Reverse Engineering Archeology: Reverse engineering multiple devices with multiple versions, to put together a complex puzzle (presented at CODEBLUE2020)

by Shlomi Oberman, Moshe Schön

Summary: Ripple20 is a series of zero-day vulnerabilities discovered in a widely used low-level TCP/IP software library developed by Treck, Inc. and disclosed by JSOF in June 2020. This session focuses on the original research process used to identify and pinpoint the Ripple20 vulnerabilities, their variants, and some attempts to piece together the historical timeline showing how the original software library changed over time.

This was a complex process of reverse engineering multiple devices simultaneously, working in parallel on many different levels. For some of the devices we had to start our research by reverse engineering the firmware update package format, as with HP printer firmware updates. For others, we had to find which processor and memory model was used, and work with architectures seen less often. In total we worked with 6 different devices and multiple versions. We found that some vendors made changes to the underlying TCP/IP code, compiled it differently, or used different parts, resulting in end-products with different vulnerabilities and different versions of the same vulnerabilities.

In this session we will describe how we reverse engineered the devices simultaneously, using comparative techniques to confirm each point. We will explain an interesting outcome of the supply chain ripple effect, and how it is now possible to find a vulnerability affecting hundreds of devices for near zero effort. This research method, and the Ripple20 research in general, highlight the importance of update mechanisms and patches for all devices on the market, no matter where they are located or embedded.