July 25, 2017 | By Yacin Nadji
On Saturday, July 29, details of numerous vulnerabilities found in consumer wireless gateways and set-top boxes will be revealed at DEF CON 2017 in Las Vegas. What began as a search by Bastille Networks and Web Sight Io for a method to derive default keys for wireless routers resulted in 26 Common Vulnerabilities and Exposures (CVE) entries. Many of them are critical: for example, remote root code execution and arbitrary file reads, both exploitable from the Internet, as well as generating in advance lists of hidden Wi-Fi SSIDs and passphrases based solely on the devices' geographic region. Many target the Reference Design Kit (RDK) platform, an open-source framework for customer-premises equipment (CPE) such as wireless gateways and set-top boxes. This suggests that many vendors are vulnerable, putting millions of ISP customers at risk.
IISP Analyst Yacin Nadji: "I was always leery of the combination router/modem devices rented out by ISPs due to frugality and distrust (I'll keep my $9/month—thank you very much) and was worried about security issues. While the technical details are interesting, I was more interested in the implications of the findings with respect to software homogeneity, and a sensitive patch cycle that no doubt plagues RDK developers.
First, while consolidating the software systems for wireless gateways and set-top boxes has practical benefits (e.g., it eases development, deployment, and the creation of new features), a downside is the sheer size of the vulnerable population if something were to go awry – as in our current situation. Hopefully this makes patching those vulnerabilities and updating the devices easier; however, evidence suggests that this proposition will be overwhelming and time-consuming for developers.
Second, the open-source nature of the project has some pluses and minuses. More eyes and more hands get to pass over the code, making it easier for security researchers to find additional flaws. Conversely, public diffs allow would-be miscreants to gain some insight into the vulnerabilities. Worse yet, some vulnerabilities may be described and fixed but not merged into the main source tree, leaving users at risk. This process also requires the vendor to maintain a strict and fast patch cycle: if fixes come quickly but vulnerable users' devices are not updated, attackers are gifted with a window of opportunity for nearly free exploitation. This highlights the procedural barriers that are often overlooked when it comes to security, particularly as ISPs begin to enter the device market with more gusto."
For further reading
- DEF CON talk abstract: https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Newlin
- Recently "closed" vulnerabilities: https://code.rdkcentral.com/r/#/q/status:closed+vulnerability