Yet another problem in IoT security
A SLEW OF FLAWS have been found in 13 small office/home office (SOHO) routers and network attached storage (NAS) devices, which could leave millions vulnerable to hacking.
Discovered by Independent Security Evaluators (ISE), some 125 different security vulnerabilities were found in the 13 devices from the likes of Synology, Zyxel, Lenovo, Netgear and Xiaomi. The research has been dubbed SOHOpelessly Broken 2.0; see what they did there.
The researchers from ISE noted that these devices all contain at least one web application vulnerability that could enable a hacker to gain administrator access to a device or remote shell access, thereby allowing for the remote compromise of the devices.
“We obtained root shells on 12 of the devices, allowing complete control over the device including six which can be remotely exploited without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU,” the researchers explained.
Before conducting their hacking experiments, the security-savvy folks ensured the devices they were testing had the latest publicly available firmware and then tested in an “out-of-the-box” configuration.
The research followed a four-step process that involved reconnaissance of information about the devices, then “service enumeration” which looked at the default services on the devices, which fed into a process to gain access to the device and subsequently develop an exploit for the flaws discovered. From doing this, the boffins found all 13 devices vulnerable to some form of hacking.
The vulnerabilities have been disclosed to the companies involved with most being responsive and acknowledging the flaws, though some were apparently more tricky to get hold of and thus the flaws were made public.
The researchers seemed to aim blame for the flaws at the lack of strong security around internet of things (IoT) devices.
“The growth of security awareness through programmes such as bug bounties may result in vulnerabilities being patched, but their existence in the first place is troubling,” the researchers said.
“Trivially exploited OS CMDi vulnerabilities, for example, are common in the devices we researched. Such flaws would be considered unacceptable in modern web applications in non-IoT environments. Patching vulnerabilities after the device release is also problematic. It is likely that a significant number of devices are deployed and never updated afterwards. These devices will be vulnerable to any publicly-disclosed issues, even if patched firmware is made available.”
The researchers offered no solution to such problems, but we’d suggest you make sure you get a router and other IoT devices with solid security built-in, or at least be prepared to roll your sleeves up and make sure your own routers and NAS setups are as secure as they can be. µ