Researchers Discover 125 Vulnerabilities In Popular Routers And IoT Devices
Independent Security Evaluators (ISE) researchers started their investigation in 2013. Their first round of research focused on NAS devices and routers that were intended for home office use. Their second round, titled “SOHOpelessly Broken 2.0,” assessed security vulnerabilities in a wide range of devices. They chose 13 devices that “ranged from devices designed for general consumers to high-end devices designed for enterprise use.” They tested the following devices:
- Buffalo TeraStation TS5600D1206
- Synology DS218j
- TerraMaster F2-420
- ZyXEL NSA325 v2
- Drobo 5N2
- Asustor AS-602T
- Seagate STCR3000101
- QNAP TS-870
- Lenovo ix4-300d
- ASUS RT-AC3200
- Netgear Nighthawk X10 R9000
- TOTOLINK A3002RU
- Xiaomi Mi Router 3
* The issues researchers reported to Synology (Session Fixation and the ability to Query Existence of Arbitrary Files) were included in this table.
** Though the Drobo does not include a web application by default, ISE includes vulnerabilities that appear in its optional web application here.
It is also important to note that only a handful of companies have acknowledged the researchers’ findings. Zioncom, Drobo, and Buffalo have not responded to ISE. Thankfully, the other companies have either patched the security issues or are working toward improving them in the future. The researchers also hope that the manufacturers will start performing more rigorous assessments. Many of the vulnerabilities would have been discovered with some basic testing or through more fully developed bug bounty programs.
D-Link was recently sued by the Federal Trade Commission (FTC) over security issues in its routers and IP cameras. The Taiwanese corporation had been accused of leaving its customers vulnerable to attackers. D-Link and the FTC came to a settlement this summer, and D-Link has promised to follow a ten-year security oversight program that will be managed by a third party.