IoT Cloud Cracked by 'Open Sesame' Over-the-Air Attack

Internet of Things (IoT) vendor Ruijie Networks has shored up its Reyee cloud management platform against 10 newly discovered vulnerabilities that could have given adversaries control of thousands of connected devices in a single cyberattack.

The Fuzhou, China-based infrastructure maker's Ruijie Networks devices, are commonly used to provide free Wi-Fi in public settings like airports, schools, shopping malls, and governments across more than 90 countries.

A pair of researchers from Claroty Team82 have developed an attack they named "Open Sesame" that they used to successfully take control of Rujie Networks devices through its cloud-based Web management portal for remote monitoring and configuration.

"The Ruijie Reyee cloud platform lets admins remotely manage their access points and routers," researchers Noam Moshe and Tomer Goldschmidt explained in a statement. "By exploiting these vulnerabilities, attackers could access these devices and the internal networks to which they connect. Our research found tens of thousands of potentially affected devices worldwide."

Moshe and Goldschmidt presented their findings in a presentation titled "The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices" at Black Hat Europe 2024 this week.

Of the 10 CVEs outlined by a new Claroty Team82 report, all of which have been patched by Ruijee, three received CVSS scores of 9 or higher: CVE-2024-47547, a weak password recovery bug with a CVSS score of 9.4; CVE-2024-48874, a server-side request forgery vulnerability with a CVSS score of 9.8; and CVE-2024-52324, flagged as a "use of inherently dangerous function," also with a 9.8 CVSS score.

"The most serious vulnerability we discovered was the vulnerability allowing devices to impersonate the Ruijie cloud platform, sending commands to other devices," the Clarity researchers said.

The collection of bugs allowed remote code execution (RCE) on devices connected to the Ruijie cloud platform, they explained.

"An attacker would be able to exploit weak authentication mechanisms to generate valid device credentials," the research team commented. "After authenticating as a device, we discovered that the attacker could impersonate the Ruijie cloud platform and send malicious payloads to other devices in its stead, gaining full control through legitimate cloud functionality."

Open Sesame Attack

As spectacular as taking over 50,000-plus IoT devices at one time would be, the Claroty researchers suspect that not many adversaries want that kind of attention. Instead, they predicted, threat actors armed with these bugs would take a more low-profile approach, taking over specific devices in distinct locations.

"Exploiting this vulnerability at scale could alert the vendor, who would issue a fix to the vulnerabilities needed for this exploit," according to a blog post detailing Claroty's findings. "In addition, many attackers would simply not gain anything by mass-exploiting tens of thousands of devices; this is only relevant in the case of an attacker attempting to build a botnet. Instead, most attackers would take a more targeted, stealthy approach."

With this in mind, the Claroty team built the Open Sesame attack scenario, allowing them to execute code on a vulnerable Ruijie device with nothing more than a serial number.

To make it work, an attacker needs close proximity to a Wi-Fi network using Ruijie access points to sniff out the raw beacons sent out by the Wi-Fi network for users to find and connect. That beacon also contains the device's serial number.

"Then, using the vulnerabilities in Ruijie's MQTT communication, an attacker could impersonate the cloud and send a message to the target device (identified by its SN the attacker leaked)," the blog post added. "This will result in the attacker supplying a malicious OS command for the device to execute, resulting in a reverse shell on the attacked Ruijie access point, giving the attacker access to the device internal network."

The researchers went on to explain that they hope this work highlights how the porousness of clouds can become a big vulnerability for IoT networks.

"Team82's research on Ruijie's infrastructure further exposes how vulnerable devices that are insecurely connected to, and managed through, the cloud can be," the report said.