Researchers have discovered that 31 models of the Netgear home router contain critical flaws that make them vulnerable to hackers. These latest vulnerabilities come only months after “Command Injection” based flaws were found in Netgear devices last year. IT security experts from the prpl Foundation and Lastline and Rapid7 commented below.
Art Swift, President at the Prpl Foundation:
“Unfortunately the vast majority of manufacturers focus solely on time to market with security as an afterthought. Good security is at least half about good management of the product, yet the consumer technology industry prioritises the user experience over everything else. Regulators must understand this and so should impose a bare minimum standard for security updates – forcing manufacturers to administer these, so devices are not left unpatched for too long. If there is this shift of responsibility from the end user to the vendor, it demands a secure infrastructure extended into the device itself, for instance:
- Secure boot – ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. It needs to match on the other side with a public key or certificate which is hard-coded into the device, anchoring the “Root of Trust” into the hardware to make it tamper-proof.
- Hardware virtualisation – this enables separation of each software element, where a system can be designed that keeps critical components in secure isolation from the rest and prevents lateral movement. This can allow consumers to enhance and modify their products whilst crucially allowing regulators to prohibit and lock down modification of any function deemed ‘too dangerous’.
“The not-for-profit prpl Foundation has created the Security Guidance for Critical Areas of Embedded Computing, a peer-reviewed and actionable framework that brings into focus three areas to make IoT more secure: using open source, forging a root of trust in hardware and security by separation using hardware virtualisation. Interoperable, open standards are the key requirement for developers in order to improve IoT security even in the smallest of connected devices – it will help reduce that complexity by effectively outsourcing the trickiest work to the subject matter experts. Using this framework, developers can ensure they are layering security appropriately to make it more difficult for hackers to exploit of all of these devices. It’s about awareness and education and letting developers know that there is a better way that won’t impact negatively on design or innovation.”
Brian Laing, VP at Lastline:
“There are a number of tools developers can run on their code in development that will find some security issues in the code itself. Many vulnerabilities, for example, are caused by poor checking of input values. There are tools that can find these types of issues. Developers can also assume the worse intentions and bombard their solution with information they would not normally expect and in ways they would not normally expect. This will allow them to uncover vulnerabilities they may not have found otherwise.
“The best defence is to use the router and settings, like disabling remote management, to protect the router. Commercial grade routers often need to be remotely administered. In those situations connection rules are used to limit access to only a few specific IP addresses. There are a number of different best practices guides for configuring routers to help prevent attacks. These should be followed, there are even vendor specific ones that cover features vendors may have specifically to prevent attack.”
Tod Beardsley, Senior Research Manager at Rapid7: