In almost all tested units, the researchers achieved their goal of obtaining remote root-level access.
Security researchers have uncovered a total of 125 security flaws across 13 small office/home office (SOHO) routers and network-attached storage (NAS) devices that may leave them vulnerable to remote attacks.
The devices ranged from units intended for the general public to high-end enterprise-grade devices, according to the research conducted by a US-based company called Independent Security Evaluators (ISE). The experts routed their focus primarily on devices from well-known and reputable vendors, meaning that the problem may ultimately affect millions of units. (The list of the devices and additional details are available here.)
“Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries,” reads the study. All devices had been updated to the then-latest firmware and were tested in their out-of-the-box configurations.
Each of the 13 devices was found to contain at least one web application vulnerability such as cross-site scripting, operating system command injection or SQL injection that could be leveraged by an attacker to get remote access to the device’s shell or admin panel. Once compromised, the device may be used as a stepping stone for further attacks inside a home or enterprise network.
Other common flaws included authentication and authorization bypasses. In 12 devices, the researchers reached their goal of obtaining remote root-level access. Six units could be remotely exploited without authentication.
ISE reported the vulnerabilities to the affected vendors and praised most of them for getting to work promptly in order to mitigate the issues. (Whether any security updates are eventually installed is another matter, however, as consumers often don’t give much thought to updating their routers and are often not aware of the vulnerabilities therein.) Worryingly, some vendors failed to respond to the reports entirely.
The project, called SOHOpelessly Broken 2.0, built on the company’s research in 2013, which also involved a look under the hood of 13 routers and NAS devices and resulted in the discovery of 52 security holes. As seen from the new study, things don’t appear to have improved over the years.
For more especially on router security, please refer to some of our previous articles:
written by Tomas Foltyn, ESET We Live Security