Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a word from our sponsor, Juniper Networks. Join Juniper at NXTWORK 2019 to learn, share, and collaborate with game changers from companies across the networking industry. This year's event features keynotes from Juniper executives, as well as special guest speaker Earvin "Magic" Johnson, along with over forty breakouts and master classes led by distinguished engineers, as well as various opportunities for certification testing and training. Visit juniper.net/nxtwork for more information. That's juniper.net/nxtwork. And we thank Juniper for sponsoring our show.
Dave Bittner: [00:01:09] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Shaun Mirani: [00:01:49] SOHOpelessly Broken 1.0 was actually conducted in 2013.
Dave Bittner: [00:01:53] That's Shaun Mirani. He's a security analyst at Independent Security Evaluators. The research we're discussing today is titled SOHOpelessly Broken 2.0.
Shaun Mirani: [00:02:03] And we looked at a few of the same devices that this research initiative covered, a smaller selection. And we found and published, I believe, fifty-two vulnerabilities across those devices, many of which allowed remote compromise of the devices. Now, these were all small office, home office embedded devices such as routers, Network Attached Storage devices or NAS's. And we kind of picked up where we left off in 2013 in 2018 with SOHOpelessly Broken 2.0. And this time around we broadened our scope – we looked at more devices. And what we found is that a lot of the security controls that manufacturers had been implementing in the five years between those two research initiatives were not sufficient to prevent remote compromise in a similar manner that we saw in 2013.
Dave Bittner: [00:02:50] Well, before we dig into the most recent research, to continue with the background from what you discovered in 2013 – so, the initial effort there was to look into these IoT devices and see where the vulnerabilities might be?
Shaun Mirani: [00:03:02] Yes, that's correct.
Dave Bittner: [00:03:03] And, as you say, you discovered fifty-two CVEs back then.
Shaun Mirani: [00:03:07] Yes.
Dave Bittner: [00:03:07] So, based on that, you decided it was time for a refresh. What was the methodology as you approached this round of research?
Shaun Mirani: [00:03:15] There were a couple of phases. We had to determine which devices to look at, first and foremost. And we went with popular consumer-grade devices that people were actually using and would probably care about if there were vulnerabilities in them. So once we acquired those devices, our methodology began with scanning, looking for network services that were running on them, and mapping out the exposed attack surface within the web application, because most of them feature administrative web applications by default.
Dave Bittner: [00:03:42] Hmm.
Shaun Mirani: [00:03:42] And so, that goes hand-in-hand with looking at the firmware, because most of these device manufacturers make their firmware publicly available, either on their websites or through some other means. You can essentially download the firmware, extract it, and look at the entire file system that's going to be loaded onto the device. And that includes the programs that are going to be running. So that's the sort of reconnaissance, information gathering, and scanning phase.
Shaun Mirani: [00:04:08] After that, we did hands-on testing. That involved manually poking at the web applications and the network services that were exposed by default in order to identify any weaknesses, any potential signs of vulnerabilities that we could later go back to and write up and disclose.
Dave Bittner: [00:04:25] Well, let's go through a few of these devices together and sort of walk me through what you discovered and how you went about discovering it, and also what the implications are. Are there any of the devices that stand out to you that you want to start with?
Shaun Mirani: [00:04:37] Among these different devices, we found vulnerabilities across each one of them. Some vulnerability classes were more common than others. In particular, I would like to talk about the TerraMaster F2-420 network-attached device, because that one had quite a few vulnerabilities that we identified. So, what's interesting about the TerraMaster device is their use of encryption to obfuscate the PHP files that were stored in the file system. So, the web application makes use of PHP for server-side dynamically generating pages for handling requests on the backend. And so, in order to hinder reverse engineering attempts, what TerraMaster had done is encrypt each individual PHP file with a static key and an IV of all zeros.
Shaun Mirani: [00:05:21] Once we figured that out by looking at the firmware and identifying the script where all that encryption and decryption processes occurs, we decrypted the PHP files themselves and were able to identify vulnerabilities within those scripts. And that led us to quite a few findings, including command injection, authentication bypasses, cross-site scripting, cross-site request forgery, I believe – very common web application vulnerabilities.
