Skip to main content

Major security vulnerability could leave critical infrastructure defenseless

 

Update:

Recommended Videos

As of July 9, an Israeli company has announced that they had found a way to successfully block hackers from exploiting “multiple critical Ripple20 vulnerabilities,” they said in a statement. The Israeli company Sternum, which works on security for IoT devices, said they used a proprietary embedded integrity verification system (EIV) on the devices in question. EIV is a method of verifying that a file has not been corrupted, and that the file is what it says it is. The new method effectively corrected the vulnerabilities, and is also device agnostic, so would work across machines industries, they said. Sternum also said they are working with “industry leaders” to implement the changes and are expecting more outreach.

Original Article:

Think 2020 is bad? It could get a lot worse: An Israeli firm says a massive software vulnerability could mess with our critical infrastructure.

In this case, this is a vulnerability involving a software company called Treck, Inc.. The Cincinnati-based firm provides software for a range of companies to allow their devices to talk to the internet, powering everything from transportation to medical devices, home security cameras, power grids, aviation, and more. According to Jerusalem-based security research firm JSOF, a range of bugs in Treck’s code would allow a remote hacker to easily gain access to any device using Treck’s software and control it.

“These vulnerabilities are so low level that you can penetrate network security, and firewalls, and take over the device,” said Natali Tshuva, founder and CEO of the Internet of Things security company Sternum. “From that moment, the hacker has remote control and can do anything they want.”

These bugs, which JSOF have named Ripple20, occur when layers and layers of code get wrapped into each other for complex devices. It’s like taking someone else’s Lego tower and using it as the basis to build your own. There might be bad bricks in that person’s Lego, but if it’s a complicated structure, it will be hard to see that.

Power Lines
George Rose / Getty Images

“When you manufacture an IoT device, or a medical device for example, you don’t write the whole code yourself,” Tshuva said. “You take some third-party code for certain things, like communications. A lot of manufacturers, they can’t really assess the quality of the third-party code in their devices, and they have no security solutions to protect against third-party vulnerabilities,”

Most major parties insist that all the Ripple20 holes have already been patch. Treck told Digital Trends in a statement that it was “recently made aware” of JSOF’s research, which Treck “acted upon immediately.”

“Treck has fixed all issues that were reported and made them available to our customers either through our newest code release, or patches,” the spokesperson wrote.

In its rundown, JSOF included the names of more than 70 companies that were either possibly or definitely affected by these software holes. Texas Instruments, which was listed as possibly being affected, told Digital Trends that their products had not been impacted.

Two of the biggest names, Intel and Caterpillar, told Digital Trends that they were aware of the problem and either were in the process of fixing it or had already fixed it. Caterpillar said it had been alerted by the Department of Homeland Security and were working to identify the potential impacts. Intel recommended that everyone keep their systems updated as a good countermeasure.

Treck’s Ripple20 patching problem

Keeping systems updated, especially if most of the devices affected were large industrial or health care-related machines, isn’t as simple as downloading an app and installing an update, said Axel Wirth, chief security office at MedCrypt, which works on cybersecurity for healthcare providers.

In order to update a system, Wirth said, you need first need an approved version of the software from the vendor, and then you need the time to install it, and then get the relevant machines up and running again. For manufacturing or healthcare operations, which often operate 24/7, finding that time is incredibly difficult. Another problem, especially in health care, he said, is that while a software vendor may know who an initial customer is, sometimes that equipment is sold onward.

“After 10 or 20 years, it’s not uncommon when a hospital upgrades that it will sell its old devices to secondary markets,” Wirth said. “At that point, you lost track of where your device is.” That device is likely to be left un-updated, and therefore still vulnerable.

At the end of the day, said Chris Kennedy, chief information and security officer of cybersecurity firm AttackIQ, these kinds of vulnerabilities are never going to leave us. “The focus on the vulnerability is the wrong thing,” Kennedy told Digital Trends. “These systems are complex and poor in quality, and it’s that way so we can keep costs low. Sure you can increase the quality and make things better, but would you pay $200 for an app on your phone?”

Kennedy compared a system vulnerability to a robber breaking into a house. Having a lock on the door is a good deterrent, but after the robber has broken the lock, what else is there? Do you have an alarm system? Is there also a lock and an alarm system on the safe? Are there cameras in the house? Too often, Kennedy said, companies stop their security at the cyber equivalent of putting a wall around the house and then do nothing else.

“Stop trying to build the wall higher, and make sure the front door is locked, and make sure other layers of security are in place when the robber gets in the front door,” Kennedy told Digital Trends.

Maya Shwayder
I'm a multimedia journalist currently based in New England. I previously worked for DW News/Deutsche Welle as an anchor and…
This modular Pebble and Apple Watch underdog just smashed funding goals
UNA Watch

Both the Pebble Watch and Apple Watch are due some fierce competition as a new modular brand, UNA, is gaining some serous backing and excitement.

The UNA Watch is the creation of a Scottish company that wants to give everyone modular control of smartwatch upgrades and repairs.

Read more
Tesla, Warner Bros. dodge some claims in ‘Blade Runner 2049’ lawsuit, copyright battle continues
Tesla Cybercab at night

Tesla and Warner Bros. scored a partial legal victory as a federal judge dismissed several claims in a lawsuit filed by Alcon Entertainment, a production company behind the 2017 sci-fi movie Blade Runner 2049, Reuters reports.
The lawsuit accused the two companies of using imagery from the film to promote Tesla’s autonomous Cybercab vehicle at an event hosted by Tesla CEO Elon Musk at Warner Bros. Discovery (WBD) Studios in Hollywood in October of last year.
U.S. District Judge George Wu indicated he was inclined to dismiss Alcon’s allegations that Tesla and Warner Bros. violated trademark law, according to Reuters. Specifically, the judge said Musk only referenced the original Blade Runner movie at the event, and noted that Tesla and Alcon are not competitors.
"Tesla and Musk are looking to sell cars," Reuters quoted Wu as saying. "Plaintiff is plainly not in that line of business."
Wu also dismissed most of Alcon's claims against Warner Bros., the distributor of the Blade Runner franchise.
However, the judge allowed Alcon to continue its copyright infringement claims against Tesla for its alleged use of AI-generated images mimicking scenes from Blade Runner 2049 without permission.
Alcan says that just hours before the Cybercab event, it had turned down a request from Tesla and WBD to use “an icononic still image” from the movie.
In the lawsuit, Alcon explained its decision by saying that “any prudent brand considering any Tesla partnership has to take Musk’s massively amplified, highly politicized, capricious and arbitrary behavior, which sometimes veers into hate speech, into account.”
Alcon further said it did not want Blade Runner 2049 “to be affiliated with Musk, Tesla, or any Musk company, for all of these reasons.”
But according to Alcon, Tesla went ahead with feeding images from Blade Runner 2049 into an AI image generator to yield a still image that appeared on screen for 10 seconds during the Cybercab event. With the image featured in the background, Musk directly referenced Blade Runner.
Alcon also said that Musk’s reference to Blade Runner 2049 was not a coincidence as the movie features a “strikingly designed, artificially intelligent, fully autonomous car.”

Read more
Apple TV+ just got a price slash that’s tough to resist, and it won’t last long
The Apple TV main screen.

Apple has just quietly announced that it will be slashing the price on its Apple TV+ offering for a limited time deal.

While Apple prices the service at a standard $9.99 per month usually, it has just cut that way down to $2.99 per month.

Read more