‘Ripple’ effect: Flaws found in protocols impact everything from printers to infusion pumps
Treck Inc. may be one of the most important software companies you’ve never heard of. Engineers at the Cincinnati-based company build networking protocols that end up in everything from HP printers to medical devices made by Baxter International, a Fortune 500 company.
That core software, however, contains no less than 19 vulnerabilities, at least two of which could let hackers remotely commandeer devices running the code. That was the verdict made public on Tuesday by researchers from Jerusalem-based security company JSOF after months of studying Treck’s code.
The discovery highlights how obscure companies can have an outsize impact on the supply chain security of software products around the world. It also shows how painstaking the act of locating and patching vulnerable devices can be.
The further that JSOF researchers dug, the more devices they found running the Treck software. The footprint of devices grew so big that JSOF called in Forescout Technologies, a California-based IoT security firm, to come up with a tally. Forescout estimates that some 30 different vendors could be affected, a number that may grow as the investigation continues. The list of affected companies already includes big names: chip manufacturer Intel, French energy software company Schneider Electric and industrial automation company Rockwell Automation.
JSOF CEO Shlomi Oberman said there was a “ripple effect” by which the vulnerabilities transferred from one vendor to another through mergers and acquisitions, and software construction. (The class of bugs is called “Ripple20.”) That means that tens of millions of devices could be affected by the bugs, JSOF claims.
“It’s been very difficult to track the supply chain up and down, and understand who’s vulnerable, how they’re vulnerable, who they got the code from, et cetera,” Oberman said. “In some of the cases, the vendors ceased operations or the stack is embedded as a component and it’s very, very difficult to patch the vulnerabilities.”
In an emailed statement, Treck Vice President of Sales Denny Davis said the company had fixed all of the vulnerabilities and made those fixes available to customers.
Applying those patches, however, will be easier for some vendors than others. Some of the code is deeply embedded in systems, and some devices can’t be easily updated without interrupting the processes they support.
JSOF’s findings are reminiscent of the slew of bugs that another set of researchers revealed last year in code running on operating systems used at medical and industrial organizations. The buggy code had been around over a decade and was inherited by Wind River after the company acquired Interpeak in 2006. In that case, too, the process of identifying and sealing off the vulnerable software was cumbersome. Nearly a year later, vendors are still discovering the impact of those vulnerabilities and publishing security advisories, said Daniel dos Santos, research manager at Forescout.
The JSOF researchers will present their findings in August at the virtual Black Hat hacking conference. But between now and them, more affected devices could be discovered.
“Although Treck has contacted their immediate customers, there is still a long tail of potentially affected vendors and devices to be discovered,” Forescout said in its analysis of the research.
