Interpreting the SOHOpelessly Broken 2.0 Report
Don’t feel bad if you’ve never heard of the SOHOpelessly Broken report put out by Independent Security Evaluators (I.S.E.). It is an interesting enough read that I thought it merited a breakdown into easier-to-digest pieces for our audience of end-users, namely students and professors. This year’s report was researched and authored by Shaun Mirani, Joshua Meyer, Rick Ramgattie, and Ian Sindermann, and published on September 16th, 2019 by I.S.E.i
The original SOHOpelessly Broken report was researched and authored in 2013 by Independent Security Evaluators. Their efforts resulted in more than fifty new entries in the Common Vulnerabilities and Exposures (C.V.E.) database.ii The researchers found these vulnerabilities in the management interfaces and other network-facing services that ship, often unneeded, on small office and home office (SOHO) routers and network attached storage (N.A.S.) devices.
The 2.0 version of the report looked at 13 SOHO routers and N.A.S. devices. From those thirteen products alone, 125 new C.V.E. entries were filed. The researchers concluded that the Internet of Things (IoT) devices they evaluated were not secure enough to prevent them from being used to covertly attack other systems. On twelve of the thirteen devices the researchers obtained what is called a root shell: command-line access as the superuser account, which gives complete control over the system. Six of those twelve could be taken over without the username and password set up during installation, that is, without any authentication at all; those systems were essentially wide open to exploitation.
The thirteen devices were evaluated under the premise that the average end-user would accept most of the default configurations presented during initial setup. For many users the out-of-box experience is limited to completing the steps on the Quick Setup or Quick Reference card included with the device. The methods used to attack and exploit the devices are well known to the security and hacking communities: cross-site scripting (XSS), operating system command injection (OS CMDi), cross-site request forgery (CSRF), SQL injection (SQLi), and domain name system (DNS) rebinding attacks.
The details of these types of attacks aren’t important for this very-high-level overview. It is still worth stating the seemingly obvious: the more individual attacks a device was susceptible to during the research phase, the more likely that device could be hijacked and used for malicious purposes in the real world. Some top players in the small and home office arena are implicated by their best sellers, such as Netgear with its high-end flagship Nighthawk R9000 router and Buffalo Technology with its TeraStation N.A.S. Both products were vulnerable to XSS, OS CMDi, authentication bypass and authorization bypass.
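For readers who want one of the named attack classes made concrete, here is an added illustration of OS command injection, written for this article and not taken from the I.S.E. report or from any vendor's firmware. It models a hypothetical router web "ping" diagnostic page that takes a host name from the user, showing the vulnerable handler beside a hardened one. Two assumptions keep it runnable offline: `echo` stands in for the real `ping` binary, and a POSIX `/bin/sh` is present. The attacker input is constructed for the example.

```python
"""OS command injection (OS CMDi): vulnerable handler beside a hardened one.

Added illustration for this article; not code from the I.S.E. report or any
vendor's firmware. Assumptions: a hypothetical router web diagnostic that runs
a network tool against a user-supplied host name; `echo` stands in for the
real `ping` binary so the example runs offline; a POSIX /bin/sh is present.
"""
import re
import subprocess

# Stand-in for the diagnostic binary a router would invoke (assumption: echo, not ping).
DIAG_TOOL = "echo"


def diag_vulnerable(host: str) -> str:
    """Builds the command by string concatenation and hands it to /bin/sh.

    Because the shell parses the whole string, metacharacters in `host` such
    as ';', '|', '&&', backticks or $(...) start a second, attacker-chosen
    command. On a device whose web server runs as root, that second command
    runs as root too, which is how a web form turns into a root shell.
    """
    cmd = f"{DIAG_TOOL} pinging {host}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Allow-list: must start with a letter or digit, then letters, digits, dots
# and hyphens only. This covers IPv4 addresses and ordinary DNS host names,
# excludes every shell metacharacter, and (by forbidding a leading hyphen)
# also stops the value from being parsed as a command-line option by the tool.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def diag_hardened(host: str) -> str:
    """Validates against the allow-list, then passes the value as a single
    argv element with shell=False, so no shell ever interprets it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    result = subprocess.run([DIAG_TOOL, "pinging", host],
                            capture_output=True, text=True)
    return result.stdout


def hardened_rejects(host: str) -> bool:
    """True if the hardened handler refuses the input; a checking helper."""
    try:
        diag_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    benign = "192.168.1.1"
    # Constructed attacker input: a legitimate host followed by a second command.
    payload = "192.168.1.1; echo INJECTED"

    print("vulnerable, benign :", diag_vulnerable(benign).strip())
    print("vulnerable, payload:", diag_vulnerable(payload).strip())  # second command ran
    print("hardened, benign   :", diag_hardened(benign).strip())
    print("hardened, payload  :", "rejected" if hardened_rejects(payload) else "ran")
```

The two fixes in the hardened version are independent and both matter: the allow-list rejects anything that is not a plausible host name, and passing an argv list with `shell=False` means that even a value the allow-list missed would reach the tool as a literal argument rather than being parsed by a shell.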
Perhaps more important than the discovery of the C.V.E.s themselves is a general disclosure at the end of the report. After discovering these flaws, the researchers did their due diligence in reporting them directly to the manufacturers for remediation and patching. Four companies failed even to acknowledge receipt of the reports: the two mentioned previously, Buffalo Technology and Netgear, plus Drobo, maker of the Drobo 5N2 N.A.S., and Zioncom, maker of the TOTOLINK A3002RU router. The remaining nine of the thirteen companies accepted the bug submissions and worked with the researchers and the security community to patch or mitigate the reported vulnerabilities.
My takeaway from this situation, besides the jump from roughly fifty C.V.E.s in 2013 to 125 in 2019, is that we need more researchers out there testing our day-to-day consumer and business products. Consumer Reports would do well to expand its cybersecurity arm into a meaningful research team.iii Some of the companies affected by these findings offer bug bounties, cash rewards for discovering and responsibly reporting security holes. There is money to be made in verifying the digital safety of the most commonplace Internet-of-Things devices, and in publishing those findings on a regular basis.