
Common storage and router devices are still hopelessly broken

Don’t be lulled into a false sense of security by that shiny new router or network-attached storage (NAS) device – the chances are that it’s no more secure than its predecessors. That’s the finding from a new piece of research that tested multiple devices for security bugs.

In 2013, Baltimore-based security consulting company Independent Security Evaluators (ISE) tested 13 small office/home office (SOHO) routers and wireless access points. It found 57 security bugs and was able to take over 11 of the devices from outside the local network. No wonder it called its report SOHOpelessly Broken.

So, the industry would have taken this to heart and enhanced its security in the last six years, right? Wrong.

In its update to the test, called SOHOpelessly Broken 2.0, ISE tested another 13 devices, some from the same vendors and some new. It found more than double the number of flaws, filing 125 CVE bugs based on its research. This time around, it got remote root access on 12 of the devices.

The team tested equipment from ASUS, Buffalo, Drobo, Lenovo, Netgear, QNAP, TerraMaster, Seagate, Synology, Xiaomi, Zyxel, and Zioncom.

Typical attacks included bypassing authentication mechanisms altogether. On one device, the team was able to hijack a cookie authentication system by changing the IP address to 127.0.0.1 and issue unauthorized requests via the API.

The project found that some things had changed since 2013, and others had not. Device vendors had taken newer steps to try to protect their software. For example, several used address-space layout randomization (ASLR), which randomizes the memory that programs use and is supposed to make memory-based attacks like buffer overflows difficult. However, the researchers could exploit other flaws to break ASLR and launch their buffer overflow attacks anyway.

One device encrypted the PHP files used to process requests through its web interface but had to store the decryption key on the device, which the team used to access the files and exploit those using PHP’s system() function, gaining shell access.

This comment from the report suggests that the manufacturers were running before they could walk:

Perhaps more interesting is the amount of approaches that have not changed since SOHOpelessly Broken 1.0. Features such as anti-CSRF tokens and browser security headers, which are commonplace in mainstream web applications, are still rare among our sample of devices.

If companies had implemented these basic protections, then the team wouldn’t have been able to hack them, it said.
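
The gap the report describes can be checked on a device you administer. The sketch below is an added example, not code from ISE's report or from any vendor: it audits a captured admin-page response for baseline browser security headers and for POST forms that lack a hidden anti-CSRF token. The header set, the token-name heuristic and the sample response are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Baseline browser protections to look for (an assumed set, not ISE's list).
EXPECTED_HEADERS = ("content-security-policy", "x-frame-options",
                    "x-content-type-options")
# Name fragments that mark a hidden field as an anti-CSRF token (heuristic).
TOKEN_HINTS = ("csrf", "xsrf", "token")

class FormAudit(HTMLParser):
    """Record each POST form and whether it carries a token-like hidden field."""
    def __init__(self):
        super().__init__()
        self.forms = []    # [action, has_token] per POST form
        self._open = None  # the POST form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = None
            if a.get("method", "get").lower() == "post":
                self._open = [a.get("action", ""), False]
                self.forms.append(self._open)
        elif tag == "input" and self._open is not None and a.get("value"):
            hidden = a.get("type", "").lower() == "hidden"
            named = any(h in a.get("name", "").lower() for h in TOKEN_HINTS)
            self._open[1] = self._open[1] or (hidden and named)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_response(raw: str) -> dict:
    """Return missing security headers and POST forms without a token."""
    head, _, body = raw.partition("\r\n\r\n")
    present = {line.split(":", 1)[0].strip().lower()
               for line in head.split("\r\n")[1:] if ":" in line}
    parser = FormAudit()
    parser.feed(body)
    return {"missing_headers": [h for h in EXPECTED_HEADERS if h not in present],
            "forms_without_token": [act for act, ok in parser.forms if not ok]}

# Constructed sample: an admin page as a device might serve it (not real output).
SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "X-Frame-Options: SAMEORIGIN\r\n\r\n"
          '<form method="POST" action="/apply.cgi">'
          '<input type="hidden" name="action" value="reboot"></form>'
          '<form method="post" action="/login.cgi">'
          '<input type="hidden" name="csrf_token" value="9f2c"></form>')
print(audit_response(SAMPLE))
```

A token field being present says nothing about whether the server validates it, so a clean result here is a starting point for review rather than a pass.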

ISE tried several kinds of attack, often stringing them together to successfully exploit the device. The most successful were cross-site scripting (XSS) and command injection, which are old categories of attack that should be well understood by firmware developers.

Based on the research, Synology seems to come out on top, as its DS218J, a device that ISE included in the 2013 test, didn’t show up in any of the broad attack categories and had the fewest CVEs at just two: a session fixation bug in its Photo Station application and the ability to determine metadata of arbitrary files (both medium severity).

Synology also responded promptly to ISE’s bug reports, which isn’t something ISE was able to say about all manufacturers. Some vendors’ methods for handling bug reports had improved in the last six years, and others hadn’t.

In 2013, none of the manufacturers tested had bug bounty programs. Today, Netgear, Synology, Xiaomi and QNAP all have bug bounty programs, the report said.

Unfortunately, reporting bugs to several companies was a headache. The researchers got either no co-operation or no response at all from some.

What does all this mean for consumers? The report says that when buying a device, you should look for a history of security vulnerabilities with its vendor, along with how long it takes to fix them.

You should also avoid using the device with the default configuration. Turn off features that you won’t use, especially remote access features. Also, regularly search for patches from that vendor and apply them. Don’t rely on this to happen automatically. As the report pointed out:

It is likely that a significant number of devices are deployed and never updated afterwards. These devices will be vulnerable to any publicly-disclosed issues, even if patched firmware is made available.

11 Comments

Has an OpenWrt router been evaluated for security issues?
If so, is there one compatible with Suddenlink?
I have a Netgear C3700-100NAS cable modem / router I use with Suddenlink. The problem is that Suddenlink will only upgrade firmware on devices provided by Suddenlink.

Not from what I know and quickly searched online. However OpenWrt is the OS, so it’s not necessary to evaluate some particular router. Current version runs on about 950 models, so you pick the one that suits your needs and flash it over the factory firmware. Other than that, it ships with bare minimum and tight security options, letting the user decide how much to expose. Servers and applications are popular open source projects, which get patched when there is some vulnerability.
For cable or other modems which are not so common, the best solution is to bridge them and connect a dedicated router which will handle the wan protocol.

The research didn’t cover OpenWrt, sadly. It would be really interesting to see how well this stood up against the vendors’ proprietary firmware. Perhaps it’s worth mailing ISE to suggest this.

So, what exactly does Sophos recommend to avoid/fix/correct this problem? Warning everybody that they’re screwed is only helpful if you point them to safe and useful alternatives.
Yes, I know that you report one company (Synology) performed fairly well (as opposed to all the others listed) but does that mean that an install/upgrade should only be to Synology’s products?

So is a solution to put the Sophos FREE firewall in front of, or in place of the poopy routers?

For the average home network you will probably still need your SoHo router for the DSL or cable modem it provides, so it will still be the last step between your computers and the internet (or the first step for someone coming inwards).

But you could put a Sophos free firewall *inside* it, turning your router firewall features off and basically turning it into a modem.

If you do this then you obviously won’t be able to use your router as your Wi-Fi access point any more, or else your access point would be outside your firewall. So you would need to bring your own wireless network card to the party too.

Simply put, if you want to add your own firewall to remove your router from the equation as much as you can, try treating the router as if it were managed by your ISP (or even operated by them on their own premises), and get it to do the minimum needed just to get connected to the internet.

So am guessing this would work from outside in: cable modem (bridged), free Sophos firewall running on old laptop (with 2 Ethernet ports, one via a USB 2.0 to 10/100 Ethernet adapter), wireless router. Hopefully the Sophos SW on the laptop could be managed from inside the network since that laptop would not be in a convenient location.

Exactly. Or you could plug a wireless dongle into the Sophos firewall to get wireless, assuming the Sophos kernel has a driver for it.

(We sell a range of access points for our own hardware – we used to sell a product called the Sophos AP5, which is a cool-looking USB Atheros device with an external antenna. It was never very popular so was discontinued – I have an old one, still carry it around as a backup wireless device. 2.4GHz only but being Atheros it pretty much works with everything :-)

As mentioned above I use a BYO Netgear cable modem on Suddenlink – but it is only flashable via Suddenlink and they will not upgrade firmware on a BYO modem. But IIRC (it’s been a while since I played with it) I can configure that cable modem as a bridge so I could put whatever I want on my side of the cable modem. Can I assume that will be a big step in improving my security exposure? Looking for suggestions as to how to proceed (HW/SW). TIA.

In order to improve your exposure, you first need to know how exposed you are. You might as well not be.
One cannot suggest HW/SW without proper knowledge of many parameters (users, usage, budget, ability to configure more complicated routers).
There are some keywords here, do your research and decide what is best for you.
