Nuuo/Netgear's worrying approach to router security
The number of Internet-connected devices in the home keeps growing, with intelligent thermostats, smoke alarms and lighting systems joining routers and PCs. The result is a more varied set of security incidents, with vulnerable thermostats recently in the news. Responsible vendors engage with the community in identifying security vulnerabilities in their products and encourage security researchers to work with them.
"The web interface contains a number of critical vulnerabilities that can be abused by unauthenticated attackers. These consist of monitoring backdoors left in the PHP files that are supposed to be used by NUUO's engineers, hardcoded credentials, poorly sanitised input and a buffer overflow which can be abused to achieve code execution on NUUO's devices as root, and on NETGEAR as the admin user."
(Announcement on the full-disclosure mailing list)
Given that many embedded systems run a cut-down version of some flavour of Linux, security vulnerabilities are not unusual and you would expect to see them from time to time. What is more concerning is that the vendors appear uninterested in, or unduly slow at, addressing them once they are reported.
CERT/CC (the CERT Coordination Center, based at Carnegie Mellon University's Software Engineering Institute in the U.S.) takes on the role of coordinating vulnerability disclosure, giving vendors an opportunity to fix issues before the details are made public. This helps ensure that security patches are available by the time a vulnerability is announced, minimising the window in which it is effectively a 'zero day' (i.e. a vulnerability that is public, or being exploited, while no fix or workaround is available).
Worryingly, for months neither vendor responded to the researchers or to CERT/CC in any meaningful way, leaving customers running completely unpatched, vulnerable systems that third parties could access.
28/02/2016: Disclosure to CERT/CC.
27/04/2016: Requested status update from CERT - they did not receive any response from vendors.
06/06/2016: Requested status update from CERT - still no response from vendors. Contacted Nuuo and NETGEAR directly. NETGEAR responded with their "Responsible Disclosure Guidelines", to which I did not agree and requested them to contact CERT if they want to know the details about the vulnerabilities found. No response from Nuuo.
13/06/2016: CERT sent an update saying that NETGEAR has received the details of the vulnerabilities, and they are attempting to contact Nuuo via alternative channels.
07/07/2016: CERT sent an update saying that they have not received any follow up from both Nuuo and NETGEAR, and that they are getting ready for disclosure.
17/07/2016: Sent an email to NETGEAR and Nuuo warning them that disclosure is imminent if CERT doesn't receive a response or status update. No response received.
01/08/2016: Sent an email to NETGEAR and Nuuo warning them that disclosure is imminent if CERT doesn't receive a response or status update. No response received.
04/08/2016: Coordinated disclosure with CERT.
(Timeline from the full-disclosure post)
NETGEAR responded to our tweet about this issue. The full response was:
@thinkbroadband Thank you for your concern. NETGEAR values your input and takes the security of our customers and their data very seriously. We regularly monitor our products for security issues and we provide detailed information at www.netgear.com/about/security . In addition, if you have any security concerns, you can reach us at [email protected]
NETGEAR in particular is a major vendor whose routers many of us use today (either NETGEAR-branded or rebadged by others such as Virgin Media), which makes the apparent lack of engagement with the security researchers and coordinators who identified flaws in its product (despite its published security policy) particularly concerning. As the gatekeeper of your Wi-Fi and broadband connection, we would have expected NETGEAR to adopt a far more positive approach to security, even when the affected product sits in another product line.
NETGEAR has since addressed the specific issue raised here in a knowledge base article, which includes a link to the fix.