Security researchers have discovered serious vulnerabilities that could expose millions of Internet of Things (IoT) devices worldwide to hackers.
The list of affected vendors includes HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar and Baxter.
According to JSOF, a boutique cybersecurity organization, the vulnerabilities dubbed ‘Ripple20’ relate to the Treck TCP/IP stack, a TCP/IP protocol suite designed for embedded systems.
The vulnerability affects hundreds of millions of IoT devices and could potentially allow nefarious actors, including nation-states, to take over these devices remotely, the organization said in a statement late Tuesday.
JSOF said it discovered the Treck vulnerability while doing a security analysis of a single device last fall and found that its TCP/IP stack contained exploitable vulnerabilities.
The firm soon realised that the code wasn’t written by the device’s manufacturer, but rather came from Treck; that meant the bugs weren’t in a single device but everywhere, underscoring how widely IoT flaws can propagate.
The risks inherent in this situation are high.
“Data could be stolen off of a printer, an infusion pump behaviour changed or industrial control devices could be made to malfunction.
“An attacker could hide malicious code within embedded devices for years. One of the vulnerabilities could enable entry from outside into the network boundaries; and this is only a small taste of the potential risks,” the researchers explained.
JSOF said it has contacted every vendor of affected devices, and many of the companies have released software updates.
The firm has been working with several organizations to coordinate the disclosure of the flaws.