In a cybersecurity study of network attached storage (NAS) systems and routers, Independent Security Evaluators (ISE) found 125 vulnerabilities in 13 IoT devices, reaffirming an industrywide problem of a lack of basic security diligence. The vulnerabilities discovered in the SOHOpelessly Broken 2.0 research likely affect millions of IoT devices.

“Our results show that businesses and homes are still vulnerable to exploits that can result in significant damage,” says lead ISE researcher Rick Ramgattie. “These issues are completely unacceptable in any current web application.”

An attacker can obtain a foothold within a network in businesses and homes to exploit and compromise additional network devices, snoop information that passes through the devices, reroute traffic, disable the network, and perform additional outbound attacks on other targets from the victims’ networks.

ISE selected devices from a range of manufacturers. Products ranged from devices designed for homes and small offices to high-end devices designed for enterprise use. In addition to new devices, ISE included some devices from earlier research to determine whether manufacturers have improved their security approach or practices over the years.

Key findings

In nearly all the devices (12 of the 13), ISE achieved its goal of obtaining remote root-level access. The table below shows the types of vulnerabilities that ISE identified in the targets.

* The issues researchers reported to Synology (Session Fixation and the ability to Query Existence of Arbitrary Files) were included in this table.

** Though the Drobo does not include a web application by default, ISE include vulnerabilities that appear in its optional web application here.

All 13 of the devices evaluated by ISE had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device’s shell or gain access to the device’s administrative panel. ISE obtained root shells on 12 of the devices, allowing complete control over the device.

Six of them can be remotely exploited without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.

“We found that many of these issues were trivial to exploit and should have been discovered even in a rudimentary vulnerability assessment,” says ISE founder Stephen Bono. “This indicates that these manufacturers likely undergo no such assessment whatsoever, that the bug bounty programs they employ are ineffective, that vulnerability disclosures sent to them are not addressed, or more likely, all of the above.”

IoT security recommendations

Device manufacturers:

IoT vendors have increased their presence in the security community, albeit without any substantial increases to device security.

Manufacturers should train their developers on security best practices and use either internal or external security teams to assess the software running on their devices.

Software must be developed with security in mind from the initial planning stages in the software lifecycle and considered at all other stages.

Manufacturers should rely on qualified rigorous testing, not just hacking events or bug bounty programs for security assessments.

Prepare and release firmware upgrades that address these issues and other known vulnerabilities.

Enterprise users:

When purchasing devices, consider how a manufacturer has handled patching issues and the length of time that devices are supported.

After devices have been purchased and installed, harden them by disabling unused features, enabling security controls if available, and implementing a patching strategy to regularly apply firmware updates.

Avoid remote access and administration features whenever possible as they expose the device to adversaries on the Internet.

Conduct security assessments or vet devices before deploying them in networks.

UPDATE: Monday, September 23, 2019 – 10:42 PM PT

Stanley Hsu, Software Product Manager of ASUSTOR reached out with a comment: “ASUSTOR promptly responded to ISE’s vulnerability submission. The researchers tested ASUSTOR AS-602T with firmware 3.1.1, we fixed these vulnerabilities in firmware 3.1.3 (2018/5/31).”