In its latest study titled “SOHOpelessly Broken 2.0,” Independent Security Evaluators (ISE) discovered a total of 125 different security vulnerabilities across 13 small office/home office (SOHO) routers and Network Attached Storage (NAS) devices, likely affecting millions, The Hacker News reported.
“You can never be completely watertight when it comes to the Internet of Things devices due to the way they are developed. There is always a chance they will host a vulnerability, whilst threat actors are very quick to try to circumvent any security controls or weaknesses.
If your employees are working from home, the devices the company provides them with, such as laptops and smartphones, will most likely be the most secure. But their home routers can’t be monitored, nor are they supplied by or even known about by the company. This is where a huge vulnerability lies.
Exploits in firmware and hardware connectivity are used to hack devices and their functionality, and these are discovered daily. Furthermore, IoT developers are, sadly, still not securing their devices at the production level as they should.
To stay most secure it’s imperative to update all internet-connected devices as soon as patches and updates are released. Default device passwords are notoriously weak (although this is slowly changing) so make sure passwords are in place and are all unique and complex. VPN connections should, of course, be on by default, but many smaller companies I’ve seen don’t always comply with this rule because they do not have the luxury of an IT or cybersecurity manager.”
Although some are looking at this report and claiming it is an indicator of worsening IoT security, I look at this report and see a big silver lining. The report mentions being able to bypass an important exploit mitigation (ASLR) when attacking an Asus router memory corruption bug. This is noteworthy because until relatively recently, there were shockingly few embedded devices making use of exploit mitigations like address randomization or non-executable stacks. Back in 2014, when I won the first SOHOpelessly Broken contest at DEF CON 22, I don’t recall that any of the devices had any sort of compiler mitigations enabled.
In the last two years, however, I have started to see a sharp uptick in consumer embedded devices being shipped with more hardening features like ASLR. Although the vendors still have far to come in securing their gear, it is clear that at least some vendors are starting to get the picture of how important security is.