Critical vulnerabilities in Ruckus IoT affect millions of devices

Reporting vulnerabilities on Internet of Things (IoT) devices has become very common among ethical hacking experts. One of the latest reports has to do with Ruckus IoT Software Suite, a hardware and software infrastructure employed by multiple IoT device manufacturers.

One of the most prominent members of this suite is IoT Controller, a virtual controller that handles connectivity, device management, and security of non-WiFi devices.

Most of the controller's functionality requires some form of authentication, but some functions skip this requirement, allowing unauthenticated users to issue commands, which could result in a security breach. According to ethical hacking specialists, the unprotected features can be abused by unauthenticated remote threat actors to gain high-privileged access to the target system and carry out malicious activities such as:

  • Remote manipulation of pre-authentication settings
  • Full access to and manipulation of backups
  • Download and installation of other firmware versions
  • System service control
  • Remote factory reset of the server

The vulnerability was tracked as CVE-2020-8005.

Changing remote settings

The service located at /service/init manages the configuration. When it receives an HTTP PATCH request, the JSON-formatted configuration supplied in the body is interpreted and saved. This allows important settings, such as the DNS servers, to be altered.

The device must restart its services for the changes to take effect; this happens automatically as part of the controller's normal operation.

Manipulation of arbitrary backups

The backup manipulation service, located at /service/v1/db, allows three operations: uploading, downloading, and deleting backup files.

  • Upload

When an HTTP POST request is sent to /service/v1/db/restore, the server restores the backup file named in the request body. This name can be known beforehand or guessed, as the file name follows a specific pattern. The device then restarts to apply the arbitrarily chosen backup.

  • Download

Sending an HTTP GET request to /service/v1/db/backup with the file name as a parameter returns the requested backup file, ethical hacking specialists note. This name can be known in advance or found by brute force.

  • Delete

Sending an HTTP DELETE request to /service/v1/db/backup deletes a backup file. The backup file name is provided through the request parameter.
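Because the article describes these features in terms of concrete method/path pairs (PATCH /service/init, POST /service/v1/db/restore, GET and DELETE on /service/v1/db/backup), a defender can watch for them directly in the controller's front-end or reverse-proxy access logs. The following is an added example, not code from the article or from Ruckus: it parses combined-format access log lines, flags hits on those endpoints, notes whether the request succeeded and whether it came from outside an assumed management network, and summarizes activity per source address. The log format, the `10.0.0.` trusted prefix, the `name=` query parameter and the backup file name in the sample lines are all constructed assumptions.

```python
"""Flag requests to the unauthenticated Ruckus IoT Controller endpoints
named in the CVE-2020-8005 write-up, run over web-server access logs.

Added example, not part of the original article or any Ruckus code. The
combined log format, the trusted network prefix and the sample lines are
constructed assumptions; the method/path pairs come from the article.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Method/path pairs the article describes as reachable without authentication.
SENSITIVE_ENDPOINTS = {
    ("PATCH", "/service/init"),               # remote settings change
    ("POST", "/service/v1/db/restore"),       # restore an arbitrary backup
    ("GET", "/service/v1/db/backup"),         # download a backup
    ("DELETE", "/service/v1/db/backup"),      # delete a backup
}

# Assumed management network; requests from elsewhere are treated as external.
TRUSTED_PREFIXES = ("10.0.0.",)

# Apache/nginx "combined"-style line up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    method: str
    path: str
    status: int
    external: bool

    @property
    def succeeded(self) -> bool:
        # A 4xx/5xx means the request was rejected (e.g. after patching);
        # anything lower means the unauthenticated call went through.
        return self.status < 400


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip: str) -> bool:
    return not ip.startswith(TRUSTED_PREFIXES)


def audit(lines):
    """Return a Finding for every request that hits a sensitive endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop the query string so "?name=<file>" still matches the route.
        path = rec["path"].split("?", 1)[0]
        if (rec["method"], path) in SENSITIVE_ENDPOINTS:
            findings.append(Finding(rec["ip"], rec["method"], path,
                                    int(rec["status"]), is_external(rec["ip"])))
    return findings


def summarize(findings):
    """Count successful and rejected sensitive calls per source address."""
    summary = defaultdict(lambda: {"succeeded": 0, "rejected": 0})
    for f in findings:
        summary[f.ip]["succeeded" if f.succeeded else "rejected"] += 1
    return dict(summary)


# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2020:10:15:03 +0000] "PATCH /service/init HTTP/1.1" 200 312',
    '10.0.0.5 - - [10/Feb/2020:10:16:10 +0000] "GET /service/v1/db/backup?name=example-backup.tar HTTP/1.1" 200 51233',
    '203.0.113.7 - - [10/Feb/2020:10:17:41 +0000] "DELETE /service/v1/db/backup?name=example-backup.tar HTTP/1.1" 403 0',
    '198.51.100.9 - - [10/Feb/2020:10:18:02 +0000] "GET /service/v1/status HTTP/1.1" 200 80',
    '203.0.113.7 - - [10/Feb/2020:10:19:55 +0000] "POST /service/v1/db/restore HTTP/1.1" 200 20',
    'this line is not in the expected log format',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        where = "EXTERNAL" if f.external else "internal"
        print(f"{where:8} {f.ip:14} {f.method:6} {f.path} -> {f.status}")
    print(summarize(audit(SAMPLE_LOG)))
```

Rejected requests are kept in the findings on purpose: once the controller is patched, a burst of 403s against these paths from one address is still useful evidence of probing, while any success from outside the management network should be treated as a compromise indicator.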

The International Institute of Cyber Security (IICS) constantly tracks the latest security threats to wireless and IoT devices, as attacks against this technology show accelerated growth.
