Sunday, June 21, 2020

Dragonfire Demonstrates Ripple20 at Cyber Augusta

Yesterday a team of researchers from Dragonfire Cyber provided a live demonstration of the Ripple20 vulnerabilities at the Cyber Augusta cybersecurity conference in Augusta, GA. Using a mini tank whose drive was controlled by the Robotron MotorSteuerung software, the team demonstrated how the known TCP/IP vulnerabilities could be used to take control of the movements of the vehicle.

 

Kate Libby, a Dragonfire spokesperson, told reporters that this demonstration was originally supposed to be done by company founder Dade Murphy, but due to his current incarceration in Singapore pending possible extradition to China, Dade was not able to make the meeting. “Dade spent two years here in Augusta at Army Cyber Command, so he was very committed to supporting Cyber Augusta,” she told reporters. “The team knew that we had to make this presentation for him.”

 

The mini tank used in the demonstration had US Army Cyber Command markings. There was widespread cheering when it rolled out on stage.

 

A member of the Dragonfire team who was not authorized to speak to reporters told me that the demonstration was particularly interesting because on Friday Robotron published an advisory stating that none of their products were affected by the Ripple20 vulnerabilities.

 

Robotron provided the following statement but refused to answer any questions about the demonstration.

 

“We published the Ripple20 advisory based upon the fact that we had not used the affected TCP/IP stack in any of our products. If the Dragonfire demonstration is an accurate portrayal of an attack on our MotorSteuerung software, then we have to conclude that the vulnerable TCP/IP stack is part of a third-party component of the software. We are in the process of working with the appropriate vendors to try to get to the bottom of the issue.”

 

Immanuel C. Securitage from ECS-CERT said: “Third-party software vulnerabilities are an ongoing problem in the cybersecurity arena. Vendors need to understand the vulnerabilities in the software libraries and components that they use and ensure that they are adequately mitigated when used in their products.” He refused to comment on yesterday’s Dragonfire demonstration.

 

CAUTIONARY NOTE: This is a future news story –

