The picture it paints of routers and the so-called ‘smart’ devices that make up the rapidly expanding Internet of Things (IoT) is not pretty.
The researchers sum up their findings as follows:
“Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries. This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices.”
The research team investigated several SOHO routers and NAS devices offered by a range of manufacturers, including:
- Asustor (a subsidiary of ASUS)
Sadly, devices from every manufacturer listed above had at least one web app vulnerability that could allow a remote attacker to gain access to the administrative panel of the device in question. Worse, the researchers reported that they were able to obtain root shells on 12 of the devices, giving them complete control. In six cases, they were able to gain complete control remotely and without authentication.
The most at-risk routers the group tested are the:
- Asustor AS-602T
- Buffalo TeraStation TS5600D1206
- TerraMaster F2-420
- Drobo 5N2
- Netgear Nighthawk R9000
- TOTOLINK (Zioncom) A3002RU
Since the publication of the SOHOpelessly Broken 1.0 report, the research team did say that the general state of security on IoT devices had improved somewhat. That’s a low bar given the sorry state of IoT security to begin with. While things have no doubt improved, there are still miles to go before IoT security could be called anything approaching robust.
In fact, many of the IoT devices being sold today still lack basic web application features like browser security headers and anti-CSRF tokens. Until these kinds of issues are addressed, the conclusions fronted by the SOHOpelessly Broken 3.0 report won’t be much better than they are now.