Flaws in networking devices highlight tech industry's quality control problem
Security flaws discovered in common networking equipment could give malicious hackers a direct pipeline into data centers and business applications, even allowing them to remotely turn off power to critical information systems and industrial machinery.
Researchers at the Georgia cybersecurity firm BorderHawk revealed to Passcode that vulnerabilities in a widely used type of business hardware known as remote power managers (RPM) may affect thousands of companies across the country.
BorderHawk would not reveal the name of the company that makes the flawed hardware. But it is advising businesses, which often rely on these kinds of network-connected devices to remotely manage equipment, to ensure they aren't accessible from the Internet and to make sure they have been updated with newer software and firmware.
Unfortunately, security researchers say these types of vulnerabilities are not uncommon and are often difficult to detect. As companies add more networking devices or control system equipment to their overall business operations, especially those that are cheaply made overseas, they are often plugging in insecure equipment rife with vulnerabilities.
"We see lots of different devices, but a lot of the same problems," said Billy Rios, chief executive officer of the security startup Whitescope.
The issue can often be chalked up to poor quality control in the supply chain of manufacturing business networking equipment, which largely takes place in China, say experts.
"Hardware is a misunderstood, unknown territory," said noted electrical engineer and inventor Joe Grand of Grand Idea Studio. "People buy a piece of hardware and take it for granted. They assume it is secure. They assume it does what it does and only does what it does."
Small, inexpensive, and insecure
BorderHawk didn't set out to search for vulnerabilities in RPM devices. While working on another project at a large energy firm, its researchers noticed a steady stream of alerts about unusual traffic on their client's network, said Matt Caldwell, the company's chief security researcher.
He said the traffic was disguised to look as if it came from a well-known defense contractor with no known connection to the client. It was destined for computers in France, South Korea, Russia, and Britain. It also appeared the traffic had been on the company's network for as long as a year.
That discovery set off a hunt for the origin of the traffic that ended with the 5-by-6 inch RPM device: simple network hardware containing two power outlets to plug in equipment, as well as Ethernet and serial ports for connecting to the network or directly to another computer.
Caldwell said it is difficult to know whether RPM devices such as those studied by BorderHawk are merely the first entry point hackers can detect in an organization or whether hackers are targeting the devices specifically.
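One defensive check the episode above suggests, as an added example that is not BorderHawk's tool or any code from the article: an out-of-band management device such as an RPM has no business initiating connections to anything outside its management network, so any such flow is worth an alert. The management subnet, device addresses and flow records below are constructed for illustration.

```python
"""Egress check for remote power managers and similar management devices.

Added example: an RPM should only ever talk to the internal hosts that
administer it. A flow the device itself initiates toward any address
outside the management network is flagged for investigation.
"""
import ipaddress
from typing import Dict, List

# Constructed values (assumed, not from the article): the management subnet
# and the RPM devices that live in it.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
RPM_DEVICES = {"10.20.0.50": "rpm-rack07", "10.20.0.51": "rpm-rack08"}

# Constructed flow records, "src,dst,dport,bytes" (not real logs).
SAMPLE_FLOWS = [
    "10.20.0.50,10.20.0.5,22,1204",       # admin SSH session: expected
    "10.20.0.50,203.0.113.77,443,88210",  # RPM reaching an external host: suspicious
    "10.20.0.51,10.20.0.5,23,980",        # admin telnet session: expected
    "10.20.0.51,198.51.100.9,8080,5120",  # second external destination: suspicious
    "10.20.0.7,10.20.0.50,80,410",        # admin host opening the RPM web UI: expected
]


def parse_flow(line: str) -> Dict[str, object]:
    """Split one comma-separated flow record into a dict."""
    src, dst, dport, nbytes = line.split(",")
    return {"src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def suspicious_egress(lines: List[str]) -> List[Dict[str, object]]:
    """Return flows that an RPM initiated to a destination outside MGMT_NET."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow["src"] not in RPM_DEVICES:
            continue  # only device-initiated traffic matters for this check
        if ipaddress.ip_address(str(flow["dst"])) in MGMT_NET:
            continue  # expected: the device answering its own administrators
        flow["device"] = RPM_DEVICES[str(flow["src"])]
        hits.append(flow)
    return hits


if __name__ == "__main__":
    for h in suspicious_egress(SAMPLE_FLOWS):
        print(f"{h['device']} ({h['src']}) -> {h['dst']}:{h['dport']}, {h['bytes']} bytes")
```

Fed with real flow or firewall logs, the same rule would also have caught the disguised traffic described above long before a year had passed, since the source would have been the RPM itself.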
After discovering the flaw, Caldwell's team attempted to contact the manufacturer, to little effect. "They were elusive," he said. "They kept asking us what the [unique machine address] of the device was or demanding that we send the hardware back to them."
Since the vendor was uncooperative, BorderHawk wrote its own custom tool to extract the software from the device and analyze it. Researchers also went online and purchased different versions of the same device to analyze those.
They found more reasons for concern. A help file in the product contained a link to a known, malicious domain located in China. An analysis of the device firmware found undocumented features: hidden commands that could be used to dump a list of user accounts and passwords to access the device, and other commands whose function was unknown, said Caldwell.
BorderHawk's discovery isn't the first time that security researchers have uncovered problems in RPM devices.
For instance, Shawn Merdinger, chief information security officer at Valdosta State University in Valdosta, Ga., discussed the risks posed by iBootbar RPM devices deployed on corporate networks, but accessible from the public Internet, at a recent security conference in Tampa, Fla.
More recently, the security consulting firm Senrio Inc. (formerly called Xipiter) found similar problems to those identified by BorderHawk in an RPM device – the NetBooter NP-02B – made by the Arizona firm SynAccess Networks.
One hidden feature in the device's firmware lets anyone remotely reset the NetBooter device to its factory default configuration – an action that would sever it from the network. Another allows anyone to modify network and system settings. A third, hidden function could be used to extract data (like a recently entered password) stored in the device's memory, according to Stephen Ridley, a principal at Senrio.
In many cases the hidden functions can be used without needing a user name or password, Senrio researchers found. That means anyone who could connect to the NetBooter device and knew the proper syntax of the commands could control it, Ridley said.
When Senrio researchers looked for NetBooter devices on Shodan, a search engine that catalogs devices connected to the Internet, they found 83 of them in the US reachable from the public Internet. The firm identified another nine in Canada and one each in Panama and Australia, Ridley noted. A search, more broadly, for SynAccess devices using Shodan identified more than 400 devices.
When contacted about the flaw and Senrio's findings, SynAccess Network Chief Executive Officer Shan Han said he was only willing to speak with the company's customers about problems with its products. "Please stop calling," he said.
Web of vulnerabilities in global supply chain
Many security experts say that the kinds of flaws uncovered by BorderHawk and Senrio are not limited to RPM devices or even to inexpensive hardware from small firms. Rather, they can be found in a wide range of hardware including networking equipment, industrial control systems, and medical devices.
The problem is a byproduct of changes in the way that technology firms source and build their products, often relying on far-flung networks of manufacturers and suppliers who operate with little oversight or quality control.
Computer products 25 years ago were assembled in Texas from parts made in Silicon Valley and shipped directly to retail stores and companies in the US, noted Caldwell from BorderHawk. Now, he said, finished products are made of parts manufactured in China, Taiwan, the Philippines and Indonesia, assembled in China and shipped via a web of importers and distributors to stores and customers.
When his firm began investigating RPM devices, they noted that many products were labeled "Made in the USA" but were clearly sourced overseas. Even casual, visual inspection of purchased RPMs turned up red flags, like misspellings on product labels and compliance certificates on the products that were outdated.
Ridley of Senrio said that his company's research on the NetBooter device even revealed the existence of a knock-off version of the SynAccess product they were analyzing, the NP-02R. It is sold mostly in China and uses almost identical hardware and software. "The goal is to trick people into thinking this is a SynAccess device," he said. Such counterfeit products could eventually make their way into firms outside of China, further exposing them to risk, he said.
The problem, said Mr. Grand of Grand Idea Studio, is often that buyers aren't examining components going into much of the industrial equipment that's on the market today.
"They just buy the hardware from a vendor that meets their specifications and that's just accepted as good," he said. "Whatever hardware is in it, whatever software it's running, that just goes into the final product."
Instead, he said, the supply chain for electronics should be examined as closely as the supply chain for food. "If I'm sourcing a module, I want to go and see where it's made," he said. "I want to make sure it's a legitimate package and that the company meets my standards."