Researchers Uncover 125 Vulnerabilities Across 13 Routers and NAS Devices

Independent Security Evaluators (ISE) discovered a total of 125 different security vulnerabilities across 13 IoT devices, likely affecting millions of consumers. Help Net Security reports: In nearly all the devices (12 of the 13), ISE achieved its goal of obtaining remote root-level access. The table below shows the types of vulnerabilities that ISE identified in the targets. All 13 of the devices evaluated by ISE had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device's shell or gain access to the device's administrative panel. ISE obtained root shells on 12 of the devices, allowing complete control over the device.

Six of them can be remotely exploited without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU. "We found that many of these issues were trivial to exploit and should have been discovered even in a rudimentary vulnerability assessment," says ISE founder Stephen Bono. "This indicates that these manufacturers likely undergo no such assessment whatsoever, that the bug bounty programs they employ are ineffective, that vulnerability disclosures sent to them are not addressed, or more likely, all of the above."

OpenWRT

[weilawei]

Apply as needed, once per router.

Re:

[guruevi]

Some of those things aren't routers and/or have chips that don't run (yet) with OpenWRT or any of the other firmware's with some even implementing TPM to prevent custom firmware.

People need to get back to knowing more about the computers they run and demand or buy only things that can run replaceable or open software.

Re:

[bobstreo]

Some of those things aren't routers and/or have chips that don't run (yet) with OpenWRT or any of the other firmware's with some even implementing TPM to prevent custom firmware.

People need to get back to knowing more about the computers they run and demand or buy only things that can run replaceable or open software.

A good start is to run a port scanner on anything you toss onto your network and create appropriate rules on your router/firewall...

Re:

[youngone]

People need to get back to knowing more about the computers they run...

Those NAS boxen are sold on the basis of being turn-key type devices. The people who buy them are not likely to have heard of SMB or CIFS or whatever, and have no interest.

Re:

[Puls4r]

Sorry, but no. You're essentially saying that every person who drives a car should be a mechanic, an electrician, and understand your car's ignition chip system too.

Consumers should not need to understand the inner functioning of their router. I'm a fairly tech savvy individual, and the thought of spending a day trying to patch the firmware on my nighthawk and then re-setting up my network is not something I'm even going to bother to do.

I'll just hope that my modem's security, in front of my firewal

Re: OpenWRT

[e3m4n]

If its truly a modem it has no security. It acts as a bridge. Whatever goes in one side comes out the other.

This is true for
2wire and 4wire HDSL used as t1 smartjacks
IDSL
ADSL2+
SHDSL
VDSL and VDSL2
GPON
As well as cable modems

Now if it has an integrated router, then its basically two devices in one. But dont put much stock in them. They all use the same reference code and same utils. This is why for a while everyone had to manually kill their SIP ALG because the one appearing on 90% of these service provider de

Re:

[jabuzz]

Every person driving a car should know that they need to get it regularly serviced. Need to be aware that it might need maintenance earlier than the service interval. In most jurisdictions it will likely have to pass a mandatory road worthiness test on a yearly basis. They will in most jurisdictions require to have insurance cover and passed a competency test on their driving skills before being allowed to operate the vehicle on the road.

So while consumer do not need to understand the intricate details of t

Re:

[kilodelta]

Well yes indeed. I'm one who reads owners manuals. I should say skips to the section on PM and goes from there. But the car I drive will tell me when it's time to change the oil, rotate the tires etc.

Re:

[war4peace]

On top of that, OpenWRT (or DD-WRT) have some limitations preventing them from fully using the hardware power of the router chipset. For example years ago I had a TL-WDR3600 router (offered by my ISP) which allowed DD-WRT and I installed it on the router. Afterwards, I couldn't reach download speeds greater than 200 Mbit/s because DD-WRT didn't use hardware-based network acceleration, only software-based protocols. It's like running a video without hardware acceleration, your CPU usage would spike and you w

Re:

[chuckugly]

I'm running DD-WRT on several routers here and have no issues with the built in switch etc. running as it should. Might be a case of choosing hardware that's suitable I guess. These routers are explicitly listed by the maker as suitable for DD-WRT.

I'm on gigabit fiber with no problems.

Re:

[war4peace]

Could you please list the exact router models?
I have switched to Ubiquiti router and AP about 9 months ago and they work great, but I have a secondary (currently unused) Internet connection and I would like to connect a fully DD-WRT compliant router to it.

Re:

[sad_]

"Some of those things aren't routers and/or have chips that don't run (yet) with OpenWRT"

only buy gear that allows for installing openwrt or when buying a phone that allows a custom rom, etc.
if there is an OSS alternative, be sure the device you're looking at supports it.

yes, it is an extra step, but it is better then just blindy buying stuff, complete with security issues and planned obsolescence.

Film at 11 ...

[Retired ICS]

Insecure web interfaces are insecure. Film at 11...

Seriously though, these things are not designed to be secure and are not advertized as being secure. Is it any wonder that they are not secure?

Details Missing From The Report

[Booomstik]

I am wondering if these devices are only vulnerable if you have them connected to the internet directly (no firewall) or if you enable some kind of "remote access/remote file access" service on the devices. Some more information would be handy.

Re:

[Retired ICS]

The vulnerabilities are all in the "Administrative Web Interface". So yes, if you expose that to the Internet, you have a problem. If you do not expose it to the Internet but let a hacker into your house you have a problem. However, if you do not let "malicious third-parties" access the Web Interface there is no problem.

Just like hanging drapes on the bedroom windows even though they are supposed to be made of one way glass that prevents the photographer over the road from taking pictures and publishing

Re:

[amorsen]

However, if you do not let "malicious third-parties" access the Web Interface there is no problem.

Any website you visit can conveniently use your browser to send the malicious query to the device webserver. No direct exposure to the Internet required.

This misunderstanding is one of the reasons why vendors do not care about fixing their vulnerabilities.

Strange

[rainer_d]

Neither pfSense nor FreeNAS listed. But I guess itâ(TM)s not rocket-science after all.

Name Fucking Names!

[mabu]

How goddam difficult is it to list all of the devices that have shown to be compromised? What good is an article that doesn't lay out the details?

Re:

[_merlin]

I didn't RTFA, but you clearly didn't RTFS. TFS contains a link to an image containing a table of devices and what they were vulnerable to [helpnetsecurity.com] and a list of the six that could be remotely exploited: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.

Re:

[sanf780]

And it looks like it is being reported that only Synology NAS is not vulnerable to what has been tested. Not sure what that tells me.

Re:

[PsychoSlashDot]

And it looks like it is being reported that only Synology NAS is not vulnerable to what has been tested. Not sure what that tells me.

It tells you that a bunch of specific devices were tested and found to be vulnerable. Except one. There's no broader trend or meta-information to be derived. If you have one of the impacted devices, you're (potentially) vulnerable since it's the admin interface that's tested, and that may or may not be exposed to the WAN.

Re:

[mysidia]

I think it means with the other devices you would be at a risk, and with the Synology you would probably be safe --- Unless you set the admin password to a crackable one such as passw0rd Or turn on the wrong service and expose that service to the WAN

Re:

[mysidia]

Its validating my personal choice of Synology's hardware (IMO), for sure. Of course: I STILL consider it important to keep the Synology firmware up-to-date and Not expose the Synology's IP address to the WAN ---- Its a combination of BOTH restricting and isolating access to devices AND having robust devices AND using strong carefully kept secret authorized user credentials that helps protect systems from being compromised.
But I feel pretty happy that there's been some attempt to attack their stack, a