Ripple20 Vulnerabilities: A major risk for IoT Medical Devices

Medical device security risks: 19 vulnerabilities called Ripple20 have been uncovered by researchers at JSOF. These flaws impact the TCP/IP communication stack found in hundreds of millions of connected devices. The key takeaway is that Ripple20 has extensive impact, magnified by the supply chain factor. The wide-spread adoption of the software library (and its internal vulnerabilities) is a natural consequence of the supply chain "ripple-effect"

The healthcare sector is prone to a host of risks plaguing its IT systems and networks. These new vulnerabilities discovered by JSOF add to those woes, calling for holistic risk governance in healthcare organisations. 

• Flaws are in the widely used low-level TCP/IP software library developed by Treck and include multiple remote code execution vulnerabilities. Treck is an Ohio-based developer of low-level network protocols for embedded devices. 
• Most of the flaws are caused by memory management bugs.
• These high risk vulnerabilities could allow an attacker to perform a host of malicious activities, such as stealing data, implacting the functionality of an infusion pump or causing a device to malfunction.
• Four of the flaws are ranked as critical. Two are listed at the highest security level. Two are ranked as 9.0 out of 10. One flaw could caus an information leak with a severity rank of 9.1. 
• An exploit could allow a hacker to gain access from outside the network. 
• Research shows that vulnerabilties are in critical IoT devices from a range of sectors, internal vendors supporting medical and enterprise industries, among others. 
• Many sectors could therefore be affected by these device flaws, including the government and national security sectors. However, the full impact is hard to calculate given that some impacted vendors also distribute software based on Treck's design. 
• While a single vulnerable component may be relatively small, it can ripple outwards to impact a wide range of industries, applications, companies and people. 
• All of Treck’s customers were notified of the flaw, while the company did release patches for the list of flaws discovered by JSOF. But given the spread of the impacted software, it’s likely these flaws will persist—with some remaining unpatched—for the foreseeable future.
• In addition to performing a proper impact analysis and risk assessment and prior to employing other defensive measures, organisations should minimize network exposure for all control system devices and or systems and make sure they’re not accessible to the internet. IT administrators should locate control system networks and remote devices behind firewalls, while isolating them from the enterprise network. If remote access is required, secure methods should be leveraged for access, such as the use of a Virtual Private Network (VPN). It is also important to recognise that VPN is only as secure as the connected devices, advising the use of an internal DNS server that performs DNS-over-HTTPS for lookups.

PANACEA Research perspectives: The PANACEA market analysis has showed that the medical IoT market is expected to reach a double digit CAGR of 41.38% during the period 2019-2028. According to Deloitte, the mIoT market in Europe alone is expected to grow from 11 billion in 2017 to 40 billion in 2022, while the European medical technology market was estimated at roughly 115 billion in 2017. The European regulatory framework ensures the safety and efficacy of medical devices and facilitates patients’ access to devices in the European market with a new regulation coming into force in May 2021 to ensure better protection of public health and patient safety. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC

Lookout Watch entry date: 14.01.2020