The Unintended Attack Surface Of The Internet Of Things

Researchers at Vectra Threat Labs recently performed a detailed analysis of vulnerabilities found in a common Belkin wireless repeater. And while a consumer WiFi product may seem like an odd choice for intensive threat research, vulnerabilities in consumer and Internet of Things gear can end up having a much larger impact on enterprise security than you might think.

It’s no surprise that end users are almost always the initial targets of attackers, and vulnerabilities in users’ consumer devices can enable that all-important initial infection. Vulnerabilities in a wireless repeater, like those analyzed by Vectra Threat Labs, provide a natural opportunity to man-in-the-middle a user, and redirect or manipulate user traffic in the process.

Even more important is the fact that consumer technology provides a preview of the types of challenges that enterprises are already beginning to face with the rise of the Internet of Things. Let’s take the Belkin vulnerabilities as a case in point. The vulnerabilities all share a fairly simple coding error in which the code takes input from a user and passes it directly to the operating system.

For example, the system may be expecting user input such as the user’s PIN, but an attacker could input commands to reboot the device, which the system would dutifully execute. It is also important to note that these sorts of vulnerabilities are not rare. The SOHOpelessly Broken contest at DEFCON revealed a variety of vulnerabilities in consumer routers.

In the Belkin case, insecure coding practices are the tip of the iceberg. The bigger issue is the duration of time these vulnerabilities have existed in the wild. The original Belkin firmware was dated June 27, 2012, and the first and only update was dated May 6, of 2015. The vulnerability existed unpatched for just shy of 3 years. In addition, the HP Tipping Point Zero Day Initiative first reported the vulnerabilities to Belkin on November 11, 2014. The coordinated advisory did not occur until July 20 of 2015. This means that there was an 8-month lag between disclosure and the fix.

Unfortunately, this sort of response time is likely to become more common with consumer and IoT devices. For example, a company that sells industrial HVAC equipment decides to add network connectivity to its products to improve manageability of the unit. Since networking is not its core business, the company chooses to outsource the network integration to a third party that may or may not use secure coding practices. Once the project is complete, the code could remain unchanged and effectively unsupported.

Stopping every unknown exploit against a wireless repeater, air conditioner, or any of the thousands of other devices on the market is an impossible task. But as IoT subtly creeps into an organization, the combination of poorly written code and infrequent updates will surely lead to a broader and less manageable attack surface. It’s time for the modern enterprise to take notice.