Sternum blocks exploitation of critical Ripple20 vulnerabilities
Multilayered cyber security company providing real time embedded protection and visibility for IoT devices, Sternum has successfully blocked the exploitation of multiple critical Ripple20 vulnerabilities. Embedding Sternum’s Embedded Integrity Verification (EIV) into firmware containing the vulnerable TCP/IP stack led to EIV automatically blocking the exploit attempts of the vulnerabilities and reported the attempts in real time.
Sternum’s announcement follows JSOF’s recent discovery of the Ripple20 zero-day vulnerabilities used in an embedded low level TCP/IP library developed by software company Treck. The vulnerabilities affect hundreds of millions of critical IoT devices across numerous sectors, including healthcare, energy, smart homes, and more.
Sternum’s research team reconfirmed JSOF’s findings and successfully exploited some of the critical vulnerabilities on a device. Then, the team installed EIV onto the same device and executed the previous attack. With Sternum’s EIV already embedded, the attempted exploitation was prevented, and the team was alerted in real time of the attempt. The EIV alert included information leading to the exact vulnerable code, enabling the team to quickly patch the vulnerabilities as well as investigate the characteristics of the attempted attack.
Attack success - On the left side, we see the run time information of the Digi Connect Me 9210 board. Here we see that an attack was performed against the device and the 'Malicious code is now running! Crashing the device' string was printed as a result. On the right side, we see the hacker executing the attack script that damaged the device.
“The power of on-device cyber security solutions focused on the exploitation of vulnerabilities will enable sustainable protection amidst the IoT revolution,” said Natali Tshuva, CEO and Co-founder of Sternum.
“Devices will always contain vulnerabilities and trying to patch them all is a losing game. It is essential that IoT device manufacturers embrace solutions that protect devices from exploitation. Vulnerabilities like Ripple20 will continue to be discovered; this is why we are calling for a paradigm shift in IoT cyber security, which requires the adoption of innovative, on-device security solutions that protect IoT devices in real time.”
We have a physical visual showing a LED that is supposed to be flashing, but is now constantly on (after the attack succeeded).
The blocked Ripple20 critical vulnerabilities have a Common Vulnerabilities and Exposures (CVE) score higher than 8, with 10 being the most severe. If exploited properly, these vulnerabilities allow for remote code execution by hackers, enabling them to take complete control of affected IoT devices. Risks of successful exploitation include hackers taking control of remote infusion pumps, stealing sensitive Protected Health Information (PHI) from patients, altering the behaviour of industrial control devices, penetrating other sensitive IoT devices in the same network, and more.
Numerous companies and their IoT devices have been confirmed as vulnerable in light of the Ripple20 discovery. These vendors were vulnerable because they used Treck’s TCP/IP library as a third-party component. Organisations at risk include a Fortune 500 healthcare company whose affected infusion pump could lead to larger attacks on the hospital network; a multinational technology conglomerate whose affected routers and switches could lead to Denial-of-Service (DOS) attacks on networks; a major computer provider in which attacks on its infected printer product line could lead to further attacks on connected enterprises; and an international electric company in which attacks on its affected products might lead to damage on industrial equipment.
Here we see a snapshot of the attack investigation in Sternum ADS’ cloud platform. The information that is shown here points to the vulnerable part of the code that was used to perform the attack and provides more technical information that will help remediate the vulnerability.
Sternum’s EIV is proactive, integrity-based attack prevention embedded automatically into an IoT device’s firmware, including closed-source code, commercial operating systems, and third-party libraries.The solution prevents exploitations of potential IoT device vulnerabilities in real time, preventing all known, unknown, and advanced attacks the moment they strike and before any lasting damage is done to a device or its connected network. EIV can be deployed in any IoT device, including distributed and unmanaged IoT devices that are low on resources.
Sternum works with numerous clients across multiple industries, including medical, Industry 4.0, smart energy, smart cities and more. Sternum has partnered with Telit and Sternum’s solutions will be built into Telit’s xE910 module family to give Telit’s customers in-depth visibility and security for their entire device fleet.