May 25, 2015
This week, security researchers found a major vulnerability affecting scores of home and SOHO Wi-Fi router products from over 20 of the biggest names in the market. That such a widespread flaw could go unnoticed and that it went unpatched for so long despite the researchers’ best efforts is a sad reflection on the commercially minded “sales first, security second” attitude of the technology industry and of the gaping holes that exist in the supply chain.
But it also raises questions about whether, instead of focusing on security at the software and network level, we should instead start looking down to build protections into the silicon in order to reduce the attack surface area.
The vulnerability found by SEC Consult affected a software component known as NetUSB. It’s a proprietary technology developed by Taiwanese firm KCodes which allows users to plug peripherals directly into their Linux-based routers so they can be accessed over IP. These peripherals – such as printers, USB flash drives and external hard drives – are made available over the network by a Linux kernel driver which launches a server. This connects to companion software on Windows/OS X to give the user “USB over IP” functionality.
However, to establish the server/client connection, authentication is required. Unfortunately, the client can specify the length of the computer name, and by specifying a name longer than 64 characters a stack buffer overflow is possible. Not only that, but the server code runs at the kernel level – bypassing any security measures that might be in place.
This rare remote kernel stack buffer overflow vulnerability could theoretically enable a denial of service or, worse still, execution of arbitrary code which could allow attackers to completely take over a device.
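The bug class described above, as an added example (this is not the KCodes driver code and not SEC Consult's material): a user-space model in C of a 64-byte stack buffer filled using a client-declared length, beside the bounds check that prevents it. The one-byte length prefix, the 'A'-filled names and the guard value are assumptions made for the demo; the real NetUSB wire format is not on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64                 /* fixed name buffer, the size the page gives */
#define GUARD_VALUE 0xDEADBEEFu     /* stands in for a stack canary / saved return address */

/* Simulated stack frame: the name buffer followed by the data that sits
 * above it. Laying both out in one struct keeps the overflow demo within
 * defined behaviour while still showing adjacent data being clobbered. */
struct frame {
    char name[NAME_BUF];
    uint32_t guard;
};

/* Assumed wire format for this example (not the real NetUSB layout):
 * one byte holding the declared name length, then the name bytes. */

/* Vulnerable pattern: the client-supplied length is trusted and used for the
 * copy. Returns the guard value after the copy so the caller can see whether
 * it survived. The cap at sizeof(struct frame) exists only to keep this demo
 * defined; the unchecked kernel code described on the page had no such cap. */
uint32_t vulnerable_read_name(const uint8_t *msg, size_t msg_len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.guard = GUARD_VALUE;
    if (msg_len < 1)
        return f.guard;
    size_t len = msg[0];
    if (len > msg_len - 1)
        len = msg_len - 1;              /* do not read past the received bytes */
    if (len > sizeof f)
        len = sizeof f;                 /* demo-only cap */
    memcpy(&f, msg + 1, len);           /* BUG: len is never checked against NAME_BUF */
    return f.guard;
}

/* Hardened version: refuse any name that would not fit with its terminating
 * NUL, and never believe a declared length larger than the bytes received. */
int hardened_read_name(const uint8_t *msg, size_t msg_len,
                       char *out, size_t out_size)
{
    if (msg_len < 1 || out_size == 0)
        return -1;
    size_t len = msg[0];
    if (len >= out_size)
        return -1;                      /* would overflow, or leave no room for NUL */
    if (len > msg_len - 1)
        return -1;                      /* declared length exceeds payload actually present */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return 0;
}

/* Build a constructed message whose name is name_len bytes of 'A'.
 * Returns the message length, or 0 if it cannot be built. */
size_t build_message(uint8_t *buf, size_t buf_size, size_t name_len)
{
    if (name_len > 255 || name_len + 1 > buf_size)
        return 0;
    buf[0] = (uint8_t)name_len;
    memset(buf + 1, 'A', name_len);
    return name_len + 1;
}

/* Scenario helpers: feed a constructed message of the given name length to
 * each parser. */
uint32_t guard_after_vulnerable(size_t name_len)
{
    uint8_t msg[256];
    size_t n = build_message(msg, sizeof msg, name_len);
    return vulnerable_read_name(msg, n);
}

int hardened_result(size_t name_len)
{
    uint8_t msg[256];
    char name[NAME_BUF];
    size_t n = build_message(msg, sizeof msg, name_len);
    return hardened_read_name(msg, n, name, sizeof name);
}

/* A constructed message that declares 50 name bytes but carries only one. */
int hardened_result_short_payload(void)
{
    uint8_t msg[2] = { 50, 'A' };
    char name[NAME_BUF];
    return hardened_read_name(msg, sizeof msg, name, sizeof name);
}

int main(void)
{
    printf("guard after 63-byte name (vulnerable):  0x%08x\n", guard_after_vulnerable(63));
    printf("guard after 100-byte name (vulnerable): 0x%08x\n", guard_after_vulnerable(100));
    printf("hardened, 63-byte name:  %d\n", hardened_result(63));
    printf("hardened, 100-byte name: %d\n", hardened_result(100));
    printf("hardened, short payload: %d\n", hardened_result_short_payload());
    return 0;
}
```

With a 63-byte name both versions behave; with a 100-byte name the unchecked copy overwrites the guard (0xDEADBEEF becomes 0x41414141, the bytes of the name), which is exactly the adjacent-data corruption that turns into denial of service or code execution in a real kernel frame, while the hardened parser rejects the message before touching the buffer. The check also rejects a message whose declared length exceeds what was received, a second trust-the-client error that the same pattern tends to carry.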
Why should we care?
Aside from marveling at the fact that buffer overflows are still occurring years after the industry was meant to have fixed them, corporate IT managers might well be thinking “so what?”. Well, it’s potentially a big deal for the corporate world too. Targeted attackers today are after corporate data – we all know that. But one of the easiest ways to get into systems is by compromising staff usernames and passwords. These days it is very common for employees to occasionally connect from home and then log in to corporate systems. Compromise the home network, and hackers could well find themselves with the keys to the corporate accounts.
Such tactics are now commonplace amongst cybercriminals and contributed to a huge increase in the number of data breaches from 2013 to 2014. According to the Verizon 2015 Data Breach Investigations Report, 95% of these corporate incidents involve credentials stolen from users’ devices.
Time to change
This incident has been repeated countless times before and doubtless it will happen numerous times in the future. Why? Because products are rushed out with flaws in them, components are reused across the supply chain with little attempt to check their provenance, and vendors too often ignore researchers when they alert them to serious security holes.
It’s almost unthinkable that a developer today could have designed a product with a buffer overflow flaw in it. To overlook an element like the length of the computer name is so basic it’s almost laughable. But it’s not just KCodes that’s to blame. This vulnerability is symptomatic of an industry where components are used and reused across the supply chain, with little or no due diligence applied as to their quality. It’s like a chef cooking without checking the provenance of his ingredients. Unless we fundamentally change this behavior, more incidents like this will emerge.
But worst of all perhaps is the response from the vendor community. SEC Consult contacted KCodes back in February with a detailed analysis of the vulnerability including proof of concept exploit code. The research firm was simply ignored. Of the 20+ home router vendors contacted, only TP-LINK had released fixes for its products at the time SEC Consult went public. This is despite the fact that on some devices NetUSB can’t even be disabled. It’s no surprise, then, that according to Verizon 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published.
Vendors must get quicker and smarter about patching. There’s simply too much at stake not to. And even when an update is available it can be a challenging task for a home user to apply it. This means many such devices go unpatched, which in turn exposes enterprises to an elevated risk of breaches.
A new way: hardware-level security
This flaw was unusual but far from unique. Countless pieces of software today are set to run at the root level – which is just about the worst thing you can do from a security perspective. It means all the security checks and balances one would normally put in around roles, privileges and so on simply evaporate – leaving devices completely exposed. It’s yet another reason why today’s security model is broken.
So what do we replace it with? In short, it’s time we started addressing security at the hardware level. We need a new approach which leverages the power of virtualization to create multiple secure ‘domains’. These individual containers can operate completely independently of each other, keeping different operating systems and applications isolated and completely secure – massively reducing each container’s attack surface area. All of this can be achieved with no performance hit thanks to the explosion in the processing power of next generation CPUs, availability of hardware-level virtualization support and pervasive multithreading.
If the NetUSB fiasco has taught us anything it’s that there are multiple points of failure with the current way of doing security – from the faulty code, to supply chain weaknesses and vendor indifference. The future lies with silicon-level security.
Ask yourself: Do you access your corporate email from home? Do you regularly enter any sensitive corporate passwords from laptops or smartphones connected to your home Wi-Fi router? Do you know if your home router is vulnerable to this major flaw? When was the last time you updated the firmware of your home router? Do you even know how to do it?