportation (think about train station live departure boards etc.) and advertising and marketing with the rise of digital displays even common at city centre bus stops. Whilst apparently a patch has already been released the likelihood of that patch reaching a critical mass of the exposed deployed IoT devices is questionable. It certainly made us all think how we might be exposed at home but more importantly how are services we rely on exposed? Increasingly our clients are employing smart devices to automate and gain efficiencies or simply using them to record valuable metadata about their operations which can be harvested for machine data analysis relevant to their business requirements.
If you have a deployment base of IoT nodes in any guise, this news should be something that triggers a Vulnerability Analysis (VA) which will help provide a view on your organisations exposure. Since the Mirai botnet exposure of 2016 which saw IP CCTV cameras along other devices turned into botnet minions, this has been an under-addressed security flaw. Often the exploitability is not helped by basics such as proper password management and password complexity / entropy to secure nodes; however also more nuanced configurations such as disabling IPv6 if not in use, SNMP service configurations are also something to address.
Securing peripheral devices such as printers, cameras, digital signage is not often an organisational priority and you may think that even if those were compromised so what? Of course there is the opportunity for a sophisticated threat actor to pivot from a compromised system towards something you may care about, and upon which your business relies. Below is some helpful further reading from a variety of sources about best practices and an engaging infographic.
If you are concerned about these issues or are unclear as to your exposure get in touch, we can help you.
Further reading:
- https://www.us-cert.gov/ics/advisories/icsa-20-168-01
- https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
- https://www.ncsc.gov.uk/blog-post/fixing-all-things
- https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/