The discovery of multiple backdoors and vulnerabilities in FibreHome routers was announced this week. FibreHome Technologies is a leading equipment vendor and global solution provider in the field of information technology and telecommunications. According to a report published last week, at least 28 backdoor accounts and several other vulnerabilities were found in the firmware of a popular FTTH ONT router.
This is just another example of extremely poor IoT security, similar to how some of the Android BusyBox deployments got hacked in 2016, which later led to a rapid increase in the scale and bandwidth utilised during DDoS attacks.

Previously, this was referred to as a misconfigured admin panel, while now it’s described as a backdoor. The root cause appears to be nearly the same: default credentials on an unspecified port. Should these devices have this capability, who has access, and why do they require access, are questions that need to be asked. This is especially important with the increase in remote working, as organisations may provide a secure laptop for remote work, but a poorly secured router would undermine such controls.

I would be concerned that these implementations would breach some of the laws that have recently been suggested in some jurisdictions, notably the UK’s recent laws which directly target poor implementations of devices such as the below example, with Digital Minister Matt Warman stating “It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.” It should be mandated by legislation, or the provision of a quality “Kitemark”, to signify that a device has satisfied the minimum security requirements in order to be rolled out for IoT.
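Backdoor accounts baked into firmware, as reported for these routers, and the default-credentials root cause mentioned above can be checked for directly once a firmware image's root filesystem has been extracted. The following Python script is an added example, not code from the report, from FibreHome or from either commentator; it runs over constructed /etc/passwd and /etc/shadow contents (hypothetical entries, not real firmware data) and lists every account that can still authenticate, flagging empty passwords and UID-0 accounts other than root.

```python
# Constructed sample files for the demonstration (hypothetical entries,
# not taken from any real firmware image).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
support:x:0:0:Field support:/:/bin/sh
telnetd:x:100:100::/var/run/telnetd:/bin/false
guest:x:1000:1000::/home/guest:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$CONSTRUCTED_HASH_PLACEHOLDER:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
support:$6$saltsalt$CONSTRUCTED_HASH_PLACEHOLDER:18000:0:99999:7:::
telnetd:!:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""
# Shells that block an interactive login even when a password hash is set.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_colon_file(text):
    """Map the user name (first field) to the remaining fields of each entry."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, *fields = line.split(":")
            entries[name] = fields
    return entries


def audit_accounts(passwd_text, shadow_text):
    """Return {account: [issues]} for every account that can still authenticate;
    locked ('!'/'*') or missing shadow entries and no-login shells are skipped."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = {}
    for name, fields in passwd.items():
        uid, shell = int(fields[1]), fields[5]
        hash_field = (shadow.get(name) or ["!"])[0]  # no shadow entry: treat as locked
        if hash_field.startswith(("!", "*")) or shell in NOLOGIN_SHELLS:
            continue
        issues = ["login_capable"]
        if hash_field == "":
            issues.append("empty_password")  # password-less login
        if uid == 0 and name != "root":
            issues.append("extra_uid0")  # second root-equivalent account
        findings[name] = issues
    return findings
```

Point the two constants at the real files under the extracted rootfs (for example `squashfs-root/etc/passwd` and `squashfs-root/etc/shadow`) to audit an actual image; every account returned should have a documented owner and purpose.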
How severe are these vulnerabilities that have been discovered?

The issues and vulnerabilities discovered here are serious in nature. They are, however, endemic to what we have been seeing in SpiderLabs for a number of years. We blogged in April 2018 about organisations correctly firewalling their IPv4 interfaces but leaving their IPv6 interfaces exposed: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/using-ipv6-to-bypass-security/

What type of information could be leaked from gaining access to these routers?

With the ability to compromise these devices, it is now possible to capture all traffic that traverses this device.

The next steps FibreHome needs to take to ensure the data is protected and the risk is reduced.

To gain any sort of assurance around the use of devices like these, an SDLC (Secure Development Lifecycle) process needs to be created within the development lifecycle. Aligned with a robust SDLC, devices should undergo regular penetration testing to ensure the robustness of the SDLC process.