Threat Intelligence: Ripple20 Puts Healthcare IoT at Particular Risk

Cynerio
News
Jun 17, 2020

The Ripple20 threat (CVE-2020-11896/CVE-2020-11898) announced by JSOF on June 16, 2020 impacts over 50 vendors and hundreds of millions of connected devices across a spectrum of industries. Healthcare organizations are at particular risk since clinical networks are home to inherently-vulnerable connected medical devices and scores of nonmedical IT/IoT and OT devices.

What Is Ripple20?

Ripple20 is a series of 19 critical vulnerabilities in the Treck TCP/IP stack, a software library commonly built into devices or embedded in third-party components of operating systems. Many device manufacturers and organizations affected by the vulnerabilities might not be aware they're vulnerable because they don't know their devices contain the library.

What Is Ripple20’s Impact on Health Care?

Because Ripple20 vulnerabilities can directly jeopardize patient safety, they pose a distinctly serious threat to healthcare organizations. Flaws in the stack enable remote code execution and allow attackers to take total control of targeted medical and IoT devices. 

This can lead to the exposure and theft of PHI, a Denial of Service attack and clinical network shutdown, and even tampering with device functionality to interfere with medical treatment (think tampering with dosages of medicine delivered by infusion pumps, or radiation levels delivered by radiology devices). 

Devices Affected in Clinical Environments

Ripple20 vulnerabilities are embedded in Treck's TCP/IP Internet protocol suite library. Because the library can be incorporated into larger libraries, used as-is, or reconfigured, it is commonly built into the source codes of a wide variety of medical and nonmedical devices. 

Many of these devices are critical to clinical workflows and patient care delivery:

  • Baxter, Sigma series and B. Braun infusion pumps
  • CareStream Radiology devices
  • Schneider APC/UPS devices
  • Digi capsule connectivity engines
  • HP and Ricoh printers

Many undiscovered devices might contain the vulnerable code. However, due to generations of rebranding, formatting, and editing on the part of manufacturers, the original source library remains unidentified, effectively leaving scores of devices unwittingly exposed. Because of the library’s untraceability, there may actually be billions of undiscovered devices compromising networks around the world.

Mitigating the Threat

Trek released an update for the TCP/IP stack affected by Ripple20. The new software library (6.0.1.67) can be installed to patch affected devices and address the vulnerabilities. However, patches are released by vendors, leaving devices and their networks exposed until the patch is prepared and installed. In many cases, the vendor responsible for the device component affected by the library can’t be identified, rendering the device unpatchable. Other devices may not be able to be patched at all (i.e. legacy devices with unsupported operating systems).

How Can Cynerio Help?

Hospitals can have tens of thousands of devices on their networks and scoping out those affected by Ripple20 and applying compensating controls manually can be quite the challenge. 

Cynerio expedites these processes with automated solutions:

  1. Full device inventory (including model, OS, medical criticality, vendor, and location) conducted in a matter of minutes.
  2. Ongoing identification of affected devices that details the scope of exposure to Ripple20 vulnerabilities as more vulnerable devices join the network.
  3. Define and enforce custom segmentation policies. This is often the only way risks associated with unpatchable devices can be mitigated. In healthcare environments, downtime and disconnection isn't an option. Segmenting devices protects them from threats and simultaneously ensures uninterrupted services and continuous patient care.

To schedule a free risk assessment and learn which devices on your network are affected by Ripple20 and other vulnerabilities, contact us today.