Millions of smart home, networking, and other so-called Internet of Things devices, such as HP and Samsung printers, and even the IT management components of enterprise-grade PCs using Intel CPUs, are vulnerable to hacking via the Internet vulnerable to hacking via the Internet.

Researchers at Israeli cybersecurity firm JSOF found 19 separate vulnerabilities in a small 20-year-old TCP/IP stack (a library of networking software code) developed by US-based Trek Inc.

Collectively known as "Ripple20," these flaws "affect hundreds of millions (or more) of devices and contain multiple remote code execution vulnerabilities," JSOF explained on its website yesterday (June 16).

In layman's terms, this means that an attacker could potentially install and execute malware on billions of devices via the Internet. It is even easier if the attacker manages to enter the same local network as the targeted device. [Data could be stolen from printers, the operation of infusion pumps could be altered, and industrial controls could malfunction. Attackers can keep malicious code hidden in embedded devices for years."

In a video posted on YouTube, JSOF CEO Shlomi Oberman shows how a small miniboard computer can hack into an uninterruptible power supply (UPS) using the Ripple20 vulnerability.

Since UPS devices power medical infusion pumps, HP's small office/home office printers, and lamps, if the UPS goes down, the other devices go down as well.

In the video, the brand name has been withheld at the vendor's request, but it is clear that the UPS device appears to be an APC Smart-UPS C 1500 (made by Schneider Electric) and the printer is an HP OfficeJet 8720.

The security advisory for the Ripple20 flaw was released yesterday by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Directorate and Computer Emergency Response Team (CERT) Coordination Center.

According to JSOF, the flawed TCP/IP stack exists in industrial, medical, smart home, networking, enterprise, and retail devices, as well as embedded devices found in the transportation, aviation, government, and energy industries.

Other security advisories have been issued by the Japanese and Israeli government CERTs, as well as by embedded device manufacturers Caterpillar, Rockwell Automation, Green Hills, B. Braun, and Schneider Electric.

HP issued an advisory on the Ripple20 flaw in about 90 different HP and Samsung-branded printers and said it has updated most firmware. Intel issued an advisory regarding Ripple20 defects in its CSME, SPS, TXE, AMT, ISM, and DAL computer management software.

More than five dozen other vendors' devices, including Broadcom, Cisco, Dell, GE, Honeywell, Nvidia, and Philips, may also be vulnerable. [The flawed TCP/IP stack dates back to 1997 and has since been forked into two development paths managed by different companies.

Most of the advice is addressed to device manufacturers and their industrial and corporate clients, and basically consists of upgrading the firmware and software of the device to include the latest version of Trek's TCP/IP stack.

(Oberman told ZDNet that when his company contacted Track about the defect, Trek initially thought the notice was an attempt to extort it.)

Unfortunately, it is not clear what owners of smart home devices and other consumer devices can do other than install software and firmware updates, if any, provided by the device's manufacturer.

According to JSOF, the Ripple20 vulnerability is so pervasive because the Treck variant of the TCP/IP stack is used by so many embedded device manufacturers.

"A single vulnerable component, even a relatively small one in itself, can ripple out and affect a wide range of industries, applications, companies, and people," the JSOF report states. The affected vendors range from one-man boutiques to Fortune 500 multinationals."

Unfortunately, identifying which devices are vulnerable to the Ripple20 flaw is not that easy; JSOF "will provide, upon request, a script to identify the products running Trek," said JSOF at ripple20@jsof-tech. com, providing a contact email address, but it is not clear who will be able to see that information.

The JSOF research team will present more details at the Black Hat USA (virtual) security conference this August, but you can read the technical white paper on the Ripple20 flaw now.