News has broken that up to 400,000 customers were at risk of critical flaw that could have given an attacker control over their home Wi-Fi network. IT security experts commented below.
Christopher Littlejohns, EMEA Engineer at Synopsys:
“What is not revealed in most of the reporting of this issue is that the vulnerability detected is one of the most common and easily exploited issues in many internet devices; i.e. hard coded credentials for privileged accounts.
“In this particular case, root access – hence the ability to take over the device and use it for many nefarious purposes. These types of issues arise out of poor or absent requirements, secure software development policies, development practises and verification approaches. These days, It is usually quite simple to detect and fix this type of vulnerability during the development stage of the software, typically using human code reviews and automated solutions such as Static Analysis (SAST).
“Unfortunately product developers have a great deal to do to apply the best practices both the development of new products, but also detecting legacy product issues which have their origin in code that may have been developed many years ago. There is clearly a vast amount of vulnerable software in legacy products created well before the current level of criminality targeting connected devices. It will take many years for organisations to pay off this debt, in fact it is more likely that the devices become obsolete and are discarded than the security holes in them are fixed during their useful lifetime.”
James Brown, Global Vice President, Technology Solutions at Alert Logic:
“The home router; the backdoor someone else left open… This has been an issue before, and this will not be the last time. Any form of widely distributed device or software is likely to be a target for hackers. It allows them to target the maximum number of people with the minimum amount of work. In this case, it has created an open backdoor in a large number of households, allowing the attackers to eavesdrop on the network. That could be your credit card details as you shop online, your banking credentials as you check your account or even access to your company data if you are working from home.”