It is written by Independent Security Evaluators (ISE). The picture it paints of so-called SOHO-grade router/firewalls (SOHO is short for Small Office Home Office) and the 'smart' devices that make up the rapidly expanding Internet of Things (IoT) is not pretty.
ISE sums up its findings
"Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries. This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices."
The research team investigated several SOHO-grade routers and NAS (Network-Attached Storage) devices offered by a range of manufacturers, including:
- Asustor (a subsidiary of ASUS)
Sadly, devices from every manufacturer listed above had at least one web app vulnerability that could allow a remote attacker to gain access to the administrative panel of the device in question. Worse, the researchers reported that they were able to obtain root shells on 12 of the devices, giving them complete control. In six cases, they were able to gain complete control remotely and without authentication.
The most at-risk firewalls the group tested are
- Asustor AS-602T
- Buffalo TeraStation TS5600D1206
- TerraMaster F2-420
- Drobo 5N2
- Netgear Nighthawk R9000
- TOTOLINK (Zioncom) A3002RU
Since the publication of the SOHOpelessly Broken 1.0 report, the research team did say that the general state of security on IoT devices had improved somewhat. That's a low bar given the sorry state of IoT security, to begin with. While things have no doubt improved, there are still miles to go before IoT security could be called anything approaching robust.
In fact, many of the IoT devices being sold today still lack basic web application features like browser security headers and anti-CSRF tokens. Until these kinds of issues are addressed, the conclusions fronted by the SOHOpelessly Broken 3.0 report won't be much better than they are now.
As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there!"
Meanwhile, check out this report
This free executive report may give you insights into how to build your business with safe IT environments: 10 Hidden IT Risks That Might Threaten Your Business and 1 Easy Way to Find Them
I am Denis Wilson, President and Principal Consultant for DWP Information Architects. I help professionals grow their business by building a foundation of rock-solid information solutions for smaller healthcare, insurance, financial, legal, and nonprofits firms in Ventura County and San Fernando Valley. And have created cost-effective IT solutions, for over 20 years, specializing in cybersecurity and regulatory compliance. I am also a published author and speaker, working extensively with a variety of organizations, as well as providing small business technology education programs through business and professional associations. This just in: I will be speaking regularly at California Lutheran University's Center for Nonprofit Leadership starting in September.
Contact me if you would like me to speak at your association.