The Unintended Attack Surface Of The Internet Of Things

How a vulnerability in a common consumer WiFi device is challenging today’s enterprise security.

Oliver Tavakoli, Chief Technology Officer, Vectra AI

September 29, 2015

3 Min Read

Researchers at Vectra Threat Labs recently performed a detailed analysis of vulnerabilities found in a common Belkin wireless repeater. And while a consumer WiFi product may seem like an odd choice for intensive threat research, vulnerabilities in consumer and Internet of Things gear can end up having a much larger impact on enterprise security than you might think.

It’s no surprise that end users are almost always the initial targets of attackers, and vulnerabilities in users’ consumer devices can enable that all-important initial infection. Vulnerabilities in a wireless repeater, like those analyzed by Vectra Threat Labs, provide a natural opportunity to man-in-the-middle a user, and redirect or manipulate user traffic in the process.

Even more important is the fact that consumer technology provides a preview of the types of challenges that enterprises are already beginning to face with the rise of the Internet of Things. Let’s take the Belkin vulnerabilities as a case in point. The vulnerabilities all share a fairly simple coding error in which the code takes input from a user and passes it directly to the operating system.

For example, the system may be expecting user input such as the user’s PIN, but an attacker could input commands to reboot the device, which the system would dutifully execute. It is also important to note that these sorts of vulnerabilities are not rare. The SOHOpelessly Broken contest at DEFCON revealed a variety of vulnerabilities in consumer routers.

In the Belkin case, insecure coding practices are the tip of the iceberg. The bigger issue is the duration of time these vulnerabilities have existed in the wild. The original Belkin firmware was dated June 27, 2012, and the first and only update was dated May 6, of 2015. The vulnerability existed unpatched for just shy of 3 years. In addition, the HP Tipping Point Zero Day Initiative first reported the vulnerabilities to Belkin on November 11, 2014. The coordinated advisory did not occur until July 20 of 2015. This means that there was an 8-month lag between disclosure and the fix.

Unfortunately, this sort of response time is likely to become more common with consumer and IoT devices. For example, a company that sells industrial HVAC equipment decides to add network connectivity to its products to improve manageability of the unit. Since networking is not its core business, the company chooses to outsource the network integration to a third party that may or may not use secure coding practices. Once the project is complete, the code could remain unchanged and effectively unsupported.

Stopping every unknown exploit against a wireless repeater, air conditioner, or any of the thousands of other devices on the market is an impossible task. But as IoT subtly creeps into an organization, the combination of poorly written code and infrequent updates will surely lead to a broader and less manageable attack surface. It’s time for the modern enterprise to take notice. 

About the Author(s)

Oliver Tavakoli

Chief Technology Officer, Vectra AI

Oliver Tavakoli is chief technology officer at Vectra AI. Oliver is a technologist who has alternated between working for large and small companies throughout his 25-year career — he is clearly doing the latter right now. Prior to joining Vectra, Oliver spent more than seven years at Juniper as chief technical officer for the security business. Oliver joined Juniper as a result of its acquisition of Funk Software, where he was CTO and better known as developer #1 for Steel-Belted Radius. Prior to joining Funk Software, Oliver co-founded Trilogy Inc. and prior to that, he did stints at Novell, Fluent Machines, and IBM. Oliver received an MS in mathematics and a BA in mathematics and computer science from the University of Tennessee.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights