“If Ripple20 teaches us anything, it’s that the old rules about updates and exploits will not wash anymore”
I know I’m becoming a grumpy old man (grumpier – Ed). My tolerance for manufacturers that deliver poor products is getting smaller by the year. I haven’t yet got to the point of going nuclear with a company over the shoddy products that they ship, but I came close recently.
Much of this upset comes down to the way that companies are handling security issues, especially fixes in firmware. The inescapable reality is that new security exploits are found all the time – one of this summer’s treats has been the Ripple20 set of exploits, which was found by JSOF (jsof-tech.com/ripple20).
In essence, JSOF found 19 vulnerabilities, including multiple remote code executions. What was special about Ripple20 was the way in which it got out into the wild. The back story here is that these exploits were present in a low-level TCP/IP software library developed by a company called Treck Inc. This library was incorporated into a huge range of products by developers, who essentially bought it as an off-the-shelf component and put it into their products. I’m sure there are vendors who aren’t even aware that the Treck stack was used in their products, especially if they outsourced their software and firmware development to a third party.
Now for the scary part: the best estimates put the number of exposed devices into the billions. Not millions, billions. Treck has released an updated library (version 6.0.1.67 or later) without the issues, which can be compiled up into a new software
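The practical problem the column describes is that a vendor first has to know whether the Treck stack is in a product at all, and then whether the copy it ships is older than the fixed release. The following Python is an added example, not code from the column or from Treck or JSOF: it audits a constructed component inventory (the kind of record a software bill of materials would give you), matches Treck components loosely on supplier or name, and reports devices whose stack version is below 6.0.1.67 separately from devices where the version is simply not recorded. The device names, supplier strings and every version other than 6.0.1.67 are made up for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Version the column names as the release carrying the Ripple20 fixes.
FIXED_TRECK_VERSION = (6, 0, 1, 67)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '6.0.1.66' into a tuple of ints.

    Tuples compare element by element, so (6, 0, 1, 66) < (6, 0, 1, 67)
    and (6, 0, 2) > (6, 0, 1, 67), which is what "6.0.1.67 or later" needs.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Component:
    device: str             # product the component was found in
    supplier: str           # who wrote the component (often not the device vendor)
    name: str               # component name as recorded in the inventory
    version: Optional[str]  # None when the inventory does not record a version


# Constructed sample inventory: device names, supplier strings and all versions
# other than 6.0.1.67 are invented and describe no real product.
SAMPLE_INVENTORY = [
    Component("ip-camera-x1", "Treck Inc.", "Treck TCP/IP", "6.0.1.66"),
    Component("plc-gateway-7", "Treck Inc.", "treck tcp/ip stack", "5.0.1.35"),
    Component("printer-m200", "Treck Inc.", "Treck TCP/IP", "6.0.1.67"),
    Component("ups-controller", "Treck Inc.", "Treck TCP/IP", "6.0.2.1"),
    Component("thermostat-v2", "Treck Inc.", "Treck TCP/IP", None),
    Component("thermostat-v2", "Example OSS", "lwIP", "2.1.2"),
]


def is_treck_stack(component: Component) -> bool:
    """Match on supplier or component name, case-insensitively: inventories
    assembled from several outsourced teams rarely record a third-party
    component the same way twice."""
    haystack = f"{component.supplier} {component.name}".lower()
    return "treck" in haystack


def audit_inventory(inventory: List[Component]) -> Tuple[List[str], List[str]]:
    """Return (devices needing a firmware update, devices whose Treck version is unknown).

    A device is flagged for update when it carries a Treck stack older than the
    fixed release. Missing or unparseable versions are reported separately rather
    than silently treated as safe.
    """
    needs_update: List[str] = []
    unknown: List[str] = []
    for comp in inventory:
        if not is_treck_stack(comp):
            continue
        if comp.version is None:
            unknown.append(comp.device)
            continue
        try:
            if parse_version(comp.version) < FIXED_TRECK_VERSION:
                needs_update.append(comp.device)
        except ValueError:
            unknown.append(comp.device)
    return needs_update, unknown


if __name__ == "__main__":
    outdated, unverified = audit_inventory(SAMPLE_INVENTORY)
    print("Devices carrying a pre-6.0.1.67 Treck stack:", outdated)
    print("Devices with a Treck stack of unknown version:", unverified)
```

The split between "needs update" and "unknown" is deliberate: a missing version in the inventory is exactly the situation the column warns about, so the check surfaces it instead of letting the device pass.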