Private I: The network vulnerability is coming from inside the house!

There's no doubt that networked resources like printers, scanners, and storage devices have a huge degree of utility. But cheaper and older peripherals don't always have the gumption to connect via Wi-Fi or ethernet. USB is the only option, or at the least, it's far cheaper. Networking USB devices is thus a clever workaround. Apple has supported external access to printers via AirPort Express since 2004, and to storage via its AirPort Extreme and Time Capsule base stations since 2007.

A licensed technology called NetUSB made by a Taiwanese firm has extended the same sort of capability to many millions of routers and other network hubs, including those made by Netgear and Zyxel. Using client software available for OS X and Windows, USB devices can be plugged in and then accessed almost like a shunt--as if the device were plugged locally to the computer--rather than a network-shared item as with Apple.

And researchers at SEC Consult have discovered that the software has a simple, locally exploitable flaw: sending a router or other hardware with NetUSB installed a computer name that's longer than expected. The flaw could allow the networking hardware to be hijacked, which could result in firmware being overwritten with malicious software and the router being used to monitor traffic and distribute malware to susceptible machines on the same network.
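The failure mode described above is the classic one: a receiver trusts a client-supplied length and copies that many bytes into a fixed-size buffer. The following is an added example, not NetUSB code or anything from SEC Consult's report; it assumes a hypothetical wire format (a 4-byte little-endian length field followed by the name bytes) and a 64-byte receive buffer, and shows the bounds checks a hardened parser performs before copying anything. The sample messages in `run_samples` are constructed for the self-check, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire format (hypothetical, for this example only, not NetUSB's):
 * a 4-byte little-endian length field followed by that many name bytes.
 * NAME_MAX is the size of the receiver's fixed buffer. */
#define NAME_MAX 64

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parser. The pattern the article describes uses the length from
 * the message directly as the copy size, so a name longer than the buffer
 * writes past its end. Here every length is compared against both the
 * buffer and the bytes actually received before memcpy runs, and an
 * overlong name is rejected outright rather than silently truncated. */
enum parse_status parse_name(const uint8_t *msg, size_t msg_len,
                             char out[NAME_MAX + 1]) {
    if (msg_len < 4)
        return PARSE_TRUNCATED;         /* no complete length field */
    uint32_t n = read_le32(msg);        /* client-controlled value */
    if (n > NAME_MAX)
        return PARSE_TOO_LONG;          /* would not fit the receive buffer */
    if ((size_t)n > msg_len - 4)
        return PARSE_TRUNCATED;         /* claims more bytes than were sent */
    memcpy(out, msg + 4, n);
    out[n] = '\0';
    return PARSE_OK;
}

/* Constructed sample messages; returns how many behaved as expected (3). */
int run_samples(void) {
    char out[NAME_MAX + 1];
    int passed = 0;

    /* 1: well-formed message carrying a 5-byte name */
    const uint8_t good[] = {5, 0, 0, 0, 'h', 'o', 's', 't', '1'};
    if (parse_name(good, sizeof good, out) == PARSE_OK && strcmp(out, "host1") == 0)
        passed++;

    /* 2: length field far larger than NAME_MAX, the shape of the reported flaw */
    uint8_t big[4 + 200];
    memset(big, 'A', sizeof big);
    big[0] = 200; big[1] = 0; big[2] = 0; big[3] = 0;
    if (parse_name(big, sizeof big, out) == PARSE_TOO_LONG)
        passed++;

    /* 3: length fits the buffer but exceeds the bytes actually received */
    const uint8_t short_msg[] = {10, 0, 0, 0, 'a', 'b'};
    if (parse_name(short_msg, sizeof short_msg, out) == PARSE_TRUNCATED)
        passed++;

    return passed;
}

int main(void) {
    printf("%d of 3 sample messages handled as expected\n", run_samples());
    return 0;
}
```

The ordering of the checks matters: the comparison against the buffer size comes before the comparison against the received length, so an oversized claim is refused even when the client did send that many bytes.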

While the software seemingly uses robust encryption for authentication between the client software and the networked hardware, the encryption keys are baked into the software and simply retrievable, as well as being identical across all versions of the software. This either escaped, or wasn't considered part of, the due diligence of the hardware makers licensing the software.

What can you do about it? Of the many companies that distribute the NetUSB software with their products, only one has produced updated firmware or options to remove the flaw or mitigate the vulnerability by disabling the feature. The only way to solve the problem is to replace the affected hardware or hope the vendor ultimately releases an update.

What's at risk

This exploit has to be carried out over a local network, at least in the scenario described by SEC Consult. If a gray-hat or black-hat hacker develops and distributes an easily used crack, then cafés and other public places that use routers with unpatched and enabled versions of NetUSB could be at risk.

While it's much harder to launch effective proximity attacks, because an attacker has to visit the location to carry it out, some spots are valuable because they have computer-based cash registers or other data on the network that can be accessed and used to transfer money or gather data for identity theft.

It's unknown how many attacks originate in public, rather than over the Internet. But having easily exploited, widely used devices susceptible without patches available certainly opens up an opportunity.

SEC Consult also found that some devices--though not ones they tested--expose access to the USB device over the Internet at a specific port. If that turns out to be the case on a broad scale, we'll immediately see attempts to use that vector, which turns it into a global problem rather than a local one. This has happened repeatedly with exposed services, like web-enabled cameras and screen-sharing software.

The researchers found that nearly 100 models from major vendors, identified by testing those vendors' firmware disk images, could be vulnerable. Many others could also be susceptible. At least millions of routers are at risk. Despite the researchers following responsible disclosure practices, only TP-Link has released updates. The other makers have fallen down.

Open says me

The NetUSB case is all too common. Networked hardware, including set-top boxes, Wi-Fi routers, and broadband modems provided by telephone, cable, and other television-service companies, is rarely updated to fix security flaws. If a company or its software module provider creates updates, most hardware doesn't notify you of fixes.

I've been writing stories for years about these risks, both to educate readers and potentially provide fodder for product managers or others inside companies trying to get the funding or support to have an ongoing path for security upgrades and user notifications. Most mainstream hardware churns so quickly through product options and technical specs that any model you buy is simply dropped from a support path not long after it's made.

Better brands support products longer, but not as long as they can be useful. Apple's record on this front is mixed, as I and many others have written. It gets away with dropping support for older but not very old versions of OS X and iOS with security upgrades because it generally offers upgrades to years-old gear and provides fixes for exploits back at least one version.

Because so many Apple product users upgrade to newer OS versions quickly, the exploit target among older users rapidly becomes so small that there's little incentive for criminals (or even vandals) to go after these old problems.

Networked devices change the equation, and Apple has a much better track record at patching Wi-Fi routers dating way, way back. Apple's chain of firmware updates (including a few stinkers later fixed) for its 802.11n routers allows every Extreme and Time Capsule model it made between 2007 and 2013 to be upgraded. The introduction of 802.11ac in mid-2013 started a new chain, but I still expect firmware updates if security flaws are discovered in the older devices. (The last 802.11n update for them was in 2013, after the 802.11ac base stations had shipped.)

By default, AirPort Utility on every computer on which it's installed will alert you to new firmware and other potential security issues on Apple base stations unless you disable those notices. This is also a great way to push people towards updates.

There's no central body in the hardware industry, nor in most countries a regulator, responsible for ensuring updates are made available and distributed. It's entirely up to the companies making the hardware, unless fraud or other criminal matters are concerned, in which case agencies like America's FTC or FCC can get involved, depending on the product, and compel updates or sue to force them.

It's a sad problem for consumers who are the victims of these practices, and I expect I'll be writing about this again and again and again until some set of collective responsibility emerges--or a sufficient liability becomes exposed.


Stories by Glenn Fleishman
