There’s a lot to like about Internet of Things (IoT) devices, especially when it comes to how convenient they make people’s lives. The one downside is any device connected to the Internet is susceptible to being hacked—something Israeli security firm JSOF discovered could have happened to “hundreds of millions” and maybe billions of devices sold in the last two decades, Enterprise IoT Insights reports.
JSOF identified a series of 19 vulnerabilities, named Ripple20, in a software library that was integrated into IoT devices for Caterpillar, Cisco, HP, HPE, Intel, Rockwell, Schneider Electric, Digi and more. The companies’ devices are potentially vulnerable to remote hacks by cyber criminals. Ohio-based software company Treck sold the vulnerable TCP/IP software track, according to Enterprise IoT Insights.
“Many other international vendors in the medical, transportation, industrial control, enterprise, telecom, retail and commerce industries are (also) suspected of being vulnerable,” the firm said.
Lockheed Martin, BAE Systems, Broadcom, Itron, Marell and NVIDIA are among the companies under investigation. Meanwhile, devices from Amd, GE Healthcare, Laird, Philips, Texas Instruments and Zebra Technologies have been confirmed as safe.
How Ripple20 made its way into IoT devices
Memory management bugs caused most of the “zero-day” vulnerabilities in the code and go back to the 1990s, according to JSOF. The security firm said, “The number of devices that contain the vulnerable code base library is only a preliminary estimate; the number may realistically be in the billions.”
JSOF further explained Ripple20 spread throughout the world in the last 20 years. The complex supply chain provided the perfect channel and made it possible for the initial vulnerability to get inside and disguise itself almost indefinitely. The firm said all organizations have to perform a comprehensive risk assessment before deploying defensive measures. Treck, which worked with JSOF on the research, recommended users update its software stack to the latest stable version—188.8.131.52 or later.
“In all scenarios, an attacker can gain complete control of the targeted device remotely, with no user interaction required,” the company said. “The risks inherent in this situation are high. A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people.”
As an example, hackers could access data simply by stealing it from a printer, infusion pumps or industrial control devices. Attackers could hide malicious code in embedded devices for years, according to JSOF.
“One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks,” company said.
“What’s even more problematic is the fact that the affected library wasn’t only used by IoT device vendors directly, but also integrated into software suites, meaning that many companies using this software are not aware that they are using this particular piece of code,” Chief Executive of Israeli cyber-security firm Sternum Natali Tshuva said “Because of these third-party vulnerabilities, major vendors are now exposed to potential damage and financial loss.
“Ultimately, only IoT device manufacturers can solve these cybersecurity issues, as companies that deploy IoT devices are typically unable to install protection or update the security of the devices. This is why we are seeing (and will continue to see) legislation and regulations moving towards shifting liability onto the device manufacturers themselves.”
What the Ripple20 attacks mean for CRE
As more commercial real owners embrace IoT devices for their buildings, these attacks are a good reminder of how important it is to stay on top of cyber security. If hackers can infiltrate devices within major organizations, it’s safe to say they could do the same to an everyday commercial building. Think of the damage a hacker could do if they accessed any of your building’s IoT devices—door locks, security cameras, lighting, thermostats, etc.
There are also your tenants to think about. Their top priority might be strong connectivity, but they also want to know any data they transmit over the network is secure. It will be much easier at attract, and retain, tenants if you can assure them that their sensitive data, as well as their customers’, is safe.