Vulnerabilities in Hong Kong Internet Devices

Release Date: 31 Jul 2015 2400 Views

A recent article titled “Security of Hong Kong Home Routers” published by HKCERT discussed how security vulnerabilities in common household routers were caused by the lack of proper configurations. According to a study conducted by Hewlett-Packard, vulnerabilities exist in 70% of devices on the Internet with a staggering average of 25 vulnerabilities per device.

Although these security vulnerabilities can be rectified through software updates, nonetheless updates are published infrequently for most of the devices have which may often take longer than a year between updates. Coupled with the fact that the lifespans of devices are relatively short, manufacturers frequently release new products as successors the previous versions while terminating their support and updates for the comparatively older devices. Attackers will target these vulnerable devices to gain control, obtaining the user’s sensitive information while using this device as a proxy to attack other devices.

HKCERT uses Shodan’s computer search engine to investigate and analyze the security of internet devices in Hong Kong. The search is based on three critical vulnerabilities from the past year.

NetUSB Vulnerability
NetUSB services connected USB devices ranging from printers, webcams to external hard drives to the Internet for users to access through their personal computers or smartphones. The service has been deployed in over 20% of internet devices. However, in May 2015, researchers found a security vulnerability in the NetUSB service. Remote users can exploit this vulnerability to execute arbitrary code and launch denial of service(DoS) attack.

On 10 July, we searched for related vulnerabilities and discovered that it was not a pervasive problem in Hong Kong and that only 13 devices allowed access to the NetUSB service over the Internet. As in most of the cases the NetUSB service was deployed in an intranet rather than an Internet, the lower amount of devices with this vulnerability was within the expected range. However, providers of free WiFi networks should be aware of the vulnerability and disable it if the service is unnecessary to prevent attacks.

Universal Plug and Play Vulnerability
Universal Plug and Play (UPnP) is a type of communication protocol. Its main function is to let devices automatically connect to the Internet and change the relevant configurations to simplify the process for end-users. The protocol has been commonly used since the 1990s with a variety of devices throughout the world. However, UPnP has many vulnerabilities and the update process has been arduous and slow, and thus despite the discontinued production many products have not received the proper updates.

On 10 July we searched for devices that were compromised and discovered 22,504 devices which enabled the UPnP service. 13,694 of the devices used MiniUPnPd to run the UPnP service, and 8,177 (approximately 36%) of the devices were still running the oldest version MiniUPnPd/1.0 (the current version is MiniUPnPd/1.9). Due to the fact that versions 1.5 and previous have severe vulnerabilities that can disrupt the service, and version 1.0 allowed remote users to execute arbitrary code, users should be advised to disable the UPnP service on their devices.

UPnP Version	Number was found
miniupnpd/1.0	8,177
miniupnpd/1.2	793
miniupnpd/1.3	2,534
miniupnpd/1.4	1,483
miniupnpd/1.5	707
Other/Unknown	8,810
Total:	22,504

Misfortune Cookie Vulnerability
Rompager is one of the most popular embedded web servers mainly providing devices functionality to manage and share files. In December 2014, a vulnerability named ‘Misfortune Cookie’ was discovered. Its root cause was the software’s mismanagement of HTTP cookies which allowed attackers to utilize this vulnerability to obtain administrative access of the device and change the device’s configurations. This vulnerability exists in all versions prior to 4.34.

We separately searched for this vulnerability on the 17 February and the 8 July in devices on the Hong Kong network. The two dates were chosen randomly. The results are listed in the table below:

Rompager version	First	Second
Use secure version	689	775
Use vulnerable version	606	402
Total:	1,295	1,177

Evaluating your devices:

If users want to understand what services are enabled on their devices, please navigate to the following links:

Inspect enabled services
ShieldsUP
SG Security Scan

Inspect whether UPnP is running
UPnP Checker

Advice to the general public:

The security of internet devices are often overlooked as many users do not regularly maintain their household internet devices after the initial setup. As time passes vulnerabilities will be discovered, and thus HKCERT advises users with internet devices to keep the following in mind:

Change the factory set passwords to a new secure password.
Inspect the services enabled by the manufacturers for both the Internet and Intranet, and disable any services that are infrequently used or unnecessary (such as UPnP and NetUSB).
Unless necessary, do not enable services for the Internet.
Periodically check for software updates for your device – download and update accordingly.
Choose devices made by reputable manufacturers.
If the manufacturers have stopped support for the device, consider obtaining a newer device that is still supported.

Almost every family in Hong Kong has installed a household router. Users can navigate to the website below and read the checklist for router maintenance for reference.

Router Security Feature Checklist

If you have further questions regarding household routers, come browse and read the article published by us “Security of Hong Kong Home Routers”。

Share with

Favourite Security Reads of the Week (31 Jul 2015)

31 Jul 2015 1310 Views