Hackers Use Zero-day To Mass-wipe My Book Live Devices

<p>This is a particularly interesting case because we don’t often see widespread zero-day attacks like this and there is no clear motivation for the attacks. As far as I know, targets were indiscriminate and did not focus on a particular region or userbase. The attacks may have been someone’s attempt to draw attention to poor IoT security practices or it may have just been someone in it ‘for the lulz’. It’s possible that we’ll never know who was behind this campaign or why.</p> <p>&nbsp;</p> <p>The vulnerability itself is also interesting. This was enabled by an authentication bypass in the factory reset functionality, but a review of that script shows that the authentication handling code had been commented out. I suspect the product once enforced password authentication before reset but that this may have led to a usability issue such that the vendor made the conscious decision to disable password verification on this script. A researcher reviewing the firmware can then find this oversight, recreate the appropriate request, and trigger a factory reset without a password. The fact that a vendor would intentionally ship code like this on a product which is regularly exposed to the Internet is alarming.</p> <p>&nbsp;</p> <p>It is unfortunately very common to find that vendors take shortcuts with respect to authorization and authentication on embedded devices in order to simplify the user experience. Without serious third-party scrutiny, it is nearly impossible for the average consumer to get a sense of whether any given product has been designed securely. When buying IoT gadgets, consumers must consider the consequences of an attack against this system and use this to inform their behavior. Having your own “cloud storage” device is great, but if disclosure or destruction of this data would be devastating, it is critical that the system be secure.</p>