Popular consumer and enterprise routers, IoT devices contain remote access vulnerabilities

A new study reveals vulnerability rates are not decreasing in our connected devices -- far from it.
Written by Charlie Osborne, Contributing Writer

As our devices become smarter and Internet-connected, the potential attack surface for cyberattackers increases. 

It is not possible for any machine or device with Internet connectivity to be 100 percent secure from exploit. Firmware, hardware, and connectivity protocol-based vulnerabilities which can be used to hijack devices and their functionality are discovered on a daily basis, and when it comes to Internet of Things (IoT) products, vendors are yet to fully introduce security at the heart of development. 

In 2013, research firm Independent Security Evaluators (ISE) published a study, SOHOpelessly Broken 1.0, which revealed a total of 52 vulnerabilities across 13 SOHO wireless routers and NAS devices offered by vendors including Belkin, TP-Link, Asus, and Linksys. 

See also: Hey Google: What we search for most in cybersecurity .. cyber security?

In a follow-up study, ISE says an examination of today's popular routers and NAS products has resulted in over double the number of security problems and vulnerabilities being discovered in 13 IoT consumer and enterprise-grade devices, resulting in the submission of 125 CVEs. 

The cybersecurity researchers say in the SOHOpelessly Broken 2.0 report that it is likely "millions" of end-user devices are impacted by the findings. 

In 12 out of 13 cases, ISE managed to exploit the routers and NAS devices to obtain remote, root access. Vulnerabilities found included buffer overflow issues, cross-site scripting (XSS) errors, command injection security flaws, XSS request forgery, and SQL injection problems. 

CNET: Spotify wants to know where you live and will be checking in

According to the cybersecurity firm, each device evaluated included at least one vulnerability that could be exploited for remote shell access or to gain unauthorized access to administration panels. In total, six devices were susceptible to remote exploit without authentication. 

ISE contacted the impacted vendors with their vulnerability reports and proof-of-concept (PoC) code. The majority of companies contacted accepted the reports and three worked directly with ISE to mitigate the security issues. However, several vendors are yet to respond to the researcher's findings. 

"Our results show that businesses and homes are still vulnerable to exploits that can result in significant damage," says ISE researcher Rick Ramgattie. "These issues are completely unacceptable in any current web application. Today, security professionals and developers have the tools to detect and fix most of these types of issues which we found, exploited, and disclosed six years ago. Our research shows that they are still regularly found in IoT devices."

TechRepublic: Cybercriminals set sights on bot attacks and mobile apps

The state of our IoT security does not seem to have improved whatsoever despite efforts to streamline vulnerability disclosure practices and the launch of bug bounty programs. 

Every week, new attack vectors against our connected devices are being developed. Trend Micro researchers recently found, for example, that underground forums are facilitating the discussion of ways to attack Internet-connected gas pumps and smart meters. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards