How Firedome Protects Millions of IoT Devices From Hijacking from a new OpenWRT Vulnerability
Critical Remote Code Execution Bug in Linux Based OpenWRT OS Affects Millions of IoT Devices
This week, a MAJOR critical vulnerability was discovered in the OpenWRT operating system for IoT devices. Exploitation of this vulnerability allows attackers to inject a malicious payload on the vulnerable systems, meaning they can install malware, gain full control of the device and hijack it completely.
Exploitation of this vulnerability in the wild could create malwares with infection capabilities that are comparable to the spread of the recent COVID-19 virus.
OpenWRT is a Linux based operating system mainly used on embedded devices, IoT and network routers to route network traffic and is installed on hundreds of millions of devices worldwide.
The vulnerability has existed for 3 years (!), tracked as CVE-2020-7982. It resides in the OPKG package manager of OpenWRT where integrity checking of downloaded packages is performed using the SHA-256 checksums embedded in the signed repository index.
While an ‘opkg install’ command is invoked on the victim system, the flaw could allow a remote man-in-the-middle attacker in position to intercept the communication of a targeted device to execute arbitrary code by tricking the system into installing a malicious package or software update without verification.
If exploited successfully, a remote attacker could gain complete control over the targeted OpenWRT device, and subsequently, over the network traffic it manages if it’s being used as a gateway.
End of Life Support by OpenWRT
The vulnerability affects most of the versions of OpenWRT out there. While there is already an update for the newer versions, the older versions of OpenWRT (e.g. OpenWRT 15.05 and LEDE 17.01) are end of life and not supported any more, meaning they will remain vulnerable, and device manufacturers must upgrade their firmware with a newer version of the OS, adapt their software to support it and issue an emergency OTA update to their entire device base.
Not The First Time
How Can Firedome Help?
Having Firedome installed on a device base translates into three vital, immediate benefits:
- Protect device base from hijacking & save on breach costs: protect against exploitation
- Save costly R&D resources: update and fix the bug
- Generate Revenue: externalize security to end-user
Protect Device Base From Hijacking & Save on Breach Costs: Protect Against Exploitation
As shown by the recent plague of Mirai attack variants, Firedome can prevent an exploitation of this vulnerability and malicious payload injection or execution of malwares.
Other than the core security capabilities of the Firedome platform, our patent-pending technology offers unique mechanisms to specifically mitigate this type of attack surface:
Whether the exploitation involves known or unknown (zero-day) vulnerabilities, such as in this case, Firedome’s Behavioral-based Protection (0-day protection) can detect remote code execution exploit attempts and block them in real-time. The agent constantly monitors for activities of every running process, alerting and responding to malicious behaviors spawned by vulnerable binaries, such as installation of an unknown package by the opkg binary.
Firedome’s Machine Learning based cloud, with its unique IoT Threat Intelligence and security analytics can also detect large scale attacks, malicious IPs reaching devices and new abnormal patterns across the fleet, respond to them and block them on the entire fleet automatically before they can spread to other devices.
Save Costly R&D Resources: Update and Fix the Bug
IoT manufacturers using this OS on their device base must divert R&D resources to fixing this vulnerability, testing and issuing an update across their entire device base as fast as possible to reduce the risk of a breach.
Beyond just protecting against the vulnerability, it’s always a good practice to fix known issues. Firedome’s agent offers remote update capability, which enables patching of the vulnerable process (opkg binary) with a fixed one, without diverting R&D teams and going through all the OTA process, saving those costs and allowing them to focus on product development.
Generate Revenue: Externalize Security to End Users
Looking at the broader picture for IoT manufacturers, having the capability to proactively prevent both known and unknown vulnerabilities like this before an attack is about more than just being able to respond quickly and patch the problem at a minimal brand and R&D cost.
Manufacturers who make the right proactive security investments also benefit from a positioning advantage and drive the message to consumers that they are the security leaders in their space and capitalize on the higher willingness to pay and 28% of consumers who are interested in Smart Home products, but specifically do not purchase them due to security concerns!
Firedome works with leading IoT manufacturers to not only provide them with an autonomous agent-based, software only solution to threats, but work with them to properly activate and bring these capabilities to market to educate end users on how we are filling this void in IoT security.