April 19, 2007 2:54 PM PDT

Bug hunter targets routers, other gadgets

VANCOUVER, B.C.--Software that runs home routers, cell phones and personal digital assistants is rife with security bugs, an expert said Thursday.

Barnaby Jack, a Juniper Networks security researcher, gave a tutorial at the CanSecWest conference here on how bug hunters can find exploitable vulnerabilities in such devices and demonstrated an attack on a D-Link router using a yet-to-be-patched hole.

"Security flaws are abundant on these devices," Jack said. "Security needs to reach further than a home PC. Insecure devices pose a threat to the entire network. Hardware vendors must take security into consideration."

There hasn't yet been a large amount of security research into the type of software Jack looks at. This is code that runs gadgets equipped with ARM, MIPS, XScale and PowerPC microprocessors. However, researchers appear increasingly interested in finding ways to attack routers and other such "embedded" devices.

In examining software from various devices, Jack found that there are many exploitable "null pointers" in the code. "Vulnerabilities that are near dead in the PC realm are abundant," he said. "This is a new class of attack ... This is a remote attack the same way as a buffer overflow or a heap overflow, but it is more reliable."

Null pointers have often been disregarded as insignificant bugs, but according to Jack, the bugs can in fact allow full compromise on embedded devices. A null pointer is a pointer value that points to nothing; code that reads or writes through one anyway sends the program to a memory location that holds no valid data.
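As an added illustration of why an unchecked null pointer matters more on such devices (not code from the talk or from any vendor): on a flat, fully mapped address space without an MMU, address 0 is ordinary memory that commonly holds the exception vector table, so a write through a null pointer corrupts it instead of crashing the program. The simulation below models pointers as offsets into a constructed RAM array; all names and the memory layout are hypothetical.

```c
#include <stdint.h>
#include <string.h>
/* Added example: a constructed flat address space (no MMU) where offset 0
 * stands for NULL and also holds the "exception vector table". Hypothetical
 * layout and names; not code from the talk or from any device vendor. */
#define RAM_SIZE 256
#define NULL_OFF 0u            /* our model of a NULL pointer */
#define VECTOR_TABLE_BYTES 16  /* first 16 bytes: "exception vectors" */
#define SESSION_BASE 64u       /* where session records live */
#define MAX_SESSIONS 4

static uint8_t ram[RAM_SIZE];

/* Lay out the constructed memory image with a recognisable vector table. */
void device_reset(void) {
    memset(ram, 0, sizeof ram);
    for (int i = 0; i < VECTOR_TABLE_BYTES; i++) ram[i] = (uint8_t)(0xA0 + i);
}

/* Find the record for `session_id`; returns NULL_OFF when there is none
 * (a lookup miss that a malformed or unauthenticated request can cause). */
uint32_t session_lookup(uint8_t session_id) {
    if (session_id < MAX_SESSIONS)  /* constructed: only ids 0..3 exist */
        return SESSION_BASE + (uint32_t)session_id * 4u;
    return NULL_OFF;
}

/* Vulnerable handler: trusts the lookup and writes through the result.
 * With an MMU this would fault at address 0; on flat memory it silently
 * overwrites the vector table with whatever byte the request carried. */
void set_flag_unchecked(uint8_t session_id, uint8_t value) {
    uint32_t rec = session_lookup(session_id);
    ram[rec] = value;
}

/* Hardened handler: a NULL result is a hard error, never a usable address. */
int set_flag_checked(uint8_t session_id, uint8_t value) {
    uint32_t rec = session_lookup(session_id);
    if (rec == NULL_OFF) return -1;   /* reject instead of dereferencing */
    ram[rec] = value;
    return 0;
}

/* Integrity check a monitoring tool could run: is the vector table intact? */
int vector_table_intact(void) {
    for (int i = 0; i < VECTOR_TABLE_BYTES; i++)
        if (ram[i] != (uint8_t)(0xA0 + i)) return 0;
    return 1;
}
```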

An attacker could run unauthorized software on a device connected to a network. Criminals could use this kind of attack to steal sensitive information from mobile phones and PDAs or monitor and redirect Internet traffic on routers.

To find bugs, the software needs to be extracted from the device and analyzed, Jack said. This could be done using a gadget that connects to hardware interfaces, such as JTAG (Joint Test Action Group) or UART (Universal Asynchronous Receiver Transmitter), commonly available on the devices, he said. Alternatively, manufacturers sometimes conveniently make their software available online.

In a demonstration, Jack launched an attack on a D-Link router. He showed how he could remove password protection on the router and enable remote administration capability. He subsequently uploaded modified software to the router that included a "watchdog" tool he created to monitor activity.

The particular D-Link hole Jack used in the demonstration is not exploitable over the Internet--an attacker has to be connected to the vulnerable device. However, many other vulnerabilities of this type exist that do allow attacks via the Internet, he said.

One way hardware makers can prevent bug hunters from finding flaws in their code is by hiding their software better, Jack said. For example, commercial devices should not have JTAG traces that let people copy the software. "No debugging functionality needs to remain," he said.


2 comments

Who does this affect?
I'm confused about this. I noticed that there is mention of PowerPC. Does this mean this affects Macs with a PowerPC processor?
Posted by electronicthroat (1 comment)
likely not
This quote from the article ...

"In examining software from various devices, Jack found that there are many exploitable "null pointers" in the code"

... seems to implicate the lightweight software/OS system on the devices themselves, which can be running PPC processors among others.

I see no way to warp that into a Mac vulnerability.
Posted by Dalkorian (3000 comments)