Tens of millions of Internet-of-Things, network-connected gizmos at risk of remote hijacking? Computer, engage shocked mode

A bunch of flaws in a commonly used TCP/IP software stack have put potentially tens of millions of Internet-of-Things devices, healthcare equipment, industrial control systems, and other network-connected gear at risk of remote attack, it is claimed. The vulnerabilities are dubbed Ripple20 – because hey, what's a bug reveal …

  1. BebopWeBop Silver badge
    Facepalm

    Set phasers to 'colour me surprised' and phasers to 'deny it all' as we approach the scrapheap planet 'Junk'.

    1. Christopher Reeve's Horse

      But it likely won't get junked until the primary purpose fails, because how would 'your average user' know anything about the security holes? Even if their security had been compromised, they still wouldn't be aware how.

      1. HildyJ Silver badge
        Facepalm

        Tat for Tit (sup)

        That most IoT tat has security issues of varying degrees is not surprising.

        Keep in mind that vendors have almost zero interest in fixing old tat and, even if they wanted to, even in their new gizmos, they often can't push updates, especially firmware, and most gizmos don't allow even a knowledgeable user to pull updates.

        Intelligent gizmos (e.g. temperature control on my fridge) make sense; IoT gizmos (e.g. a shopping list app on my fridge) rarely do.

  2. Anonymous Coward
    Anonymous Coward

    Just another reason

    for me NOT to spend my [insert funding method here] money on this IoT tat.

    Why should my lightbulb need to get permission from some server out there on the internet to allow me to control it?

    Oh wait... planned obsolescence. Just turn off the server and all that kit/tat you spent your hard-earned on is now junk and destined, as the Americans say, for landfill (but preferably your local recycling centre, provided you can book a time slot to go... that is the new normal in Hampshire).

    Turn off the server and sit back and wait for the proles to buy more of your Internet Connected TAT. Then in 18 months (or less), rinse and repeat.

    1. simonlb Silver badge

      Re: Just another reason

      Wait, you have to book a time to go to the tip in Hampshire? And I thought that going to the doctor was a faff. Unless the Hampshire tip is a tourist attraction...

      1. Anonymous Coward
        Anonymous Coward

        Re: 'tip' time

        Yep. The numpties in charge at Hampshire County Council have decided in their infinite (/s) wisdom that you now have to book a time slot to drop off your recycling/waste. One trip per household per week. Thankfully, they have postponed the introduction of their ANPR system.

        IMHO, they really don't want to take your recycling and would prefer you to fly tip it. /sarcastic

        They say that it is to reduce the queues at the recycling centres. If there are queues then why not increase the opening hours? They are still not back to their normal ones and with only 3 vehicles allowed at a time (at my local tip) then Doh! It does not take a blind man on a dark night to realise that you are going to have problems. Numpties the lot of them.

        1. John Brown (no body) Silver badge

          Re: 'tip' time

          Our local one is fully open as normal in terms of days and hours, but they have limited the number of cars on site at one time and there's some arrangement where odd- or even-numbered car number plates are allowed each day. I've not had a need to go so didn't read the notice fully.

          1. Anonymous Coward
            Anonymous Coward

            Re: 'tip' time

            Not everyone has a car. On one occasion I was refused entry to our local council recycling centre because I was on foot. They didn't even ask me to prove I was a local resident - rather than someone who had hidden their vehicle round the corner. An official complaint elicited a reply that the centre had consequently been "given reminder" that pedestrians were allowed.

        2. hoola Bronze badge

          Re: 'tip' time

          The same for Leicestershire and by all accounts there are still people queuing for hours even though they don't have an appointment getting pissed off when they are refused entry. Maybe these are the same people that queued for hours just to get a Big Mac.

          You really cannot help some members of society.

    2. Anonymous Coward
      Anonymous Coward

      Re: Just another reason

      Puerile joke warning:

      [insert funding method here], just like your mum used to say...

  3. Teiwaz Silver badge

    Computer, engage shocked mode

    ...Well, not that shocked.

    IoT devices are like ants at a picnic.

  4. Mike 137 Silver badge

    "Some of the programming blunders..."

    Thank you Shaun - thank you a thousand times! It's about time we all faced up to the fact that that's just what "exploitable bugs" are - no more no less.

    Until software development becomes a genuine engineering discipline with formally ratified standards and an expectation of their universal application by qualified practitioners, we'll never have safe, or even adequate IT systems. Every other branch of engineering demands this - even plumbing.

    1. P. Lee Silver badge

      Re: "Some of the programming blunders..."

      >Every other branch of engineering demands this - even plumbing.

      I suspect plumbers make more money than programmers.

      The attack surface is always going to be a problem. It is why you want a tunnel VPN rather than expose every service. A VPN stack has one function which all users have an interest in, not just IoT makers. Hence, it is likely to be better quality and have fewer bugs.

      We also need better firewall mechanisms. Something like a JSON description of requirements a phone can take a picture of and use to program even rubbish little home routers.

  5. batfink Silver badge

    How many of these things actually have a mechanism for firmware updates?

    Ok, so your Samsung TV probably has a facility for firmware updates, and Samsung probably have servers to do the pushing. But what about the other tat? Baby monitors? Lightbulbs? "Security" cameras? Doorbells?

    Not to mention access - baked-in admin passwords? Or if not, do they rely on the user not having changed the admin password? Either way, you're in trouble.

    1. ThatOne Silver badge
      Devil

      Re: How many of these things actually have a mechanism for firmware updates?

      > your Samsung TV probably has a facility for firmware updates, and Samsung probably have servers to do the pushing

      But do they have the intention to update anything but their latest kit?...

      1. BenDwire Bronze badge
        Boffin

        Re: How many of these things actually have a mechanism for firmware updates?

        My Samsung TV still can't use iPlayer, despite it being supported. Even the support department have run out of ideas.

        On the plus side all my smart lightbulbs have nice fresh firmware - I replaced it with Tasmota, which allows cloud-free operation behind a nice secure firewall. I'm guessing that's not what the IoT vendors were hoping for ...

      2. doublelayer Silver badge

        Re: How many of these things actually have a mechanism for firmware updates?

        >> your Samsung TV probably has a facility for firmware updates, and Samsung probably have servers to do the pushing

        > But do they have the intention to update anything but their latest kit?...

        I can say from experience that they do update older devices. Just a couple of weeks ago, a family member asked for my help to update the firmware on a six-year-old TV from Samsung, and I found firmware for it that is only two weeks old. Of course, this firmware has exactly the same problem that caused them to want to update it, and appears functionally the same in every respect including most of the version number. There is no change log or anything, so it's possible that the server just picks a random date and slaps it on. This seems to be a frequent model for making and releasing firmware updates. Nobody seems to know what it does differently from the last version, but the number's higher so it must do something.

    2. doublelayer Silver badge

      Re: How many of these things actually have a mechanism for firmware updates?

      Usually, they go with one of the following models:

      1. There is a firmware update mechanism that operates online, either directly if the device has network connectivity or through a phone app if not. You never get told what update you're installing, what it does, what it fixes, or even when such an update is occurring. Either the code just changes randomly, or you get an update button with no additional context.

      2. Any firmware updates are published on the manufacturer's website. Sometimes, your product is a rebadged thing, so you have to look for a model number that's not your model number. If you finally navigate that maze, there's a 90% chance that the last firmware file is one you already have. If it's not, you can download a blob which can be uploaded to your device in some way that is not clearly explained. This will have a higher version number or sometimes a completely mutilated one, but no information on what it does. Check whether your device has a card slot, USB port, or a firmware update page on the internal HTTP server. When you provide this blob to your device, it will go unresponsive for thirty seconds while it looks at it. If it doesn't like it, it will brick itself. Then the file will be verified several times to make it hard to put your own firmware in. Then the device will restart. Then the device will see a firmware update file on your USB disk and start the update procedure again...

  6. TeeCee Gold badge
    Alert

    There I was thinking that the real risk was my IoT fridge becoming prematurely obsolete[1]. Turns out that some miscreant resetting the freezer temperature to something likely to promote bacterial growth is the real danger.

    Turns out we need a "Montezuma's Revenge" icon. Who knew?

    [1] aka Last week's scare story to sell Which? subscriptions.

  7. Cynic_999 Silver badge

    Details needed

    Pity there are no details of the bugs in question. I'd like to know whether or not such bugs would be exploitable over a NAT router, which is how most IoT devices would connect to the Internet. (NAT routers have to modify the IP and TCP or UDP headers of all packets, and so may well not pass whatever malformation is required to exploit the bug).

    1. It's just me
      Unhappy

      Re: Details needed

      On the JSOF site they have a video of them exploiting the flaw against an HP printer, a UPS, a smart light, a Digi board and a medical pump. According to the messages displayed during the exploit the devices were behind a NAT and the exploit was delivered in DNS replies from a malicious DNS server. Other methods mentioned in their "Risk Evaluation and Mitigations" include fragmented packets, broadcast & multicast traffic and ICMP.
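The reply above notes that the demonstrated delivery vector was a DNS reply, so the code that parses compressed names in a response is exactly where an embedded stack's robustness matters. The following is an added example, not code from this thread, from Treck or from JSOF: a small Python decoder for DNS names that applies the checks such a parser needs (a bounds check before every read, the 63-octet label and 255-octet name limits from RFC 1035, pointers that may only point backwards, and a cap on compression-pointer jumps so a looping pointer can neither hang the parser nor read outside the packet). The response bytes are constructed for the example.

```python
"""Defensive DNS name decoding: the checks a response parser must apply.

Added example; the sample packet bytes below are constructed, not captured.
"""
from typing import Optional, Tuple

MAX_LABEL_LEN = 63        # RFC 1035: a label is at most 63 octets
MAX_NAME_LEN = 255        # RFC 1035: a whole name is at most 255 octets
MAX_POINTER_JUMPS = 8     # assumed cap; any legitimate name needs far fewer


class MalformedDns(ValueError):
    """Raised when a name cannot be decoded safely."""


def decode_name(pkt: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly-compressed DNS name starting at pkt[offset].

    Returns (dotted name, offset just after the name in the caller's stream).
    Every read is bounds-checked and every limit is enforced before use.
    """
    labels = []
    total = 0          # octets the uncompressed name occupies so far
    end = None         # where the caller resumes; fixed by the first pointer
    jumps = 0
    pos = offset
    while True:
        if pos >= len(pkt):
            raise MalformedDns("name runs past end of packet")
        length = pkt[pos]
        if length == 0:                      # root label terminates the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer (2 octets)
            if pos + 1 >= len(pkt):
                raise MalformedDns("truncated compression pointer")
            target = ((length & 0x3F) << 8) | pkt[pos + 1]
            if target >= pos:                # must point strictly backwards
                raise MalformedDns("forward or self-referential pointer")
            if end is None:
                end = pos + 2
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:    # stops pointer loops outright
                raise MalformedDns("too many compression pointers")
            pos = target
            continue
        if length > MAX_LABEL_LEN:           # also rejects reserved 0x40/0x80
            raise MalformedDns(f"label length {length} exceeds {MAX_LABEL_LEN}")
        if pos + 1 + length > len(pkt):
            raise MalformedDns("label runs past end of packet")
        total += 1 + length
        if total > MAX_NAME_LEN:
            raise MalformedDns(f"name exceeds {MAX_NAME_LEN} octets")
        labels.append(pkt[pos + 1:pos + 1 + length].decode("latin-1"))
        pos += 1 + length
    name = ".".join(labels) + "." if labels else "."
    return name, (end if end is not None else pos)


def try_decode(pkt: bytes, offset: int) -> Optional[str]:
    """Return the decoded name, or None if the input is malformed."""
    try:
        return decode_name(pkt, offset)[0]
    except MalformedDns:
        return None


# Constructed sample: "www.example.com." at offset 0, then at offset 17 a
# compression pointer (0xC0 0x04) back to the "example" label.
SAMPLE_RESPONSE = b"\x03www\x07example\x03com\x00" + b"\xc0\x04"
# Constructed hostile inputs: a pointer loop, a forward pointer, a 64-byte label.
LOOPING_NAME = b"\x03abc\xc0\x00"
FORWARD_POINTER = b"\xc0\x05\x00\x00\x00\x00"
OVERLONG_LABEL = b"\x40" + b"a" * 64 + b"\x00"

if __name__ == "__main__":
    print(decode_name(SAMPLE_RESPONSE, 0))
    print(decode_name(SAMPLE_RESPONSE, 17))
    for bad in (LOOPING_NAME, FORWARD_POINTER, OVERLONG_LABEL):
        print(try_decode(bad, 0))
```

The point of the example is the set of guards, not the decoder itself: each of the constructed hostile inputs would, without the corresponding check, cause an overread, an unbounded loop or an oversized buffer write in a parser that trusts the length bytes.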

  8. gerdesj Silver badge
    Childcatcher

    lol

    VLAN and a properly configured firewall.

    I have several VLANs at home. There's THINGS (802.1Q tag: 15) for the usual IoT stuff and there's SEWER (Tag: 16) for stuff that scares me even more. SERVERS, LAN, MANAGEMENT, PHONES and a few others are obvious, along with DMZ, DMZ2 and more. There's also a ROFLCOPTER VLAN (tag: 22). That's for the wife and her laptop. Her laptop sports Arch Linux and has done for about eight years now.

    Anyone who wants to improve their sysadmin fu should try to please their SO first (lol, fnar). If you want to play with IoT and Home Automation etc then get it approved by the Boss. Think you can do Internets? Ask the Boss. Want to mess around with web proxies and MitM? Get the Boss to test the end experience.

    1. hoola Bronze badge

      Re: lol

      That is all well and good; however, 99.9% of the people with an Internet connection are simply:

      Without the technical knowledge to create a VLAN.

      Have hardware that cannot be configured in such a way.

      Are not bothered.
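Posts 4.1 (a JSON description of a device's requirements that can program even a cheap home router), 7.1 (the mitigations JSOF list: fragmented packets, broadcast and multicast traffic, ICMP, and DNS replies from an untrusted server) and 8 (a separate VLAN for the IoT gear) together describe one design: a per-device allow list enforced at the boundary of a segregated VLAN. The Python below is an added example, not code from this thread or from any router vendor. It reads such a manifest (a JSON shape assumed for the example; it resembles the IETF Manufacturer Usage Description, RFC 8520, but is not that format), validates it, and renders a default-deny nftables forward chain for the IoT VLAN that also pins DNS to the local resolver and drops fragments, ICMP redirects, multicast and broadcast. Interface names and addresses are constructed; the nftables syntax is written from memory and should be checked with `nft -c -f` before loading.

```python
"""Render a default-deny nftables ruleset for an IoT VLAN from a JSON manifest.

Added example; the manifest format, interface name and addresses are assumptions.
"""
import ipaddress
import json
from typing import List, Tuple

LOCAL_RESOLVER = "192.168.15.1"   # assumed resolver on the IoT VLAN

# Constructed sample manifest: what one device declares it needs.
SAMPLE_MANIFEST = json.dumps({
    "device": "smart-bulb",
    "vlan_if": "vlan15",
    "needs": [
        {"proto": "tcp", "dst": "203.0.113.10", "port": 443, "why": "vendor cloud"},
        {"proto": "udp", "dst": "192.168.15.1", "port": 123, "why": "local NTP"},
    ],
})


def validate_need(need: dict, resolver: str) -> Tuple[str, str, int]:
    """Return (proto, dst_cidr, port) or raise ValueError for anything unsafe."""
    proto = need.get("proto")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported proto {proto!r}")
    dst = ipaddress.ip_network(need.get("dst", ""), strict=False)  # rejects "any"
    if dst.prefixlen < 24:
        raise ValueError(f"destination {dst} is too broad for an allow list")
    port = int(need.get("port", 0))
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    if port == 53 and str(dst) != f"{resolver}/32":
        # Devices only ever talk DNS to the local resolver; replies from an
        # arbitrary Internet server never reach them.
        raise ValueError(f"DNS to {dst} refused; only {resolver} is permitted")
    return proto, str(dst), port


def build_ruleset(manifest_json: str, resolver: str = LOCAL_RESOLVER) -> List[str]:
    """Turn a manifest into an ordered list of nftables rules (most specific last)."""
    m = json.loads(manifest_json)
    vlan = m["vlan_if"]
    if not vlan.isalnum():
        raise ValueError("interface name must be alphanumeric")
    rules = [
        # Baseline hardening for the whole VLAN, independent of the manifest.
        f'iifname "{vlan}" ip frag-off & 0x3fff != 0 drop',   # any fragment (MF or offset)
        f'iifname "{vlan}" ip daddr 224.0.0.0/4 drop',        # multicast
        f'iifname "{vlan}" fib daddr type broadcast drop',    # broadcast
        f'oifname "{vlan}" icmp type redirect drop',          # no ICMP redirects in
        f'oifname "{vlan}" ct state established,related accept',
        f'oifname "{vlan}" ct state new drop',                # nothing initiates toward IoT
        f'iifname "{vlan}" ip daddr {resolver} udp dport 53 accept',
    ]
    for need in m.get("needs", []):
        proto, dst, port = validate_need(need, resolver)
        rules.append(f'iifname "{vlan}" ip daddr {dst} {proto} dport {port} accept'
                     f'  # {m["device"]}: {need.get("why", "")}')
    rules.append(f'iifname "{vlan}" drop')                    # explicit default deny
    return rules


def manifest_is_acceptable(manifest_json: str, resolver: str = LOCAL_RESOLVER) -> bool:
    """True if the manifest only asks for things the policy allows."""
    try:
        build_ruleset(manifest_json, resolver)
        return True
    except (ValueError, KeyError):
        return False


def render(rules: List[str], table: str = "iot") -> str:
    """Wrap the rules in a table and forward chain that can be fed to nft -f."""
    body = "\n".join("        " + r for r in rules)
    return (f"table inet {table} {{\n    chain forward {{\n"
            f"        type filter hook forward priority 0; policy drop;\n"
            f"{body}\n    }}\n}}\n")


if __name__ == "__main__":
    print(render(build_ruleset(SAMPLE_MANIFEST)))
```

Two design choices carry the security content: the validator refuses any manifest that asks for a broad destination or for DNS to anything but the local resolver, so a device cannot talk itself out of the segmentation, and the baseline rules sit above the per-device rules so that no manifest entry can re-enable fragments or inbound connections.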

  9. Anonymous Coward
    Anonymous Coward

    MIB for devices

    There is a mandatory requirement for cars to have insurance. If an accident happens with an uninsured vehicle, an industry fund, the MIB, picks up the tab.

    Perhaps there should be a mandatory insurance scheme for vendors of electronic equipment to pay into. It could operate similarly to the Green Dot scheme for recycling, where a portion of revenue goes to the fund?

    For devices registered as above a threshold of importance/criticality, should the manufacturer be unable to remedy in a sufficiently prompt manner, the fund should be available to pay for the costs of updating said devices - also for companies that have gone bust, or closed, etc.

    Allow the fund to recoup costs from vendors etc.

  10. EnviableOne Silver badge

    Ubiquity is an issue

    The devices that Treck's stack is in form a vast list that includes some things that can't be updated quickly and have possibly scary consequences.

    One of the confirmed vulnerable devices is a medical infusion pump; they take 10 years to approve updates...

  11. RLWatkins

    Quick solution:

    Stop connecting all your damn' "Things" to the Internet.

    Have yourself a network-of-things instead, monitor it with your own computer, and if you need to ask your computer what or how they're doing, then do that using secure communications via the Internet.

    Try to remember that the people who decided we should call networks-of-things "The Internet of Things" are all data-collection companies who'd *love* for you to connect all your things to the Internet so they can snoop on them.

    Don't let them get away with it. Hell is already full....


Biting the hand that feeds IT © 1998–2020