There’s no doubt that networked resources like printers, scanners, and storage devices have a huge degree of utility. But cheaper and older peripherals don’t always have the gumption to connect via Wi-Fi or ethernet. USB is the only option, or at the least, it’s far cheaper. Networking USB devices is thus a clever workaround. Apple has supported external access to printers via AirPort Express since 2004, and to storage via its AirPort Extreme and Time Capsule base stations since 2007.
A licensed technology called NetUSB made by a Taiwanese firm has extended the same sort of capability to many millions of routers and other network hubs, including those made by Netgear and Zyxel. Using client software available for OS X and Windows, USB devices can be plugged in and then accessed almost like a shunt—as if the device were plugged locally to the computer—rather than a network-shared item as with Apple.
And researchers at SEC Consult have discovered that the software has a simple local exploit that comes from sending a router or other hardware with NetUSB installed a computer name that’s longer than expected. This flaw allows the networking hardware to be potentially hijacked, which could result in firmware being overwritten with malicious software and the ability to use the router as a way to monitor traffic and distribute malware to susceptible machines on the same network.
While the software seemingly uses robust encryption for authentication between the client software and the networked hardware, the encryption keys are baked into software and simply retrievable, as well as being identical across all versions of the software. This escaped or wasn’t considered as part of the due diligence of the hardware makers licensing the software.
What can you do about it? Of the many companies that distribute the NetUSB software with their products, only one has produced updated firmware or options to remove the flaw or mitigate the vulnerability by disabling the feature. The only way to solve the problem is replace the affected hardware or hope the vendor ultimately releases an update.
What’s at risk
This exploit has to be carried out over a local network, at least in the scenario described by SEC Consult. If a gray-hat or black-hat hacker develops and distributes an easily used crack, then cafés and other public places that use routers with unpatched and enabled versions of NetUSB could be at risk.
While it’s much harder to launch effective proximity attacks, because an attacker has to visit the location to carry it out, some spots are valuable because they have computer-based cash registers or other data on the network that can be accessed and used to transfer money or gather data for identity theft.
It’s unknown how many attacks originate in public, rather than over the Internet. But having easily exploited, widely used devices susceptible without patches available certainly opens up an opportunity.
SEC Consult also found that some devices—though not ones they tested—expose access to the USB device over the Internet at a specific port. If that turns out to be the case on a broad scale, we’ll immediately see attempts to use that vector, which turns it into a global problem rather than a local one. This has happened repeatedly with exposed services, like web-enabled cameras and screen-sharing software.
The researchers found that nearly 100 models affected out of major vendors whose firmware disk images they tested could be vulnerable. Many others could also be susceptible. At least millions of routers are at risk. Despite following responsible disclosure practices, only TP-Link has released updates. The other makers have fallen down.
Open says me
The NetUSB case is all too common. Networked hardware, including set-top boxes, Wi-Fi routers and broadband modems provided by telephone, cable, and other television-service companies, is rarely updated to fix security flaws. If a company or its software module provider create updates, most hardware doesn’t notify you of fixes.
I’ve been writing stories for years about these risks, both to educate readers and potentially provide fodder for product managers or others inside companies trying to get the funding or support to have an ongoing path for security upgrades and user notifications. Most mainstream hardware churns so quickly through product options and technical specs that any model you buy is simply dropped from a support path not long after it’s made.
Better brands support products longer, but not as long as they can be useful. Apple’s record on this front is mixed, as I and many others have written. It gets away with dropping support for older but not very old versions of OS X and iOS with security upgrades because it generally offers upgrades to years-old gear and provides fixes for exploits back at least one version.
Because so many Apple product users upgrade to newer OS versions quickly, the exploit target for older users rapidly becomes so small, there’s little incentive for criminals (or even vandals) to go after these old problems.
Networked devices change the equation, and Apple has a much better track record at patching Wi-Fi routers dating way, way back. Apple’s chain of firmware updates (including a few stinkers later fixed) for its 802.11n routers allow every Extreme and Time Capsule model it made between 2007 and 2013 to be upgraded. The introduction of 802.11ac in mid-2013 started a new chain, but I still expect firmware updates if security flaws are discovered in the older devices. (The last 802.11n update for them was in 2013 after the 802.11ac base stations had shipped.)
By default, AirPort Utility on every computer on which it’s installed will alert you to new firmware and other potential security issues on Apple base stations unless you disable those notices. This is also a great way to push people towards updates.
There’s no central body in the hardware industry nor in most countries a regulator responsible for ensuring updates are made available and distributed. It’s entirely up to the companies making it unless fraud or other criminal matters are concerned, in which case agencies like America’s FTC or FCC can get involved, depending on the product, and compel updates or sue to force them.
It’s a sad problem for consumers who are the victims of these practices, and I expect I’ll be writing about this again and again and again until some set of collective responsibility emerges—or a sufficient liability becomes exposed.