Ripple20: What is it and How Does it Threaten Your IoT Environment?
post-template-default,single,single-post,postid-20962,single-format-standard,bridge-core-1.0.4,mega-menu-top-navigation,ajax_fade,page_not_loaded,,qode_grid_1400,qode-content-sidebar-responsive,wpb-js-composer js-comp-ver-5.7,vc_responsive

Ripple20: What is it and How Does it Threaten Your IoT Environment?

IoT Ripple 2.0

Ripple20: What is it and How Does it Threaten Your IoT Environment?

With the rapid growth in the Internet of Things (IoT), the potential threats to device security are alarming. According to Transforma Insights, the IoT Total Addressable Market (TAM) will expand to 24.1 billion devices by 2030, producing annual sales of USD 1.5 trillion. With such huge growth comes increased concern regarding the security of IoT networks.

Ripple20 – What is the Threat?

Security researchers from JSOF have discovered 19 security issues—called Ripple20—that are affecting the low-level TCP/IP software library developed by Treck. The IoT Stack is combined into millions of devices utilized in smart home devices, energy grid equipment, healthcare systems, industrial gear, transportation systems, printers, routers, manufacturing equipment, and more. These security threats could potentially impact businesses from virtually every industry segment.

The security issues discovered by JSOF are believed to enable intruders to avoid network address translation (NAT) and firewalls and to remotely control devices without requiring any specific permission from users. There is a significant risk that devices that utilize the Stack library will remain unpatched due to complicated or untracked software supply chains.

The key issue is that the library is not only used by equipment suppliers but also incorporated into other software suites. This means that many organizations do not even know that they are using this specific piece of code. The risk is compounded by the fact that the insecure library name does not appear in their code.

Ripple20 – Four Critical Weaknesses

Ripple20 has a total of 19 weaknesses, four of which are considered critical with a rating greater than 9 in the CVSS severity scale. These should be addressed immediately as they can be exploited for arbitrary remote code execution (RCE), denial of service (DoS) attacks, and information exposure.

The most severe vulnerability is CVE-2020-11901 which can be triggered by replying to a DNS request from the device and may lead to remote code execution. A sophisticated attacker may be able to use this vulnerability to take over a device from outside the network through DNS cache poisoning. The attacker will need to hijack the hostname resolution of the device by manipulating its DNS server or spoofing a valid IP address like a system update server.

You can see the full list of Ripple20 weaknesses and their information on the JSOF web site here.

Solutions to the Problem


Fortunately, there are things we can do to protect our IoT ecosystems. Those safeguards would include the following:

  • Apply updates: Update to the latest stable version of Treck IP Stack software ( or later). Please contact Treck at Users of devices that include Treck IP Stacks should reach out to their device vendors for support and updates if available.
  • Apply security best-practices: Device users and IoT ecosystem security managers can apply a variety of security measures that can help protect against cyber-attacks. JSOF has provided a list of possible mitigation options that you can reference here.

Leveraging the benefits of MicroAI(TM): As part of your long term solution you can utilize MicroAI™ to detect real-time IoT security threats and to automatically send alerts to key stakeholders. This provides a level of visibility and automated reaction that gives you confidence in knowing that your IoT environment is secure.