So I’ve been trying to write a post on Ripple20. Quite unsuccessfully, I might add. To explain what it is, I need to immediately start talking about things like implementations of the TCP/IP communications stack. Or I can forget the tech details and just write about the implications. Neither is appealing.
And I don’t know that I can write about the implications without sounding like the sky is falling. Maybe it is. Maybe it has mostly fallen.
When the Cybersecurity & Infrastructure Security Agency (which was apparently named by the Department of Redundancy Department at DHS) says things are bad with medical devices, well, things are not good. Ripple20 vulnerabilities affect IoT devices across all industries.
More than a dozen vulnerabilities, collectively named Ripple20, affecting the TCP/IP communication stack used in hundreds of millions of embedded devices paint a grim scenario for connected gadgets.
Some of the flaws are critical and can be exploited to gain remote control of all vulnerable devices on the network. They impact such a wide spectrum of products from so many vendors that it is easier to count those that are not affected.
Some of the stacks will be implemented in such a way that updating or replacing them will simply not be possible. Most will not be updated because of vendor and end-user apathy. I’m sure most reputable vendors, for things like medical equipment, will provide updates eventually. But medical equipment needs to be vetted by the FDA, and that won’t happen tomorrow.
So here’s some info on the problem as of the 24th: a list of Ripple20 vulnerability advisories, patches, and updates.
If you have IoT devices in your home, and they are not keeping you alive, you might want to get rid of them, unless you can verify that they are not impacted. Good luck with that, because some of the vendors have gone out of business. The TCP/IP stack code, written in C, is over 20 years old. (Do you know which TCP/IP stack implementation is in your color-changing light-bulbs that are so fun to change with your smartphone?) If you have stuff that is important, put it on a segmented network, and try to see what the vendor has to say.