Professional Connected Devices Are Not a Security Staple
Consumers often use business-grade electronics in their homes. Such products often offer features closer to what home users need, including more flexible configuration, increased reliability and security.
These electronics are built for intense use and offer a more complex set of options but, when it comes to security, they can be as vulnerable as consumer products.
In early February, a grey-hat hacker under the Twitter moniker Stackoverflowin (https://twitter.com/lmaostack) ran an automated attack against printers from multiple brands (Brother, Canon, Epson, HP, Lexmark, Samsung, Konica Minolta). The hacker used a script that scanned for printers with the ports for the Internet Printing Protocol (IPP), the Line Printer Daemon (LPD) and port 9100 open to remote connections.
Allegedly, more than 160,000 printing devices around the world started spewing print jobs added by Stackoverflowin. Soon after the attack, social networkers from all over the world shared proof of its success in the form of images showing the unsolicited printouts from the hacker, one of them asking for port 9100 to be closed.
The demonstration was not malicious, luckily, because the attacked printers ran the risk of being enrolled in a botnet or, worse, of being used as an entry point into a protected environment, be it a home or an office. At the time, Stackoverflowin also said a different firmware could have been pushed to the devices because they lacked a signature that verified authenticity.
An independent researcher early this month disclosed a vulnerability in digital video recorders, network video recorders and IP cameras from Chinese maker Dahua. The researcher, going by the name Bashis, labeled the flaw a backdoor because an unauthorized third party could gain control over the devices remotely by accessing a specific URL and downloading the full user database without authentication.
A total of 11 products have received a new firmware that eliminated the vulnerability, but some say the number is much larger. Dahua states that other models may be at risk and updates would be provided, if needed. Bashis has promised to release proof-of-concept exploit code on April 5, so the risk is larger if not all affected products are identified.
Surveillance devices are often exposed by security researchers for their security gaps, and high-end cameras are no exception. Also this month, someone using the alias montecrypto has warned of a backdoor in Hikvision IP cameras. The company has named the glitch a privilege escalation, which fits the researcher’s statement that “one can remotely escalate their privileges from anonymous web surfer to admin.”
Montecrypto gave Hikvision an ultimatum and said that the vulnerability would be disclosed on March 20, but both agreed that more time is needed to fix the problem. Moreover, the company promised to publish the details after the fix.
Both Dahua and Hikvision cameras are considered leaders in the video surveillance industry and, although they cater mainly to businesses, their products are often used in homes. Considering past reports from security researchers, neither company appears to carry out code security audits, but they do seem to take the issues seriously by providing the necessary updates.
On the other hand, choosing a security-conscious vendor does not guarantee the products are safe from tampering. On March 17, three vulnerabilities for Nest Dropcam were revealed (Nest, like Google, is an Alphabet Inc. subsidiary).
None of the flaws is too difficult to exploit, and no patch is currently available, even though they were reported to the company in late October 2016 and validated on November 1. Nest has announced a firmware update, though a release date has not been published.
Home users mostly take routers, wireless access points, switches and network cards for granted in terms of connectivity, reliability and security, but tech-savvy consumers know there is a difference in their design for consumers and for businesses.
Sometimes the same types of vulnerabilities affect all products, and the most recent is the case of products from Ubiquiti, a company producing “high-performance networking technology for service providers and enterprises.” Some Ubiquiti products are also used in homes, specifically to increase wireless range.
On March 16, a flaw was publicly disclosed for PicoStationM2HP, a powerful access point that offers connectivity ranges of up to 500m outdoors and up to 200m indoors. SEC Consult researchers found that authenticated users could inject arbitrary commands with the highest privilege, and one of the reasons was the use of an ancient PHP build.
Remotely, the vulnerability could be exploited through a cross-site request forgery (CSRF) attack, for which there is no protection in the affected Ubiquiti products. CSRF can be easily deployed by sending the target a link that includes commands for the vulnerable device. These methods prey on users who have not logged out of their router sessions and have been used before to change a router’s DNS settings in order to load malicious websites.
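The missing protection described above, sketched as an added example (not Ubiquiti's code or the researchers'): a device admin interface that refuses a settings change unless the request is a same-origin POST carrying a token bound to the logged-in session. The device address, session ID, form fields and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)      # hypothetical per-boot device secret
DEVICE_ORIGIN = "https://192.168.1.20"    # constructed admin UI address

def issue_csrf_token(session_id: str) -> str:
    """Token tied to one admin session; the UI embeds it in every settings form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict) -> bool:
    """True only if Origin (or Referer as fallback) names the device itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False                      # strict: no declared origin, no change
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == DEVICE_ORIGIN

def authorize_change(method: str, headers: dict, session_id: str, form: dict):
    """Decide whether a settings change may run. Returns (allowed, reason)."""
    if method != "POST":
        return False, "state changes must use POST"
    if not session_id:
        return False, "not logged in"
    if not same_origin(headers):
        return False, "cross-origin request"
    expected = issue_csrf_token(session_id)
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def demo():
    sid = "constructed-session-id"        # cookie the browser attaches automatically
    genuine = authorize_change(
        "POST", {"Origin": DEVICE_ORIGIN}, sid,
        {"dns1": "192.0.2.53", "csrf_token": issue_csrf_token(sid)})
    # Request built by another site: the cookie rides along, the token cannot.
    forged_post = authorize_change(
        "POST", {"Origin": "https://other-site.example"}, sid, {"dns1": "203.0.113.9"})
    # Origin matches but the token is absent: still refused.
    no_token = authorize_change("POST", {"Origin": DEVICE_ORIGIN}, sid, {"dns1": "203.0.113.9"})
    # Link-style request: a GET must never change configuration.
    forged_get = authorize_change("GET", {}, sid, {"dns1": "203.0.113.9"})
    return genuine, forged_post, no_token, forged_get
```

Only the first request in `demo()` is allowed; the other three are refused even though the browser still holds a valid session, which is the condition the attack relies on.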
Ubiquiti released a patch on March 21, but the bottom line is that professional equipment can sometimes be open to the same kinds of vulnerabilities as consumer-line products.