Reporting vulnerabilities on Internet of Things (IoT) devices has become very common among ethical hacking experts. One of the latest reports has to do with Ruckus IoT Software Suite, a hardware and software infrastructure employed by multiple IoT device manufacturers.
One of the most prominent members of this set is IoT Controller, a virtual controller that handles connectivity, device management, and security of non-WiFi devices.
Most of the functionality of this controller requires some form of authentication, but some features ignore this requirement, allowing unauthorized users to issue commands, which could result in a security breach. According to ethical hacking specialists, the unprotected features can be abused by unauthenticated remote threat actors to gain access to the target system with high privileges and carry out malicious actions, such as:
- Remote manipulation of pre-authentication settings
- Full access and manipulation of backups
- Download and update other firmware versions
- System service control
- Remote factory reset of the server
The vulnerability was tracked as CVE-2020-8005.
Changing remote settings
The service located at /service/init manages the configuration. When it receives an HTTP PATCH request, the JSON-formatted configuration supplied in the body is interpreted and saved. This allows important settings, such as the DNS servers, to be altered.
The device must then restart its services, which happens automatically as part of the process, completing the changes.
Manipulation of arbitrary backups
The backup manipulation service, located in /service/v1/db, allows three operations: upload, download, and delete backup files.
- Upload backups:
When an HTTP POST request is sent to /service/v1/db/restore, the server restores the backup file whose name is given in the request body. This name can be known beforehand or guessed, as the file name follows a specific pattern. The device then restarts to restore the arbitrarily chosen backup.
- Downloading backups:
Sending an HTTP GET request to /service/v1/db/backup with the file name as a parameter returns the requested backup file, ethical hacking specialists mention. This name can be known in advance or discovered through a brute-force attack.
- Delete backups:
Sending an HTTP DELETE request to /service/v1/db/backup allows the deletion of backup files. The backup file name is provided as a parameter.
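For defenders running an IoT Controller behind a reverse proxy or with access logging enabled, the endpoints and HTTP methods described above are enough to build a simple detection. The following script is an added example, not code from Ruckus or from the researchers who reported the flaw: it parses constructed access-log lines in the common "combined" format, flags successful (2xx) requests to the four method/path pairs named in the article that originate outside an assumed management subnet (10.0.0.0/24, a placeholder), and separately flags a source that repeatedly receives 404s on the backup download endpoint, the pattern the backup-name guessing described above would leave behind. The log format, the sample lines and the thresholds are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2020:10:01:02 +0000] "GET /service/v1/status HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.9 - - [15/Jan/2020:10:01:07 +0000] "PATCH /service/init HTTP/1.1" 200 128 "-" "python-requests/2.22"
203.0.113.9 - - [15/Jan/2020:10:01:20 +0000] "GET /service/v1/db/backup?name=backup-1.tar HTTP/1.1" 200 48211 "-" "python-requests/2.22"
10.0.0.5 - - [15/Jan/2020:10:02:00 +0000] "GET /service/v1/db/backup?name=backup-1.tar HTTP/1.1" 401 0 "-" "curl/7.64"
203.0.113.9 - - [15/Jan/2020:10:03:11 +0000] "DELETE /service/v1/db/backup?name=backup-1.tar HTTP/1.1" 200 0 "-" "python-requests/2.22"
203.0.113.9 - - [15/Jan/2020:10:04:30 +0000] "POST /service/v1/db/restore HTTP/1.1" 200 0 "-" "python-requests/2.22"
198.51.100.7 - - [15/Jan/2020:11:00:01 +0000] "GET /service/v1/db/backup?name=backup-2.tar HTTP/1.1" 404 0 "-" "Go-http-client/1.1"
198.51.100.7 - - [15/Jan/2020:11:00:02 +0000] "GET /service/v1/db/backup?name=backup-3.tar HTTP/1.1" 404 0 "-" "Go-http-client/1.1"
198.51.100.7 - - [15/Jan/2020:11:00:03 +0000] "GET /service/v1/db/backup?name=backup-4.tar HTTP/1.1" 404 0 "-" "Go-http-client/1.1"
"""

# Method/path pairs the article names as reachable without authentication.
SENSITIVE = {
    ("PATCH", "/service/init"): "pre-auth configuration change",
    ("POST", "/service/v1/db/restore"): "backup restore",
    ("GET", "/service/v1/db/backup"): "backup download",
    ("DELETE", "/service/v1/db/backup"): "backup deletion",
}

# Assumed management network; requests from here are treated as expected.
TRUSTED_PREFIXES = ("10.0.0.",)
# Number of 404s on the backup endpoint from one source before it is flagged.
ENUM_THRESHOLD = 3

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text, trusted_prefixes=TRUSTED_PREFIXES, enum_threshold=ENUM_THRESHOLD):
    """Return findings for untrusted sources that succeed against the sensitive
    endpoints, plus one finding per source that looks like it is guessing backup names."""
    findings = []
    not_found = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["method"], rec["path"])
        if key not in SENSITIVE:
            continue
        untrusted = not rec["ip"].startswith(trusted_prefixes)
        # A 2xx answer means the controller honoured the request; 401/403 means it was refused.
        if 200 <= rec["status"] < 300 and untrusted:
            findings.append({"kind": "sensitive_success", "ip": rec["ip"], "ts": rec["ts"],
                             "what": SENSITIVE[key], "request": f"{rec['method']} {rec['target']}"})
        elif key == ("GET", "/service/v1/db/backup") and rec["status"] == 404 and untrusted:
            not_found[rec["ip"]] += 1
    for ip, count in not_found.items():
        if count >= enum_threshold:
            findings.append({"kind": "enumeration", "ip": ip, "what": "backup name guessing",
                             "count": count})
    return findings


def summarize(findings):
    """Count findings per source address."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
    print(summarize(find_suspicious(SAMPLE_LOG)))
```

The log alone cannot show whether a request carried credentials, so the signal here is a successful response on an endpoint that should demand authentication, coming from an address that has no business reaching the controller; tune the trusted prefixes to the real management network, and treat any hit on the restore or delete paths as an incident rather than a warning, since both alter the device state.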
The International Institute of Cyber Security (IICS) constantly tracks the latest security threats for wireless networks and IoT devices, as attacks against this technology show accelerated growth.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has a deep level of knowledge in mobile security and mobile vulnerabilities.