Skip to main content

Vulnerabilities Found In Consumer Based Routers And Devices

By September 30, 2019May 16th, 2022Cybersecurity

The SOHOpelessly Broken 2.0 study has been released by Independent Security Evaluators .

The picture it paints of routers and the so-called ‘smart’ devices that make up the rapidly expanding Internet of Things (IoT) is not pretty.

The researchers sum up their findings as follows:

“Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries.  This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices.”

The research team investigated several SOHO routers and NAS devices offered by a range of manufacturers, including:

  • ASUS
  • Asustor (a subsidiary of ASUS)
  • Buffalo
  • Drobo
  • Lenovo
  • Netgear
  • QNAP
  • Seagate
  • Synology
  • TerraMaster
  • Xiaomi
  • Zioncom
  • Zyxel

Sadly, devices from every manufacturer listed above had at least one web app vulnerability that could allow a remote attacker to gain access to the administrative panel of the device in question.  Worse, the researchers reported that they were able to obtain root shells on 12 of the devices, giving them complete control. In six cases, they were able to gain complete control remotely and without authentication.

The most at-risk routers the group tested are the:

  • Asustor AS-602T
  • Buffalo TeraStation TS5600D1206
  • TerraMaster F2-420
  • Drobo 5N2
  • Netgear Nighthawk R9000
  • TOTOLINK (Zioncom) A3002RU

Since the publication of the SOHOpelessly Broken 1.0 report, the research team did say that the general state of security on IoT devices had improved somewhat. That’s a low bar given the sorry state of IoT security to begin with.  While things have no doubt improved, there are still miles to go before IoT security could be called anything approaching robust.

In fact, many of the IoT devices being sold today still lack basic web application features like browser security headers and anti-CSRF tokens.  Until these kinds of issues are addressed, the conclusions fronted by the SOHOpelessly Broken 3.0 report won’t be much better than they are now.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.