IoT Roundup

IoT roundup: Ripple20 effects and mitigations, more COVID-focused IoT, research on risky devices

nw iot news internet of things smart city smart home7
Getty Images

While there are common design flaws that affect lots of different IoT devices – default passwords, no ability to patch – these are, more often than not, the responsibility of a single vendor.

Not so for the Ripple20 vulnerabilities, which were made public last month by Israeli cybersecurity company JSOF. These vulnerabilities – which include several opportunities for remote code execution – were found in a proprietary lightweight TCP/IP stack that’s used in a huge variety of IoT devices, including industrial-control systems, printers and medical devices.

The issues were first discovered in September 2019 and a patch has since been issued, but actually getting the updated software onto every device affected will be a mammoth undertaking, requiring a lot of work from vendors at several different levels of the supply chain. It can even be difficult to quickly ascertain whether a given company’s devices might be affected, according to experts. No “in-the-wild” exploits are currently known, but it would behoove most companies to delve into their supply chains to find out whether there’s a vulnerability present.

The industry has scrambled to cope with Ripple20, as traditional security scanners aren’t great at identifying security holes of this type. Vendors are moving quickly to integrate Ripple20 detection capabilities into their products, however. Network security startup Ordr has advertised a new suite of Ripple20-focused features for its Systems Control Engine product, for one, and big players including Cisco and Trend Micro have implemented the ability to detect whether the flaw is present.

There’s still no quick-and-easy way to directly patch the vulnerabilities, however, so most authorities urge caution and mitigation – sequestering potentially vulnerable devices on their own network segments could be valuable.

Broadcom sells its IoT division to Synaptics

Synaptics, perhaps best known for making that driver for the touchpad on your laptop, snapped up Broadcom’s wireless IoT division in a $250 million cash deal, the company announced this week.

The deal grants Synaptics the rights to certain Wi-Fi, Bluetooth and global-positioning products that are designed for the IoT market, and the company said that it expects a roughly $65 million bump to its annual revenues. The deal is expected to close in the first quarter of the 2021 fiscal year.

And if that all sounds familiar, that’s because this is actually the second time that Broadcom has developed a wireless IoT business and subsequently sold it off. The company let the previous iteration of its wireless IoT division go to Cypress Semiconductor for $550 million in 2016. Certainly a fact worth remembering for engineers – if you take an IoT-related job with Broadcom, be prepared not to be there all that long.

Forescout on the riskiest IoT devices

Late in June 2020, Forescout released a report detailing, among other things, the most and least insecure types of IoT devices, and the surprising winner is physical-access control systems. The serious potential consequences of a breach involving that type of device, coupled with the frequently open ports and presence of known vulnerabilities, puts them atop the list.

Other IoT devices particularly vulnerable to threats included medical devices, smart-building systems, VoIP phones and networking equipment.

Tech media, and this roundup in particular, spends a great deal of time talking about IoT security, and with good reason. But there are important differences in the severity and impact of the various security flaws out there, so getting a direct comparison is always useful. The full report can be found here.

COVID stoppers in the IoT world

Details about IoT-based efforts to track and prevent COVID infections have been a regular feature of this update since the crisis began, but new technologies keep coming to our attention. Late last month, Taiwan-based CyberLink rolled out a modified facial-recognition system that can detect whether a person is wearing a mask or not. The company’s also working on thermal body imaging and crowd counting systems for its FaceMe product, which can be integrated into retail point-of-sale systems, security cameras and more.