Ripple20 contains several vulnerabilities in the TCP/IP library from Treck. The vulnerabilities are primarily found on low-level protocols such as IP, TCP or ICMP. These can be addressed and exploited easily by professional and well-informed attackers. In the case of several Ripple20 vulnerabilities, for example, provoking a buffer overflow is sufficient to introduce malicious data packets and take over the IoT device or paralyze the operating system.

In one case, Rhebo identified such communication in a network. The anomaly detection reported a data packet in real-time that was conspicuous by a malformed ICMP checksum and new functions that were unusual for the network's behavior.

Another attack vector using Ripple20 vulnerabilities is based on modified IP headers. In one project, communications were discovered that contained various header errors, including two checksum errors in the IP and TCP protocols, respectively. This erroneous communication was also detected in real- time and was subsequently stopped.

One of the most dangerous possible attacks based on the Ripple20 vulnerabilities leads to the complete takeover of an IoT device. As early as December 2019, Rhebo detected such an attempt on a device. The attacker had presumably compromised a DNS server at a third-party provider that was used for requests by the IoT devices. A regular DNS query from the customer was answered by the DNS server with a suspicious packet. If successful, the attacker could have taken control of the IoT device. However, Rhebo reported the manipulated response directly as anomalous activity. The operator was able to instantly block it and inform the service provider immediately.