Internet of Things

Experts found 125 new flaws in SOHO routers and NAS devices from multiple vendors

Researchers discovered many flaws in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices.

Security experts have discovered multiple vulnerabilities in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices. The research is part of a project dubbed SOHOpelessly Broken 2.0 conducted Independent Security Evaluators (ISE).

In this phase of the project that started in 2013 (SOHOpelessly Broken 1.0), the researchers assessed the security of 13 SOHO router and NAS devices and found a total of 125 new vulnerabilities. 

“Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries. This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices.” reads the report published by the experts.

“Embedded devices are special-purpose computing systems. These types of systems include industrial controllers, small office/home office (SOHO) routers, network-attached storage devices (NAS), and IP cameras. Internet-connected embedded devices are often placed into a broader category referred to as IoT devices. “

The experts tested SOHO routers and NAS devices from the following vendors:

  • Buffalo
  • Synology
  • TerraMaster
  • Zyxel
  • Drobo
  • ASUS and its subsidiary Asustor
  • Seagate
  • QNAP
  • Lenovo
  • Netgear
  • Xiaomi
  • Zioncom (TOTOLINK)

The experts discovered at least one web application issue in each device they tested vulnerability that could be exploited by a remote attacker to get remote access to the device’s shell or gain access to the device’s administrative panel. 

The experts obtained root shells on 12 of the devices that allowed them to take over the vulnerable systems, 6 flaws can be remotely exploited without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.

The list of flaws discovered by the researchers includes authorization bypass, authentication bypass, buffer overflow, command injection, SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), and file upload path traversal vulnerabilities.

According to the experts, the level of security for IoT devices is slightly improved since SOHOpelessly Broken 1.0, only a limited number of devices were found implementing defense-in-depth mechanisms such as like address-space layout randomization (ASLR), functionalities that hinder reverse engineering, and integrity verification mechanisms for HTTP requests.

“Perhaps more interesting is the amount of approaches that have not changed since SOHOpelessly Broken 1.0. Features such as anti-CSRF tokens and browser security headers, which are commonplace in mainstream web applications, are still rare among our sample of devices.” concludes the report. “These defense-in-depth mechanisms can greatly enhance the security posture of web applications and the underlying systems they interact with. In many cases, our remote exploits wouldn’t have worked if customary web application security practices had been implemented.”

The researchers responsibly disclosed all of the vulnerabilities they discovered to affected vendors, most of them quickly responded and addressed the issues.

Unfortunately, some manufacturers, including Drobo, Buffalo Americas, and Zioncom Holdings, did not respond to report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SOHOpelessly Broken, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Security Affairs newsletter Round 526 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly Security Affairs newsletter has arrived! Every week, the best…

2 hours ago

Two Linux flaws can lead to the disclosure of sensitive data

Qualys warns of two information disclosure flaws in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise…

20 hours ago

Meta stopped covert operations from Iran, China, and Romania spreading propaganda

Meta stopped three covert operations from Iran, China, and Romania using fake accounts to spread…

2 days ago

US Treasury sanctioned the firm Funnull Technology as major cyber scam facilitator

The U.S. sanctioned Funnull Technology and Liu Lizhi for aiding romance scams that caused major…

2 days ago

ConnectWise suffered a cyberattack carried out by a sophisticated nation state actor<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

ConnectWise detected suspicious activity linked to a nation-state actor, impacting a small number of its…

2 days ago

Victoria’s Secret ‘s website offline following a cyberattack

Victoria’s Secret took its website offline after a cyberattack, with experts warning of rising threats…

3 days ago