Researchers found 125 vulnerabilities in 13 models of routers and NAS

Independent Security Evaluators researchers have discovered 125 different vulnerabilities in 13 models of routers and network attached storage (NAS).

[dropcap]Many[/dropcap] of them can be exploited remotely by an unauthorized attacker.

“We show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries. This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices”, — say Security Evaluators specialists.

Vulnerabilities affect the following SOHO (small office/home office) routers and network attached storage devices (NAS): Buffalo TeraStation TS5600D1206, Synology DS218j, ASUS RT-AC3200, Netgear Nighthawk R9000, TerraMaster F2-420, Drobo 5N2, Zyxel NSA325 v2, TOTOLINK A3002RU, Asustor AS-602T, Seagate STCR3000101, QNAP TS-870, Mi Router 3 and Lenovo ix4-300d.

The list of vulnerable products includes both devices for consumers and high-performance equipment for corporate use.

“Despite the increased attention to security claimed by device manufacturers, these IoT devices do not have sufficient security controls to prevent remote exploitation”, — claim Security Evaluators experts.

According to the researchers, all 13 tested devices had at least one vulnerability in web applications, such as cross-site scripting (XSS), implementation of operating system commands (OS CMDi), or SQL injection (SQLi), which could be exploited by an attacker to access the shell remotely or device admin panel.

Researchers were able to hack into 12 devices, six of which did not even require authorization (Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000 and TOTOLINK A3002RU).

Specialists informed the suppliers of the vulnerabilities discovered and many of them took measures to fix the problems. However, the researchers did not receive a response from Drobo, Buffalo Americas or Zioncom Holdings.

Security Evaluators Recommendations for Consumers and Enterprise Users:

When purchasing new IoT equipment, the security of devices should be of importance. Manufacturers with a history of numerous security vulnerabilities should be avoided; likewise, how a manufacturer has handled patching issues and the length of time that devices are supported should also be important considerations.

After devices have been purchased and installed, administrators should harden them by disabling unused features, enabling security controls, if available, and implementing a patching strategy to regularly apply firmware updates. In particular, remote access features should be avoided when possible as they expose the device to adversaries on the Internet, rather than limiting threats to those on an internal network.