
Flaws in networking devices highlight tech industry's quality control problem

Researchers have uncovered security vulnerabilities in widely used remote power management equipment that many say is the byproduct of a technology supply chain plagued with quality control issues. 

AP

May 18, 2016

Security flaws discovered in common networking equipment could give malicious hackers a direct pipeline into data centers and business applications, even allowing them to remotely turn off power to critical information systems and industrial machinery.

Researchers at the Georgia cybersecurity firm BorderHawk revealed to Passcode that vulnerabilities in a widely used type of business hardware known as remote power managers (RPM) may affect thousands of companies across the country.

BorderHawk would not reveal the name of the company that makes the flawed hardware. But it is advising businesses, which often rely on these kinds of network-connected devices to remotely manage equipment, to ensure they aren't accessible from the Internet and to make sure they have been updated with newer software and firmware.


Unfortunately, security researchers say these types of vulnerabilities are not uncommon and are often difficult to detect. As companies add more networking devices or control system equipment to their overall business operations, especially those that are cheaply made overseas, they are often plugging in insecure equipment rife with vulnerabilities.

"We see lots of different devices, but a lot of the same problems," said Billy Rios, chief executive officer of the security startup Whitescope.

The issue can often be chalked up to poor quality control in the supply chain of manufacturing business networking equipment, which largely takes place in China, say experts.

"Hardware is a misunderstood, unknown territory," said noted electrical engineer and inventor Joe Grand of Grand Idea Studio. "People buy a piece of hardware and take it for granted. They assume it is secure. They assume it does what it does and only does what it does."

Small, inexpensive, and insecure

BorderHawk didn't set out to search for vulnerabilities in RPM devices. While working on another project at a large energy firm, its researchers noticed a steady stream of alerts about unusual traffic on their client's network, said Matt Caldwell, the company's chief security researcher.


He said the traffic was disguised to look as if it came from a well-known defense contractor with no known connection to the client. It was destined for computers in France, South Korea, Russia, and Britain. It also appeared the traffic had been on the company's network for as long as a year.
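The pattern described above, a management device quietly talking to unexpected external hosts for months, is the kind of thing a simple egress review over flow records can surface. The script below is an added example, not BorderHawk's tooling or anything from the article: it assumes a hypothetical management VLAN (10.20.0.0/24) where RPM devices live, a constructed allowlist of external hosts such devices may legitimately reach, and a few constructed flow records in a simple "timestamp src dst port bytes" format. It flags management-network sources that contact non-allowlisted external destinations and marks the ones seen over a long span as persistent.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not from the article), one connection per line:
# "timestamp src dst dst_port bytes". 10.20.0.0/24 is assumed to be the
# management VLAN holding the remote power managers.
SAMPLE_FLOWS = """\
2016-01-03T02:14:00 10.20.0.15 10.20.0.2 443 1200
2016-01-03T02:15:00 10.20.0.15 203.0.113.7 8080 900
2016-03-11T03:10:00 10.20.0.15 203.0.113.7 8080 950
2016-05-02T01:45:00 10.20.0.15 198.51.100.9 443 800
2016-05-02T09:00:00 10.20.0.40 10.20.0.2 22 3000
"""

MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

# Networks treated as internal. Defined explicitly rather than via
# ipaddress.is_global, because the documentation ranges used for the
# sample (203.0.113.0/24, 198.51.100.0/24) are not "global" in Python.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed allowlist: external hosts the devices may legitimately reach
# (for instance a vendor update server). Constructed for the example.
ALLOWED_EXTERNAL = {ipaddress.ip_address("198.51.100.9")}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the simple flow format into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def find_unexpected_egress(records):
    """Map src -> dst -> (first_seen, last_seen, count) for flows that leave
    the management network for an external, non-allowlisted destination."""
    seen = defaultdict(dict)
    for r in records:
        if r["src"] not in MGMT_NET:
            continue
        if is_internal(r["dst"]) or r["dst"] in ALLOWED_EXTERNAL:
            continue
        first, last, count = seen[r["src"]].get(r["dst"], (r["ts"], r["ts"], 0))
        seen[r["src"]][r["dst"]] = (min(first, r["ts"]), max(last, r["ts"]), count + 1)
    return seen


def report(records, min_days=30):
    """Flatten the findings and mark destinations contacted across a long
    span as persistent; the article's case ran for about a year."""
    findings = []
    for src, dsts in find_unexpected_egress(records).items():
        for dst, (first, last, count) in dsts.items():
            span = (last - first).days
            findings.append({
                "src": str(src), "dst": str(dst), "count": count,
                "span_days": span, "persistent": span >= min_days,
            })
    return findings


if __name__ == "__main__":
    for finding in report(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the sample, only the 10.20.0.15 to 203.0.113.7 conversations are reported: the 198.51.100.9 traffic is allowlisted and the rest stays inside the VLAN. Real deployments would feed this from NetFlow or firewall logs and tune `min_days` to the review cadence; the point is that management devices have a small, knowable set of legitimate external peers, so anything outside it deserves a look.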

That discovery set off a hunt for the origin of the traffic that ended with the 5-by-6 inch RPM device: simple network hardware containing two power outlets to plug in equipment as well as Ethernet and serial ports for connecting to the network or directly to another computer.

Caldwell said it is difficult to know whether RPM devices such as those studied by BorderHawk are merely the first entry point hackers can detect in an organization or whether hackers are targeting the devices specifically.

After discovering the flaw, Caldwell's team attempted to contact the manufacturer, to little effect. "They were elusive," he said. "They kept asking us what the [unique machine address] of the device was or demanding that we send the hardware back to them."

Since the vendor was uncooperative, BorderHawk wrote its own, custom tool to extract the software from the device and analyze it. Researchers also went online and purchased different versions of the same device to analyze those.

They found more reasons for concern. A help file in the product contained a link to a known, malicious domain located in China. An analysis of the device firmware found undocumented features: hidden commands that could be used to dump a list of user accounts and passwords to access the device, and other commands whose function was unknown, said Caldwell.

BorderHawk's discovery isn't the first time that security researchers have uncovered problems in RPM devices.

For instance, Shawn Merdinger, chief information security officer at Valdosta State University in Valdosta, Ga., posed by iBootbar RPM devices deployed on corporate networks, but accessible from the public Internet, at a recent security conference in Tampa, Fla.

More recently, the security consulting firm Senrio Inc. (formerly called Xipiter) found similar problems to those identified by BorderHawk in an RPM device – the NetBooter NP-02B – made by the Arizona firm SynAccess Networks.

One hidden feature in the device's firmware lets anyone remotely reset the NetBooter device to its factory default configuration – an action that would sever it from the network. Another allows anyone to modify network and system settings. A third, hidden function could be used to extract data (like a recently entered password) stored in the device's memory, according to Stephen Ridley, a principal at Senrio.

In many cases the hidden functions can be used without needing a user name or password, Senrio researchers found. That means anyone who could connect to the NetBooter device and knew the proper syntax of the commands could control it, Ridley said.
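The root cause in the two preceding paragraphs is a design one: authentication is checked inside individual command handlers rather than in front of all of them, so an undocumented command that skips the check is reachable by anyone who can connect. The toy model below is an added example and not the NetBooter's firmware or command set; its command names, credentials and addresses are constructed. It shows the weak shape beside a hardened one, where the dispatcher gates every privileged command before any handler runs, rejects anything not in an explicit command table, and stores credentials as salted hashes so a memory or configuration dump does not directly yield passwords.

```python
import hashlib
import hmac
import os

# Constructed toy model of the command interface on a network-attached power
# controller. Nothing here is any vendor's real protocol or firmware.


class Session:
    def __init__(self, authenticated=False):
        self.authenticated = authenticated


class WeakController:
    """Before: an if/elif chain in which only the documented commands remember
    to check the session. The undocumented '__dump' branch has no check, so
    anyone who can connect and knows the name can use it."""

    def __init__(self):
        self.users = {"admin": "hunter2"}     # plaintext, constructed sample
        self.config = {"ip": "10.20.0.15"}     # constructed address

    def handle(self, session, line):
        parts = line.split()
        if not parts:
            return "ERR empty"
        cmd, args = parts[0], parts[1:]
        if cmd == "status":
            return "outlet1=on outlet2=on"
        if cmd == "setip":
            if not session.authenticated:
                return "ERR auth required"
            self.config["ip"] = args[0]
            return "OK"
        if cmd == "__dump":                    # hidden, and never gated
            return " ".join(f"{u}:{p}" for u, p in self.users.items())
        return "ERR unknown command"


class HardenedController:
    """After: one explicit command table. The auth requirement is data on the
    table entry and is enforced by the dispatcher before any handler runs, so
    a handler cannot forget it, and an unknown name is rejected outright."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.user_hashes = {"admin": self._hash("hunter2")}  # constructed
        self.config = {"ip": "10.20.0.15"}
        # command name -> (handler, requires_auth)
        self.commands = {
            "status": (self._status, False),
            "login": (self._login, False),
            "setip": (self._setip, True),
            "reset": (self._reset, True),
        }

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def handle(self, session, line):
        parts = line.split()
        if not parts:
            return "ERR empty"
        entry = self.commands.get(parts[0])
        if entry is None:
            return "ERR unknown command"
        handler, needs_auth = entry
        if needs_auth and not session.authenticated:
            return "ERR auth required"
        return handler(session, parts[1:])

    def _status(self, session, args):
        return "outlet1=on outlet2=on"

    def _login(self, session, args):
        if len(args) != 2:
            return "ERR usage: login <user> <password>"
        stored = self.user_hashes.get(args[0])
        # compare_digest keeps the comparison constant-time; hashing a dummy
        # value for unknown users would also avoid a timing hint, omitted here.
        if stored is not None and hmac.compare_digest(stored, self._hash(args[1])):
            session.authenticated = True
            return "OK"
        return "ERR bad credentials"

    def _setip(self, session, args):
        if len(args) != 1:
            return "ERR usage: setip <addr>"
        self.config["ip"] = args[0]
        return "OK"

    def _reset(self, session, args):
        self.config = {"ip": "192.168.1.1"}   # constructed factory default
        return "OK reset"
```

The hardened version still supports a factory reset, since that is a legitimate feature; what changes is that reset, like every other state-changing command, can only run from an authenticated session, and there is no code path that is not in the table. When auditing a device of this kind, the question to ask of its firmware is exactly this: is the authorization check in one place in front of dispatch, or scattered through handlers where one can be missed?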

When Senrio researchers looked for NetBooter devices on Shodan, a search engine that catalogs devices connected to the Internet, they found 83 of them in the US reachable from the public Internet. The firm identified another nine in Canada and one each in Panama and Australia, Ridley noted. A search, more broadly, for SynAccess devices using Shodan identified more than 400 devices.

When contacted about the flaw and Senrio's findings, SynAccess Network Chief Executive Officer Shan Han said he was only willing to speak with the company's customers about problems with its products. "Please stop calling," he said.

Web of vulnerabilities in global supply chain

Many security experts say that the kinds of flaws uncovered by BorderHawk and Senrio are not limited to RPM devices or even to inexpensive hardware from small firms. Rather, they can be found in a wide range of hardware including networking equipment, industrial control systems, and medical devices.

The problem is a byproduct of changes in the way that technology firms source and build their products, often relying on far-flung networks of manufacturers and suppliers who operate with little oversight or quality control.

Computer products 25 years ago were assembled in Texas from parts made in Silicon Valley and shipped directly to retail stores and companies in the US, noted Caldwell from BorderHawk. Now, he said, finished products are made of parts manufactured in China, Taiwan, the Philippines and Indonesia, assembled in China and shipped via a web of importers and distributors to stores and customers.

When his firm began investigating RPM devices, they noted that many products were labeled "Made in the USA" but were clearly sourced overseas. Even casual, visual inspection of purchased RPMs turned up red flags, like misspellings on product labels and outdated compliance certificates on the products.

Ridley of Senrio said that his company's research on the NetBooter device even revealed the existence of a knock-off version of the SynAccess product they were analyzing, the NP-02R, which is sold mostly in China and uses almost identical hardware and software. "The goal is to trick people into thinking this is a SynAccess device," he said. Such counterfeit products could eventually make their way into firms outside of China, further exposing them to risk, he said.

The problem, said Mr. Grand of Grand Idea Studio, is often that buyers aren't examining components going into much of the industrial equipment that's on the market today.

"They just buy the hardware from a vendor that meets their specifications and that's just accepted as good," he said. "Whatever hardware is in it, whatever software it's running, that just goes into the final product."

Instead, he said, the supply chain for electronics should be examined as closely as the supply chain for food. "If I'm sourcing a module, I want to go and see where it's made," he said. "I want to make sure it's a legitimate package and that the company meets my standards."
