125 New Flaws Found In Routers And NAS Devices From Popular Brands

In its latest study titled “SOHOpelessly Broken 2.0,” Independent Security Evaluators (ISE) discovered a total of 125 different security vulnerabilities across 13 small office/home office (SOHO) routers and Network Attached Storage (NAS) devices, likely affecting millions, The Hacker News reported.

Experts Comments

September 18, 2019
Jake Moore
Cybersecurity Specialist
ESET
“You can never be completely water right when it comes to the Internet of Things devices due to the way they are developed. There is always a chance they will host a vulnerability, whilst threat actors are very quick to try to circumvent any security controls or weaknesses. If your employees are working from home, the devices the company provides them with, such as laptops and smartphones, will most likely be the most secure. But their home routers can’t be monitored, nor are they.....Read More
“You can never be completely water right when it comes to the Internet of Things devices due to the way they are developed. There is always a chance they will host a vulnerability, whilst threat actors are very quick to try to circumvent any security controls or weaknesses. If your employees are working from home, the devices the company provides them with, such as laptops and smartphones, will most likely be the most secure. But their home routers can’t be monitored, nor are they supplied by or even known about by the company. This is where a huge vulnerability lies. Exploits in firmware and hardware connectivity are used to hack devices and their functionality, and these are discovered daily. Furthermore, IoT developers are, sadly, still not securing their devices at the production level as they should. To stay most secure it’s imperative to update all internet-connected devices as soon as patches and updates are released. Default device passwords are notoriously weak (although this is slowly changing) so make sure passwords are in place and are all unique and complex. VPN connections should, of course, be on by default, but many smaller companies I’ve seen don’t always comply with this rule because they do not have the luxury of an IT or cybersecurity manager.”  Read Less
September 17, 2019
Craig Young
Principal Security Researcher
Tripwire
Although some are looking at this report and claiming it is an indicator of worsening IoT security, I look at this report and see a big silver lining. The report mentions being able to bypass an important exploit mitigation (ASLR) when attacking an Asus router memory corruption bug. This is noteworthy because until relatively recently, there were shockingly few embedded devices making use of exploit mitigations like address randomization or non-executable stacks. Back in 2014, when I won the.....Read More
Although some are looking at this report and claiming it is an indicator of worsening IoT security, I look at this report and see a big silver lining. The report mentions being able to bypass an important exploit mitigation (ASLR) when attacking an Asus router memory corruption bug. This is noteworthy because until relatively recently, there were shockingly few embedded devices making use of exploit mitigations like address randomization or non-executable stacks. Back in 2014, when I won the first SOHOpelessly Broken contest at DEF CON 22, I don’t recall that any of the devices had any sort of compiler mitigations enabled. In the last two years however, I have started to see a sharp uptick in consumer embedded devices being shipped with more hardening features like ASLR. Although the vendors still have far to come in securing their gear, it is clear that at least some vendors are starting to get the picture of how important security is.  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.