The New (Old) Ripple20 Vulnerability Threatens Printers and Other IoT Devices

Threat Grows as Employees Work from Home for the Foreseeable Future



Jamie Bsales


The work-from-home “new normal” continues into the summer and beyond; quintessential Fortune 500 company IBM has stated that the company has no plans to rush most of its 350,000 employees back into the office anytime soon. This means document and device security will continue to be top-of-mind. In fact, in a recent survey by InnovateMR of 1,000 US-based employees working remotely, 43% of respondents reported that “unprotected devices accessing company data” was the biggest security risk for companies. And under the heading of “When it rains, it pours,” there is a newly uncovered security vulnerability possibly lurking in hundreds of millions of Internet-capable devices sold over the past 20-some-odd years, including the printers and other IoT (Internet of Things) devices home-based employees rely on.


Among the security issues cited by remote employees in a recent survey, unprotected devices was tied for first.



First, some background. When developing a product, software engineers don’t typically write every line of code from scratch; they license off-the-shelf code libraries to execute common tasks. (I mean, why reinvent the wheel, right?) So as the Internet became a thing and enabling devices to access it became essential, many product developers turned to a handy library from Cincinnati-based software company Treck for its lightweight, proven code stack that enabled Internet access via TCP/IP connections.


Fast forward 20 years to the fall of 2019, and ethical hackers from cybersecurity firm JSOF decided to take a close look at this nearly ubiquitous (and seemingly innocuous) bit of code that kept turning up in everything from printers and routers to medical devices to controllers that run the power grid. Turns out, this Treck library is riddled with security holes…19 to be exact (any numerology experts out there care to take a crack at all this?). While some are minor, four of them have earned a rating of 9.8 or higher on the US Department of Homeland Security’s 10-point vulnerability severity scale.


To demonstrate what could happen in the real world, JSOF plugged various devices into a popular uninterruptible power supply (UPS) used to protect equipment from power surges and provide battery backup in the event of a power failure. One of the connected devices was a medical infusion pump. JSOF then used a miniboard computer to hack into the UPS and, exploiting one of the Ripple20 vulnerabilities, turn off the UPS...and the attached infusion pump. Not good for the person who might, in turn, be attached to that infusion pump.


Device manufacturers are scrambling to patch the security holes in the library and are posting firmware updates for products as fast as they can. HP, for example, has updated the firmware for about two dozen HP- and Samsung-branded printers that use the suspect library. But given the sheer number of products affected and the amount of time that has elapsed since they were manufactured, it is unlikely that 100% of these vulnerable devices will be remediated.


Unfortunately, there is no way for IT admins or end users to determine if their devices use the vulnerable library. So the best way to protect yourself (aside from unplugging from the Web entirely) is to make sure your devices have the latest firmware updates on an ongoing basis.