It was only a matter of time before there was a serious security flaw affecting the Internet of Things (IoT). It comes by way of a vulnerability in NetUSB, which lets devices that are connected over USB to a computer be shared with other machines on a local network. The vulnerability, which could lead to remote code execution or denial of service if exploited, may affect some of the most popular routers in our homes and workplaces.
Details of the vulnerability were released by SEC Consult. According to Forbes, the weakness is somewhat rare, but it works this way:
When a PC or other client connects to NetUSB, it provides a name so it can be recognised as an authorised device. Whilst the authentication process is ‘useless’ as the encryption keys used are easy to extract … it’s also possible for an attacker who has acquired access to the network to force a buffer overflow by providing a name longer than 64 characters.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
And when this happens, continuing with the exploit is relatively easy.
Routers are the backbone of IoT—without them, smart devices don’t have the ability to be smart. In an email conversation with me, Cloudmark Security Research Analyst Andrew Conway called routers the “soft underbelly of the Internet,” adding:
They were never designed to be high security components, and once they are installed, they are typically never updated. Even when vulnerabilities are discovered, a vendor may not patch their firmware, and if they do, the patches are rarely applied. Should a vendor want to notify customers that they need to upgrade their firmware, the company typically has no way of identifying those individuals. Worse still, in many cases an attacker does not even need a vulnerability to gain control of a home router. Individuals and organizations either use the default admin password or create one that is susceptible to dictionary attack.
While this vulnerability isn’t as bad as others we’ve seen recently, it does underscore the fact that our IoT devices are at risk. It is only a matter of time before a serious attack involving routers occurs—especially if manufacturers continue to ignore security as part of the router’s hardware and software design. For now, Conway has provided a few tips to keep your router secure:
- Update to the latest firmware.
- Select a strong administrative password and never use the default password provided.
- Make sure that administrative functions are visible only on an organizations’ internal network.
- Networks of compromised home routers are used by Lizard Squad and others to launch massive DDoS attacks, so small and midsize businesses (SMBs) should use a DDoS prevention service to help detect and prevent attacks. Entry level protection can be low cost or even free.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.