Common storage and router devices are still hopelessly broken

Don’t be lulled into a false sense of security by that shiny new router or network-attached storage (NAS) device – the chances are that it’s no more secure than its predecessors. That’s the finding from a new piece of research that tested multiple devices for security bugs.

In 2013, Baltimore-based security consulting company Independent Security Evaluators (ISE) tested 13 small office/home office (SOHO) routers and wireless access points. It found 57 security bugs and was able to take over 11 of them from outside the local network. No wonder it called its report SOHOpelessly Broken.

So, the industry would have taken this to heart and enhanced its security in the last six years, right? Wrong.

In its update to the test, called SOHOpelessly Broken 2.0, ISE tested another 13 devices, some from the same vendors and some new. They found more than double the number of flaws, filing 125 CVE bugs based on their research. This time around, it got remote root access on 12 of the devices.

The team tested equipment from ASUS, Buffalo, Drobo, Lenovo, Netgear, QNAP, TerraMaster, Seagate, Synology, Xiaomi, Zyxel, and Zioncom.

Typical attacks included bypassing authentication mechanisms altogether. On one device, the team was able to hijack a cookie authentication system by changing the IP address to 127.0.0.1 and issue unauthorized requests via the API.

The project found that some things had changed since 2013, and others had not. Device vendors had taken newer steps to try and protect their software. For example, several used address-space layout randomization (ASLR), which randomizes the memory that programs use and is supposed to make memory-based attacks like buffer overflows difficult. However, they could exploit other flaws to break ASLR and launch their buffer overflow attacks anyway.

One device encrypted the PHP files used to process requests through its web interface but had to store the decryption key on the device, which the team used to access the files and exploit those using PHP’s system() function, gaining shell access.

This comment from the report suggests that the manufacturers were running before they could walk:

Perhaps more interesting is the amount of approaches that have not changed since SOHOpelessly Broken 1.0. Features such as anti-CSRF tokens and browser security headers, which are commonplace in mainstream web applications, are still rare among our sample of devices.

If companies had implemented these basic protections, then the team wouldn’t have been able to hack them, it said.

ISE tried several kinds of attack, often stringing them together to successfully exploit the device. The most successful were cross-site scripting (XSS) and command injection, which are old categories of attack that should be well understood by firmware developers.

Based on the research, Synology seems to come out on top, as its DS218J, a device that ISE included in the 2013 test, didn’t show up in any of the broad attack categories and had the fewest CVEs at just two: a session fixation bug in its Photo Station application and the ability to determine metadata of arbitrary files (both medium severity).

Synology also responded promptly to ISE’s bug reports, which isn’t something the company was able to say about all manufacturers. Some vendors’ methods for handling bug reports had improved in the last six years, and others hadn’t.

In 2013, none of the manufacturers tested had bug bounty programs. Today, Netgear, Synology, Xaomi and QNAP all have bug bounty programs, the report said.

Unfortunately, reporting bugs to several companies was a headache. The researchers got either no co-operation or no response at all from some.

What does all this mean for consumers? The report says that when buying a device, you should look for a history of security vulnerabilities with its vendor, along with how long it takes to fix them.

You should also avoid using the device with the default configuration. Turn off features that you won’t use, especially remote access features. Also, regularly search for patches from that vendor and apply them. Don’t rely on this to happen automatically. As the report pointed out:

It is likely that a significant number of devices are deployed and never updated afterwards. These devices will be vulnerable to any publicly-disclosed issues, even if patched firmware is made available.