KRACK is Just The Tip of the Wi-Fi Router Security Vulnerability Iceberg

0
109

By Tae Jin “TJ” Kang

By lining homes, offices and industrial sites with wireless sensors and devices, we continue to set the stage for profound changes in productivity, security, and entertainment. Open Source Software (OSS), in its entirety, has prompted the emergence of these devices and applications that have succeeded in driving productivity and lowering costs. In fact, open source is so prevalent that more than 90% of software and firmware contains open source code elements.

While open source drives software development innovation, its accessibility acts as a roadmap for hackers to disrupt, destroy or steal valuable, sometimes personal, information. To prevent such attacks, the open source community does an excellent job of publicizing security vulnerabilities and addressing them through the delivery of update patches.

But one major concern for business and home customers remains – how frequently do OEMs adopt the latest versions of OSS components with patched security vulnerabilities?

One of the most common wireless communications devices is Wi-Fi routers. With the uproar surrounding the Wi-Fi KRACK WPA2 security vulnerability, and the important role wireless plays within both home and industrial settings, we thought it would be interesting to see what known security vulnerabilities still lurk within the firmware of leading Wi-Fi routers, several months after “KRACK’s” unveiling.

Consequently, our team completed a comprehensive binary code scan for known security vulnerabilities in firmware used by the most popular home, small-to-medium sized business (SMB) and enterprise-class Wi-Fi routers. The findings show that while KRACK may be the newest and potentially most harmful WPA2 security vulnerability, the firmware offered by router manufacturers contains numerous known security vulnerabilities that can be exploited by hackers.

The firmware provided for home and business routers is posted on vendors’ websites and well-known, third-party download sites. Our research and development team examined the firmware supplied by the most popular home and enterprise Wi-Fi router manufacturers. We were surprised to find that all of the router firmware contained security vulnerabilities, with some containing quite a few. While KRACK WPA2 is the latest Wi-Fi security vulnerability, it appears to be just the tip of the iceberg, compared to what currently exists in router firmware.

About the Study
During the last two weeks of December 2017, our research & development team scanned 32 pieces of Wi-Fi router firmware offered in the U.S., Europe, and Asia by more than 10 of the most popular home, SMB and enterprise-class Wi-Fi router manufacturers. The Wi-Fi router firmware examined was produced for ASUS, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link.

Following are some of the key findings:

  • The binary scans indicate that the Wi-Fi router firmware sold by the top manufacturers contains versions of open source components with security vulnerabilities
  • Interestingly, most models’ firmware contains “Severity High” and “Severity Middle” security vulnerabilities, meaning that the deployed products and firmware updates remain vulnerable to potential security threats.
  • The examination shows that a majority of the models’ firmware makes use of open source components with more than 10 “Severity High” security vulnerabilities, while 50% of the firmware uses open source components containing “Severity Critical” security vulnerabilities.
  • The firmware’ open source components containing “Severity Critical” security vulnerabilities have been identified below. These results indicate a trend among vendors to not make use of the correct, up-to-date versions of these software components.
    o WPA2 (KRACK) – Key reinstallation attack;
    o ffmpeg – Denial of Service (DoS);
    o openssl – Denial of Service (DoS), buffer overflow and remote code execution;
    o Samba – Remote code execution.
  • All of the firmware leverage busybox and samba by default, with more than 60% of which use OpenSSL.
  • Significant security issues arise from OpenSSL, which should prompt vendors to consistently apply the latest patches or use the version of the software that contains the fix.
  • This study demonstrates that much of the firmware does not utilize the correct, most up-to-date versions of the OSS components available.

The open source community has created new versions of the components to address all of the previously listed security vulnerabilities. Vendors can employ these versions to prevent data breaches and subsequent litigation that can cause significant corporate losses. Interestingly, during discussions with various vendors, we encountered one manufacturer who expressed a preference in manually applying patches, line by line.

Though this ad hoc approach to addressing vulnerabilities may be used by others, it appears to be the exception, rather than the rule. Additionally, while this method may work, it is still recommended that firmware developers scan their binaries to ensure that they catch and address all known security vulnerabilities.

The findings suggest two possibilities for the failure to use the correct component version by Wi-Fi router vendors. Either the home, SMB and enterprise-class router vendors do not consider these vulnerabilities worth addressing, or they do not use a system that accurately finds and reports known security vulnerabilities in their firmware.

We strongly believe in the evergrowing power and potential of wireless devices and applications. However, if Wi-Fi router vendors are unable to employ the latest, vulnerability-free OSS versions in their firmware, the possibility of data theft and business disruption can be significantly debilitating. We encourage all wireless device and application vendors to redouble their energies to patch known security vulnerabilities. We also recommend that consumers, businesses and security MSPs to download and install these patches in a timely manner.

About the Author
Tae Jin “TJ” Kang is a technology industry executive and entrepreneur. He is the president and CEO of Insignary. In addition to founding a number successful technology startups, Mr. Kang has held senior management positions with global technology leaders that include Korea Telecom and
Samsung Electronics, among others. Mr. Kang can be reached online at tjkang@insignary.com and at our company website www.insignary.com