Dave Bittner: [00:05:44] Yeah, so a couple of questions. First of all, what is the TerraMaster device? What is it built to do?
Dave Bittner: [00:05:50] It's a network-attached storage device, so it allows users to manage files and it has additional applications for accessing those files, like photo applications. It also features a web application where you can administer the device.
Dave Bittner: [00:06:01] So, what you discovered then – again, from my understanding – is that with the encryption they were doing on these files, they had basically hardcoded the key in the firmware. Is that right?
Shaun Mirani: [00:06:12] Exactly.
Dave Bittner: [00:06:13] Not that hard for you to reverse engineer it.
Shaun Mirani: [00:06:15] No. Once we figured out that key, it was fairly trivial to get the command to go back and access all those PHP files in plaintext.
Dave Bittner: [00:06:24] Interesting. And so that uncovered a range of vulnerabilities.
Shaun Mirani: [00:06:28] Yes.
Dave Bittner: [00:06:28] Let's take a look at some of the other devices. What other ones stood out to you?
Shaun Mirani: [00:06:32] The ASUS RT-AC3200 was a SOHO router that was particularly interesting, because it was the only router that had a buffer overflow class of vulnerability that we discovered. So, this was an authenticated buffer overflow, which means you had to have a valid login and password in order to exploit it. However, with authentication bypasses – and we've seen that many of these devices have ways to circumvent authorization authentication – this would be a remotely exploitable remote code execution attack.
Dave Bittner: [00:07:03] Now, were there any devices that came up particularly well? That tested out as not having very many vulnerabilities, if at all?
Shaun Mirani: [00:07:09] We found vulnerabilities in all of the devices. The only one that we were not able to gain remote code execution on in the time that we had was the Synology NAS. So, we did find fewer high-severity security vulnerabilities in the Synology DS218j.
Dave Bittner: [00:07:28] So, when you compare the results that you got back in 2013 with what you found this round, explain to me what the differences were – how far have we come?
Shaun Mirani: [00:07:39] I would say we have not come very far at all. While these manufacturers have made attempts to implement security controls that not only make it harder to reverse engineer the devices, but in some cases are actual legitimate attempts to protect against vulnerability classes, we were still able to exploit, remotely, most of these devices – twelve out of thirteen – and get root shells on them. So, I would say that the progress that these manufacturers have made is insufficient.
Dave Bittner: [00:08:08] Is it the same sorts of things that you discovered back in 2013, or have those things been addressed and there are new ways that you can come at these devices?
Shaun Mirani: [00:08:18] It's essentially the same vulnerabilities. Command injection is very widespread among these.
Dave Bittner: [00:08:24] Where are they coming up short, overall? And do you have any insights on to why they may not be doing a better job? What's keeping them from doing a better job?
Shaun Mirani: [00:08:32] I don't know specifically what's keeping them from doing a better job, or – and whether or not, in fact, they are now taking steps after the fact, after our publication, to improve their security posture. But I think it's a matter of incentive. Until the companies are incentivized to improve security, it's always going to be on the backburner for them – it's not going to be a priority.
Dave Bittner: [00:08:52] Now, you all went through the responsible disclosure process and you got different responses from different companies. What are some of the highlights of what you went through with that part of the process?
Shaun Mirani: [00:09:04] For the most part, the responsible disclosure process went smoothly. When we reported vulnerabilities, most of the manufacturers we talked to would reply in a reasonable amount of time and they would acknowledge our vulnerability reports, and they would fix them. And in some cases, they even asked us to test the mitigations, and we would go ahead and download the new firmware, install it on our devices, and actually see if they fixed the vulnerabilities we reported.
Shaun Mirani: [00:09:28] Now, a couple of the manufacturers we had some communication problems with, which led to some prolonged difficulties for us in the disclosure process. Notably, one of them was Netgear. When we reported these vulnerabilities to Netgear – so, they have a bug bounty program via Bugcrowd. When we initially reported the vulnerabilities, it took them several months – I believe five months – for them to even acknowledge and get back to us and start triaging the vulnerabilities we'd reported, let alone fixing and awarding payouts, as is part of the program.
Shaun Mirani: [00:10:03] And Netgear was also a CVE Numbering Authority – a CNA – so they're responsible for issuing the identifiers for the vulnerabilities that are used in CVE descriptions. And when we asked Netgear to provide us with CVEs for the issues we identified, it took them three months to get back to us, and they said they were no longer issuing CVEs. So we had to reach out to MITRE, who then was not aware that Netgear was no longer issuing CVEs. And there were some back and forth, and eventually we ended up getting the CVEs we needed from MITRE instead of Netgear, who was supposed to be the original issuer.
Dave Bittner: [00:10:40] So initially, you had several months of just radio silence from them?
Shaun Mirani: [00:10:44] Essentially, yeah.
Dave Bittner: [00:10:45] Yeah. Wow. What are your recommendations here? I want to come at this from two different directions – first of all, from the device manufacturers, which should they be doing to protect their devices from the things that you discovered?
Shaun Mirani: [00:10:58] There are known mitigations to all of these vulnerabilities. Like, these issues have been around for a very long time. It's not like these are new and novel attacks. We did research with existing vulnerabilities – with lots of research done on them – in mind, and we found them. And it was just a matter of the manufacturers not implementing proper security controls. So, all I can say in terms of resolving these vulnerabilities – preventing them in the future – is, you know, follow best practices, because there's really no magic solution to preventing these vulnerabilities. It's just a matter of being on top of it.
Dave Bittner: [00:11:35] And what about from the consumer side of things? If I'm out there buying these sorts of things, how can I protect myself?
Shaun Mirani: [00:11:41] I would say first and foremost, turn off remote management. Like, do not allow your NAS or your router to be accessed from the WAN. Don't let people on the public internet try to connect to your web application and make login attempts, because we've uncovered a lot of issues that are pre-authentication that could compromise your device. So that's a big one.
Shaun Mirani: [00:12:02] Also, keep your device up-to-date, of course. I know that's said a lot, and it's easier said than done. Some of the devices make it somewhat easier by offering semi-automatic updates, especially nowadays that's more common. But yeah, pay attention to when firmware upgrades are available so that you don't become susceptible to published exploits out there.
Dave Bittner: [00:12:21] It's really interesting to me because, you know, you've got this multi-year gap between the work that you did back in 2013 and this year's research, and you would hope that we would have seen more progress – you would think that if I had gone through the process of saying, okay, I've got this router or I've got this NAS, and it's over five years old, maybe it's time to update it, and I assume that the security is going to be better on it – I think it's a little discouraging that's likely not the case.
Shaun Mirani: [00:12:51] It's extremely discouraging, and it's a pretty sad state of affairs. But like I said, until the companies are incentivized to actually make security a priority, I don't foresee things changing anytime soon.
Dave Bittner: [00:13:00] We're talking about incentives and how companies aren't properly incentivized to make these sort of changes. What do you think the proper incentives would be? Do we need some sort of regulations or standards? How do you think we could come at it from that direction?
Shaun Mirani: [00:13:17] I don't really know if I'm well-informed enough to comment on that.
Dave Bittner: [00:13:21] Yeah.
Shaun Mirani: [00:13:21] I know there have been some pushes for regulations, especially in the past few years. I don't know enough about it, frankly.
Dave Bittner: [00:13:28] Okay, fair enough.
Shaun Mirani: [00:13:29] I think a lot of it's going to have to come from consumers themselves. Perhaps with research like this, more outreach to the community – especially to the information security community – that consumers are going to start to care and exert pressure on these companies to improve their security. So that's one viable way.
Dave Bittner: [00:13:44] I'm curious, when these devices come out of the box, could they be made safer by having their default settings be different from what they are?
Shaun Mirani: [00:13:55] Yes, because a lot of the times the default settings are such that it's most convenient for the user. Like, certain network services that may not be the most secure, but are definitely convenient for the customer, are enabled by default. So, if those were disabled instead, then the device as a whole might be more secure.
Dave Bittner: [00:14:18] Our thanks to Shaun Mirani from Independent Security Evaluators for joining us. The research is titled SOHOpelessly Broken 2.0. We'll have a link in the show notes.
Dave Bittner: [00:14:29] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:14:38] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:14:47] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.