Attackers this week used publicly posted exploit instructions to target several Cisco WiFi routers, days after the vendor issued a software patch for a critical security vulnerability in the devices.
The attacks occurred after security research firm Pen Test Partners posted a blog containing demonstration code on how to exploit the routers. The firm was involved in initially finding the vulnerability.
Cisco noted that the vulnerability occurs in the web-based management interface of three routers: RV110W, RV130W and RV215W. It reportedly impacts about 12,000 devices in the U.S., Canada, India, Argentina, Poland, and Romania.
The vulnerability, a Remote Command Execution (RCE) flaw, was rated “critical” by Cisco, with a score of 9.8 out of a possible 10 on the Common Vulnerability Scoring System. The score reflects that the flaw can be exploited over the network with no authentication, no action by a user, and low attack complexity, so an attacker does not need advanced skills to use it.
An unauthenticated remote attacker could use the vulnerability to execute arbitrary code on the device, Cisco explained. Cisco’s report does not spell out how attackers might take advantage of such access, but code execution on a router gives control over the device and the traffic it forwards, so they presumably could monitor personal data passing through it, including passwords.
Three security researchers, including one from Pen Test Partners, announced the vulnerability at the GeekPwn Shanghai conference in late October. They didn’t provide technical details or mention the impacted products at the time, although Cisco thanked them for their work.
In its blog post, Pen Test Partners criticized Cisco coders for using an insecure function in the C programming language known as strcpy (shorthand for “string copy”) when the routers were first designed. strcpy copies a string without checking how much room the destination has, so an overlong password submitted to the routers’ authentication handler overruns a fixed-size buffer and corrupts the memory beyond it, which is what lets an attacker take control of execution and run commands on the device. “It is well known – notorious even – that strcpy is a dangerous function to use,” the blog said.
That blog entry, which was posted on Feb. 28, included proof-of-concept code demonstrating the attack.
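The following is an added example written for this article to show the strcpy pattern described above beside a hardened version; it is not code from the page, from Pen Test Partners, or from Cisco’s firmware. The 16-byte buffer size, the field and function names, the “hunter2” comparison, and the two-member “frame” (a password buffer followed by an authenticated flag) are all assumptions chosen for illustration. A real stack frame holds saved registers and a return address after the buffer, which is what turns the same overrun into code execution.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the submitted password is copied into.
   The page does not give the routers' real buffer size; 16 is an
   assumption for illustration. */
#define PASSWORD_BUF_SIZE 16

/* Simplified model of a login handler's stack frame: the password
   buffer with an "authenticated" flag laid out directly after it.
   In a real frame the bytes past the buffer are saved registers and
   the return address, so the overrun redirects execution instead of
   just flipping a flag. */
struct login_frame {
    char password[PASSWORD_BUF_SIZE];
    int  authenticated;
};

/* Vulnerable pattern: strcpy trusts the attacker-controlled field and
   copies until it sees a NUL, however far past the buffer that is.
   Returns 1 when the submitted password matched the (assumed) secret.
   Calling this with input of PASSWORD_BUF_SIZE bytes or more is
   undefined behaviour; that is the bug. */
int login_vulnerable(const char *submitted)
{
    struct login_frame f;
    f.authenticated = 0;
    strcpy(f.password, submitted);             /* no length check */
    if (strcmp(f.password, "hunter2") == 0)
        f.authenticated = 1;
    return f.authenticated;
}

/* Well-defined re-enactment of what the strcpy above does to the frame
   when the field is too long: write the submitted bytes over the
   object's representation (clamped to the object's size so this stays
   defined), then read back the flag that sits past the buffer.
   Returns f.authenticated afterwards; 0 means the overrun did not
   reach it. */
int simulate_overflow(const char *submitted)
{
    struct login_frame f;
    size_t n = strlen(submitted) + 1;          /* strcpy copies the NUL too */
    memset(&f, 0, sizeof f);
    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, submitted, n);
    return f.authenticated;
}

/* Hardened version: measure the field against the buffer before
   copying and reject anything that does not fit, NUL included.
   Rejecting is preferred to truncating, because truncation can leave
   the buffer unterminated or silently accept a different password.
   Returns 1 on match, 0 on mismatch, -1 when the input was rejected. */
int login_hardened(const char *submitted)
{
    struct login_frame f;
    size_t i;
    f.authenticated = 0;
    for (i = 0; i < PASSWORD_BUF_SIZE; i++) {
        if (submitted[i] == '\0')
            break;                             /* fits, terminator included */
    }
    if (i == PASSWORD_BUF_SIZE)
        return -1;                             /* too long: refuse the request */
    memcpy(f.password, submitted, i + 1);
    if (strcmp(f.password, "hunter2") == 0)
        f.authenticated = 1;
    return f.authenticated;
}

int main(void)
{
    /* Constructed inputs: a normal password and a 20-byte overlong one. */
    const char *normal   = "hunter2";
    const char *overlong = "AAAAAAAAAAAAAAAAAAAA";

    printf("vulnerable, normal input : %d\n", login_vulnerable(normal));
    printf("overflow re-enactment    : 0x%08x\n",
           (unsigned)simulate_overflow(overlong));
    printf("hardened, normal input   : %d\n", login_hardened(normal));
    printf("hardened, overlong input : %d\n", login_hardened(overlong));
    return 0;
}
```

With the 20-byte input, the re-enactment shows the four bytes past the buffer now hold 0x41414141 (“AAAA”), the same way a real overrun overwrites whatever follows the buffer on the stack. The hardened handler refuses the request before any copy happens, which is the check strcpy never performs.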
Bad Packets Report tweeted on March 1 that it had detected an uptick in internet scans for the vulnerable routers, likely from attackers relying on the code published by Pen Test Partners.
Cisco issued a guarded statement via email to SDxCentral, noting that when it works with security researchers, “many choose to publish their work after the vulnerability fix is released. We appreciate the researchers disclosing the involved security vulnerability in a responsible and coordinated way.”
Cisco added that it “maintains a very open relationship with the security research community and views this collaboration as vital to helping protect our customers’ networks.”
Jack Gold, an analyst at J. Gold Associates, said both Cisco and Pen Test Partners deserve some blame for the router attacks. “For a very long time, companies did not concentrate on security in WiFi routers at all,” Gold said. Cisco should have done “a better job of monitoring and testing their code.” And Pen Test Partners “could certainly have talked about the vulnerability without making sample code available that can lead to a hack.”
IoT Device Security
The vulnerability again raised questions about the security of IoT devices. Devices like the Cisco routers used in small offices and homes don’t normally get the attention from security staff that enterprise equipment does. As a result, they typically are not kept up to date with software patches the way devices in a large organization would be.
“We’ve seen time and again that among IoT devices, routers are among the most exploited,” said U.S. Sen. Mark Warner (D-Va.), in an email to SDxCentral, when asked for his reaction to the Cisco router attacks. He expressed frustration that when he introduced a bill to set minimum security requirements on IoT devices, cable companies had asked for an exemption for their routers.