SoylentNews is people

posted by Fnord666 on Friday September 27 2019, @05:11AM
from the is-anyone-surprised? dept.

Submitted via IRC for Bytram

125 New Flaws Found in Routers and NAS Devices from Popular Brands

Believe me, there are over 100 ways a hacker can ruin your life just by compromising your wireless router—a device that controls the traffic between your local network and the Internet, threatening the security and privacy of a wide range of wireless devices, from computers and phones to IP Cameras, smart TVs and connected appliances.

In its latest study titled "SOHOpelessly Broken 2.0," Independent Security Evaluators (ISE) discovered a total of 125 different security vulnerabilities across 13 small office/home office (SOHO) routers and Network Attached Storage (NAS) devices, likely affecting millions.

"Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries. This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices," the researchers said.

[...]SOHO routers and NAS devices tested by the researchers are from the following manufacturers:

  • Buffalo
  • Synology
  • TerraMaster
  • Zyxel
  • Drobo
  • ASUS and its subsidiary Asustor
  • Seagate
  • QNAP
  • Lenovo
  • Netgear
  • Xiaomi
  • Zioncom (TOTOLINK)

According to the security researchers, all of these 13 widely-used devices they tested had at least one web application vulnerability that could allow a remote attacker to gain remote shell access or access to the administrative panel of the affected device.


  • (Score: 4, Interesting) by Snospar on Friday September 27 2019, @07:54AM (3 children)

    I read the article (I know, I know) to see what the issues with the Synology kit were and they list the device in a table with no ticks against any of the vulnerabilities. They're also using an old version of the system software. Not very helpful or useful but I'm sure plenty of Synology owners will click through just like me.

    --
    Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.
  • (Score: 3, Interesting) by zocalo on Friday September 27 2019, @09:10AM (2 children)

    Yeah, I think researchers do this on purpose to make their findings look more impressive. Technically, yes, in this case Synology is vulnerable, but only if you're not up-to-date on firmware which the more security-conscious users probably are. Unless they're providing some level of triage between "no known patch / patch available / patched some time ago" to help users assign a level of urgency then I think this is a little disingenuous, to say the least. Worst case, it encourages users to get complacent about their devices; "Oh, it was already fixed the last few times so I can probably ignore that for now and catch up on it later..."
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 5, Insightful) by https on Friday September 27 2019, @07:41PM (1 child)

      Did you miss the part in the article in which they explicitly said that they had addressed this?

      Our targets were all updated to the latest supported publicly-available firmware...

      Did you also miss the chart showing that they were not able to get past the protections of the Synology DS218j? Not even so much as a buffer overflow?

      --
      Offended and laughing about it.
      • (Score: 3, Touché) by zocalo on Saturday September 28 2019, @08:52AM

        Did you miss the point of my comment being more about the nature and potential implications of vulnerability researchers inflating their claims (e.g. yes, I absolutely realised the Synology wasn't vulnerable)? They list Synology in the headline list and say it's vulnerable ("all of these 13 widely-used devices..."), but as you just pointed out they couldn't exploit the Synology with the latest firmware installed, and even the version they did exploit is way out of date and doesn't even have the current *major* version number.
        --
        UNIX? They're not even circumcised! Savages!