Incident Of The Month: Ripple20 Exploits

IoT devices are notorious for their lack of cybersecurity. In June 2020, a number of existing and widespread vulnerabilities became known, grouped together under the name Ripple20. An analysis of our findings from past and current projects suggests that some of the activities identified by Rhebo on IoT devices and in industrial networks are related to these vulnerabilities. The “Incident Of The Month” summarizes the highlights.

Finding #1: Malformed Data Packages

Rhebo Industrial Protector ICMP Invalid

Ripple20 contains several vulnerabilities in the TCP/IP library from Treck. The vulnerabilities are primarily found on low-level protocols such as IP, TCP or ICMP. These can be addressed and exploited easily by professional and well-informed attackers. In the case of several Ripple20 vulnerabilities, for example, provoking a buffer overflow is sufficient to introduce malicious data packets and take over the IoT device or paralyze the operating system.

In one case, Rhebo identified such communication in a network. The anomaly detection reported a data packet in real-time that was conspicuous by a malformed ICMP checksum and new functions that were unusual for the network's behavior.

Finding #2: Erroneous Header

Another attack vector using Ripple20 vulnerabilities is based on modified IP headers. In one project, communications were discovered that contained various header errors, including two checksum errors in the IP and TCP protocols, respectively. This erroneous communication was also detected in real- time and was subsequently stopped.

Rhebo Industrial Protector IP Header Error

Finding#3: Attempted IoT Device Capture

Rhebo Industrial Protector DNS invalid

One of the most dangerous possible attacks based on the Ripple20 vulnerabilities leads to the complete takeover of an IoT device. As early as December 2019, Rhebo detected such an attempt on a device. The attacker had presumably compromised a DNS server at a third-party provider that was used for requests by the IoT devices. A regular DNS query from the customer was answered by the DNS server with a suspicious packet. If successful, the attacker could have taken control of the IoT device. However, Rhebo reported the manipulated response directly as anomalous activity. The operator was able to instantly block it and inform the service provider immediately.

Overall Protection of ICS and IoT from Cyberattacks and Error States

With dedicated monitoring solutions, Rhebo protects both industrial control systems (ICS) and connected IoT devices against cyberattacks, manipulation and technical error states.

Anomaly detection and automated threat prevention ensure integrated cybersecurity of industrial automation networks and distributed IoT devices in the global IoT network.